

antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4

Nearly Half a Million Yahoo Passwords Leaked

»it.slashdot.org/story/12/07/12/1···s-leaked


caffeinator
Coming soon to a cup near you..
Premium
join:2005-01-16
WA, USA
kudos:4

Apparently hacked via Voices, a Yahoo social networking news service, go figure.

I changed mine just in case, can't hurt eh?



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

reply to antdude
• Also spotted on Tech Radar this morning:

From: Ubergizmo
From: The Verge
From: SecurityWeek

First order of business would be to at least overview your whole account and at least change the password, at a minimum.


redwolfe_98
Premium
join:2001-06-11
kudos:1

reply to antdude
here is a tool where people supposedly can check to see if their accounts were included in the leaked data:

»labs.sucuri.net/?yahooleak

i checked all of my email addresses.. the tool reported that none of them were included in the leaked data..

i had already changed my passwords for my yahoo accounts but i wondered if the new passwords wouldn't be captured, too.. the news articles say that yahoo is still working on the problem so it hasn't been fixed, yet, which means that my new passwords could be captured the same as the old ones.. uhg!



antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4
Reviews:
·RoadRunner Cable

reply to caffeinator

said by caffeinator:

Apparently hacked via Voices, a Yahoo social networking news service, go figure.

I changed mine just in case, can't hurt eh?

Does it use the same password/account as global Yahoo! address or are they separate?
--
Ant @ »antfarm.ma.cx and »aqfl.net. Please do not IM/e-mail me for technical support. Use the forum! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4

reply to antdude
»betanews.com/2012/07/12/yahoo-ha···assword/ for the password patterns.



caffeinator
Coming soon to a cup near you..
Premium
join:2005-01-16
WA, USA
kudos:4
Reviews:
·CenturyLink

1 edit

reply to antdude
Something is weird here, according to this: »blog.sucuri.net/2012/07/analysis···sed.html

It's not just yahoo emails in the dump, but addys used for Yahoo Voices. (it's an eHow publishing platform I think)

quote:
comments:

Virtual Copy
Actually, the leak is of Yahoo! Voices, formerly Associated Content and of the Yahoo! Contributor Network. None of us have been officially notified as of yet by Yahoo staff.

Matt Busse
As Virtual Copy notes in these comments, Yahoo Voices / the Yahoo Contributor Network, from which the leak came, had acquired Associated Content, a user-contributed-articles site similar to eHow.com. That might explain why 101 passwords were the word “associated” (and perhaps why 164 were “writer”), and might also explain why so few have the word “yahoo” in them.



So, if I'm reading this right, it's 400K+ misc. addys and not just yahoo emails? I've never used that thing, so it makes more sense why I wasn't affected.
--

My 9/11 Tribute..online since 9/14/01
Need an Avatar? Check out Wafen's Avatar Pages


sivran
Opera convert
Premium
join:2003-09-15
Arlington, TX
kudos:1

reply to redwolfe_98

said by redwolfe_98:

here is a tool where people supposedly can check to see if their accounts were included in the leaked data:

»labs.sucuri.net/?yahooleak

i checked all of my email addresses.. the tool reported that none of them were included in the leaked data..

Thanks for the link. Checked a couple of my ancient yahoo accounts, plus my Dad's, none of them showed up. Good to know.

Still...I think I might want to have Dad change his password, just to be sure.
--
Think Outside the Fox.


jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
Scottsdale, AZ
kudos:22

reply to redwolfe_98
Thank you. I just checked and we're OK. Still, a change might be the thing to do. Can't hurt.



planet

join:2001-11-05
Oz
kudos:1

1 edit

Does the leak affect yahoo email or just the Yahoo Voices accounts?

Edit: here's another way to check if your user name/pw was leaked. List of the user names leaked:
»dazzlepod.com/yahoo/



Sindows 7

join:2006-09-13
Chilliwack, BC
kudos:2

reply to antdude

quote:
but it wasn't just credentials for Yahoo, but also Gmail, AOL, Comcast, Hotmail, MSN, SBC Global, BellSouth, Verizon and Live.com as well


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

reply to antdude
Update: Yahoo's massive data breach includes Gmail, Hotmail, Comcast user names and passwords

quote:
Yahoo today confirmed a breach of its network, saying that not only Yahoo user names and passwords were stolen yesterday but also "other company users names and passwords." Yahoo said the data stolen is related to "an older file from Yahoo! Contributor Network (previously Associated Content)," the Web farm and multimedia content company it acquired two years ago for $100 million.

That Yahoo file of unspecified vintage contained about 400,000 Yahoo and other company users names and passwords that was dumped on the Internet included many associated with Google Gmail, Microsoft Hotmail, and AOL, Comcast and MSN accounts (see list below). Yahoo, which was not immediately available to discuss the data breach, said in a statement that when it comes to the Yahoo accounts, "less than 5% of the Yahoo! Accounts had valid passwords."

The Snowman
Premium
join:2007-05-20
kudos:4

reply to antdude
_____________________

Technology news websites including CNET, Ars Technica, and Mashable identified the hackers behind the attack as a little-known outfit calling itself the D33D Company. The group was quoted as saying it had stolen the unencrypted passwords using an SQL injection, the name given to a commonly used attack in which hackers use rogue commands to extract data from vulnerable websites.

"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call," the group was quoted as saying.

»www.philly.com/philly/business/2···rds.html



Snowy
mIRC unix.ro UnderNet
Premium
join:2003-04-05
Kailua, HI
kudos:6

reply to antdude
The group that took the data has mirrored the list of accounts that were compromised here.
[Mirrors - Offical]
h ttp://74.208.161.170:81/yahoo-disclosure.tar.gz



vaxvms
ferroequine fan
Premium
join:2005-03-01
Wormtown

reply to antdude
I wonder what percentage of all the Yahoo accounts (~500,000 of ~???) had passwords leaked?
--
Of course I can keep secrets. It's the people I tell them to that can't keep them.


scross

join:2002-09-13
Cordova, TN

reply to antdude
So, given the prevalence of the top 10 or top 100 (or whatever) passwords, shouldn't these as a matter of policy be "forbidden" passwords, with said list being updated on a regular basis? I understand that this might be a bit of a technical challenge, for various reasons.
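
Editor's added example (not part of the thread or any poster's code): a sketch of the "forbidden passwords" policy raised in the post above. It rejects common passwords plus service-specific words such as "associated" and "writer", which a comment quoted earlier in the thread says were frequent in this dump. The list contents, function names and the 8-character minimum are assumptions.

```python
import re
import unicodedata

# Constructed sample list (assumption). A real deployment would load a
# regularly refreshed corpus of breached passwords instead.
COMMON_PASSWORDS = {"123456", "12345678", "password", "welcome",
                    "abc123", "sunshine", "princess", "iloveyou"}
# Service-specific words; "associated" and "writer" come from the thread.
CONTEXT_WORDS = {"yahoo", "voices", "associated", "writer"}
# Common character substitutions, undone before comparison.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(text):
    """Fold case and Unicode forms so trivial variants collapse together."""
    return unicodedata.normalize("NFKC", text).casefold().strip()


def strip_decoration(word):
    """Drop leading/trailing digits and punctuation: 'writer2012!' -> 'writer'."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", word)


def rejection_reason(password, username="", min_length=8):
    """Return why a password is refused, or None if it passes every check."""
    pw = normalize(password)
    if len(pw) < min_length:
        return "too short"
    # Build the variants an attacker's wordlist rules would also try.
    forms = {pw, strip_decoration(pw)}
    forms |= {f.translate(LEET) for f in forms}
    forms |= {strip_decoration(f) for f in forms}
    if forms & COMMON_PASSWORDS:
        return "common password"
    banned = set(CONTEXT_WORDS)
    local = normalize(username).split("@")[0]
    if len(local) >= 3:  # guard: an empty string is a substring of everything
        banned.add(local)
    for word in sorted(banned):
        if any(word in f for f in forms):
            return f"contains '{word}'"
    return None


if __name__ == "__main__":
    for candidate in ("Password1", "Wr1ter_2012", "correct horse battery staple"):
        print(candidate, "->", rejection_reason(candidate))
```
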



caffeinator
Coming soon to a cup near you..
Premium
join:2005-01-16
WA, USA
kudos:4
Reviews:
·CenturyLink

reply to The Snowman

said by The Snowman:

_____________________

Technology news websites including CNET, Ars Technica, and Mashable identified the hackers behind the attack as a little-known outfit calling itself the D33D Company. The group was quoted as saying it had stolen the unencrypted passwords using an SQL injection, the name given to a commonly used attack in which hackers use rogue commands to extract data from vulnerable websites.

Obligatory XKCD...


--

My 9/11 Tribute..online since 9/14/01
Need an Avatar? Check out Wafen's Avatar Pages


NormanS
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:9
Reviews:
·SONIC.NET
·Pacific Bell - SBC

reply to antdude

said by antdude:

Does it use the same password/account as global Yahoo! address or are they separate?

»Re: E-Mail "Contact List" Hack

Looks global.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

Frank32

join:2009-08-07

reply to antdude
Does this affect people who only have a free Yahoo email account and have never used Voices?



jabarnut
Light Years Away
Premium,MVM
join:2005-01-22
Galaxy M31
kudos:2

reply to antdude

said by redwolfe_98:

here is a tool where people supposedly can check to see if their accounts were included in the leaked data:

»labs.sucuri.net/?yahooleak

i checked all of my email addresses.. the tool reported that none of them were included in the leaked data..
.....

Just call me silly and overly paranoid, but is it a real good idea for everyone to be typing all of their legit email addresses into a box and sending it over an unencrypted connection?
I'm sure no harm, but I kind of get a kick out of that site when we're talking about a 'security' breach here.
--
I had a life once.....now I have a Computer and a Modem.

over 13.5 years online © 1999-2013 dslreports.com.