Yahoo hack steals 400,000 passwords. Is yours on the list?(Read article summary)
A Yahoo hack compromises 400,000 accounts. Here's how to see if yours was stolen.
Yahoo, which has taken its share of hits in the last few years, added another black mark against it today when the theft of more than 400,000 accounts and as many as 450,000, including email addresses and passwords,Â was discovered.
The hacked emails and passwords were posted in a large text file.
The theft has been credited to a black-hat hacking crew called D33D, who most likely breached the server for Yahoo Voices, previously known as Associated Content, with an SQL injection hack. Because Yahoo purchased Associated Content in 2010, many non-Yahoo identities have been breached, including some with Google and AOL emails.
According to the Guardian, some names date back to 2006 and may be from an old list.
Seeing one's users hacked is bad news to begin with for any company, but it appears that the passwords stolen from Yahoo wereÂ not encrypted. As Information WeekÂ noted, this could put Yahoo in position to be prosecuted. Yahoo has claimed publicly that the information was protected. However if it turns out that such data was not encrypted properly, a court may find those claims to be fraudulent. As security researcher Christopher Soghoian tweeted, âStrong chance of FTC deception case re: Yahoo password breach via claim it maintains reasonable electronic safeguards.â
CNETÂ sorted through the hacked passwords to discover sequential numbers were used 2,295 times. Among the most popular passwords in the file were â123456,â â111111,â âpasswordâ andÂ âpasswordâ plus numbers.
The hackers told several publications âWe hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call.â By so doing, D33D make a claim for being do-gooders. âThere have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage."
If you have used Yahoo Voices or Associated Content, DazzlepodÂ has made the information searchable by account name.