Some 450,000 Yahoo users' email addresses and passwords have been leaked because of a security breach, the company confirmed Thursday, adding that just a small fraction of the stolen passwords were valid.
The company said in a statement that an "old file" from the Yahoo Contributor Network was compromised Wednesday. Among the stolen emails and passwords were many from Yahoo's own email service along with those of other companies.
The Yahoo Contributor Network is a content-sharing platform.
Yahoo said it is fixing the vulnerability that led to the disclosure, changing the passwords of affected Yahoo users, and notifying other companies whose users' accounts may have been compromised.
"We apologize to all affected users," the company statement said.
Technology news websites including CNET, Ars Technica, and Mashable identified the hackers behind the attack as a little-known outfit calling itself the D33D Company. The group was quoted as saying it had stolen the unencrypted passwords using an SQL injection — the name given to a commonly used attack in which hackers use rogue commands to extract data from vulnerable websites.
"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call," the group was quoted as saying.
Online security experts said Yahoo might have done more to protect the stored passwords, with Ohio-based TrustedSec describing the Internet giant's decision not to encrypt them as "most alarming."
Nevertheless, the haul does not appear as useful to hackers as they might have thought. Yahoo cautioned that only 5 percent of passwords associated with its account holders were valid.
It was not immediately possible to contact the Ukraine-registered website associated with D33D Company. Its contact form was inoperable Thursday, while an email address and a phone number attributed to the site's registrant appeared to be invalid.