Yahoo plays down size of password breach
Search giant claims just five per cent of the 450,000 leaked logins are valid.
Search giant Yahoo claims less than five per cent of the login details posted online by hackers this week had valid passwords. As reported by IT Pro yesterday, the usernames and passwords of 453,491 members of the firm's content sharing site, Yahoo Voices, were posted online by hacking group D33Ds.
The group are understood to have employed a Union-based SQL injection attack to obtain the data.
US security site TrustedSec noted in a blog earlier this week that Gmail and Aol email addresses were also contained in the hacking group's post.
Yahoo has since confirmed the authenticity of the data in a statement and blamed the leak on an unspecified vulnerability.
"We confirm that an older file...containing approximately 450,000 Yahoo and other company user names and passwords were compromised [on] 11 July," said the statement.
"Of these, less than five per cent of the Yahoo accounts had valid passwords." The company is contacting affected users and changing their passwords, the statement added.
"We apologise to all affected users [and] encourage users to change their passwords on a regular basis," it concluded.
However, while Yahoo seem intent on playing down the size and impact of the breach, security vendor Imperva said the hackers may have obtained more than just passwords and usernames.
"The usernames and passwords seem to be obsolete, but the published file suggests that the hackers gained access to the whole database and were able to view some private data [belonging to these] 450,000 users," said Rob Rachwald, director of security strategy at Imperva.
"To add insult to injury, the passwords were stored in clear text and not encoded. [You would have thought] the recent LinkedIn breach would have encouraged change, but no. This episode will only inspire hackers worldwide."