The beleaguered Internet company Yahoo! has another crisis on its hands: 450,000 user email addresses and passwords stolen from its user-generated content service, Yahoo! Voices.
Even worse, all the passwords were stored unencrypted, in “plaintext,” readable by anyone who obtained the file; a site that stores only salted password hashes would have exposed far less.
A hacking group calling itself “D33ds Company” posted the data on its own website, which was only partially accessible this morning (July 12).
“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat,” read a note at the end of the posting, according to Ars Technica.
“There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”
However, it turned out the Yahoo! subdomain was in fact included by accident, which tipped off the security company TrustedSec that the user data belonged to Yahoo! Voices, previously known as Associated Content.
“We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 400,000 Yahoo! and other company users names and passwords was stolen yesterday, July 11,” a Yahoo! spokesman told SecurityNewsDaily via email. “Of these, less than 5 percent of the Yahoo! accounts had valid passwords.”
“We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised,” the spokesman said. “We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com.”
The D33ds Company posting said the crew had used a SQL injection attack, in which specially crafted input is submitted through a Web-page form field or the browser address bar so that the database interprets it as part of the query itself, letting the attacker read or modify data the application never meant to expose. SQL injection is fairly common and well understood; it is prevented by keeping user input out of the query text with parameterized queries, and many database administrators routinely test their systems for it.
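The following is an added example, not code from the original report and not Yahoo!’s code, showing the class of bug described above. It uses a constructed in-memory SQLite database with made-up table names and credentials: a search query built by string concatenation lets a UNION payload pull the whole users table, while the same payload against a parameterized query returns nothing.

```python
import sqlite3

# Constructed sample data standing in for a user file with plaintext
# passwords; names, table layout and credentials are made up.
SAMPLE_USERS = [
    ("alice@example.com", "123456"),
    ("bob@example.com", "password"),
    ("carol@example.com", "welcome"),
]


def build_db():
    """Create the toy database: an articles table the app searches and a
    users table the attacker wants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (email, password) VALUES (?, ?)", SAMPLE_USERS)
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("INSERT INTO articles (title, body) VALUES ('Hello', 'first post')")
    conn.commit()
    return conn


def search_articles_vulnerable(conn, term):
    # VULNERABLE: the user-supplied term is pasted straight into the SQL
    # text, so quotes and keywords in it become part of the query.
    sql = "SELECT title, body FROM articles WHERE title LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_articles_safe(conn, term):
    # FIXED: the term travels as a bound parameter; the driver never lets
    # it alter the query's structure, whatever characters it contains.
    sql = "SELECT title, body FROM articles WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# UNION-based payload: closes the string literal, appends a second SELECT
# with the same column count that reads the users table, and comments out
# the rest of the original query with "--".
INJECTION = "x%' UNION SELECT email, password FROM users -- "


def demo():
    """Run both search functions with a normal term and with the payload."""
    conn = build_db()
    return {
        "normal": search_articles_safe(conn, "Hell"),
        "leaked_via_vulnerable": sorted(search_articles_vulnerable(conn, INJECTION)),
        "leaked_via_safe": search_articles_safe(conn, INJECTION),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable query returns every email and password in the table because the database happily executes the attacker’s second SELECT; the parameterized query treats the whole payload as a LIKE pattern and matches nothing.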
Treasure trove of dumb passwords
Any time there’s a big password breach, security experts get to work analyzing the data.
Anders Nilsson of the Slovakian security company ESET broke down the Yahoo! Voices data and found that the most common password was “123456,” followed by “password” and “welcome.” The most common password length was eight characters, and fully one-third of the passwords contained only lower-case letters.
Yahoo! Voices’ administrators made a big mistake storing the passwords in plaintext; the standard practice is to store only a salted, deliberately slow hash of each password, so that a stolen database yields guesses to be cracked rather than the passwords themselves. But all users need to bolster their own security as well. Make passwords harder to guess by making them longer than eight characters, pepper them with upper-case letters, numbers and punctuation marks, and do not reuse one password across sites.
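As an added example (not code from the original report or from Yahoo!), this is the kind of password storage that would have blunted the leak: each password is hashed with a per-user random salt using PBKDF2-HMAC-SHA256 from Python’s standard library, verification recomputes the hash and compares it in constant time, and a plaintext record like the ones in the dump is never accepted. The record format, iteration count and helper names are choices made for this example.

```python
import hashlib
import hmac
import os

# Tunables chosen for this example; a real deployment picks the iteration
# count for its own hardware and raises it over time.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a storable record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt per password means two users with "123456" get
    different records, and a precomputed table cannot crack all at once.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest from the stored salt and parameters and compare
    in constant time. Malformed records (including a bare plaintext
    password) are rejected rather than matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM or rounds < 1:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest, expected)


def needs_rehash(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True when a stored record was produced with a weaker setting and
    should be regenerated at the user's next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < minimum_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample: two users who happen to share the dump's most
    # common password still get distinct records.
    records = {email: hash_password("123456") for email in ("a@example.com", "b@example.com")}
    for email, rec in records.items():
        print(email, rec[:40] + "...", verify_password(rec, "123456"))
```

With records like these, an attacker who steals the table must guess each password separately against a slow hash; the dump analyzed above would have revealed the “123456” accounts only after cracking, not by reading a file.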
From crisis to crisis
Yahoo! Voices started out several years ago as Associated Content, a so-called “content farm” that aggregated thousands of hastily written articles in an effort to draw search-engine traffic.
Yahoo! bought Associated Content two years ago, and last December rebranded it as Yahoo! Voices and shifted its focus to content generated by Yahoo! users.
(Yahoo! Voices should not be confused with Yahoo! Voice, a voice-over-Internet service associated with Yahoo! Messenger, Yahoo!’s instant-messaging service.)
It’s not clear how old the user data is, or whether the decision to store passwords in plaintext was Associated Content’s or Yahoo!’s. But Yahoo!’s information-technology team should have corrected the error nonetheless.
Everyone who’s ever registered with Associated Content or Yahoo! Voices should change their passwords for that account immediately, and do the same for any other account that used the same password or registered email address.
Yahoo! was one of the Web’s first search engines and quickly grew into an all-encompassing “portal,” offering news, email and instant-messaging services, movie listings and virtually anything else you could think of doing online.
But since it refused a buyout offer from Microsoft in 2008, Yahoo!’s been struggling to find its way, with top executives rotating in and out, thousands of employees being laid off and its stock price plummeting.
In May, Yahoo!’s chief executive officer was forced to resign five months into the job after it was learned he’d falsified his résumé to make it appear he had a degree in computer science.
Editor’s note: This article replaces a previous report from Reuters, saying that the hack affected the Yahoo! Voice VOIP service. The source of the statement, the TrustedSec security consultancy firm, has updated its report to verify that it was, in fact, the Yahoo! Voices site.