A hacker group calling itself D33DS posted online a massive trove of data it said was unencrypted in a file pilfered from the Sunnyvale, California-based internet pioneer “as a wake-up call not as a threat”.
Yahoo confirmed that a file from its Contributor Network (formerly Associated Content) containing about 450,000 user names and passwords belonging to users of Yahoo and other companies was compromised on Wednesday.
Security researchers who sifted through the posted data determined that it included information about accounts at other online services, including Google’s web-based Gmail, AOL and Microsoft’s Live.com.
“We apologise to all affected users,” Yahoo! said in a prepared statement.
“We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users and notifying the companies whose users' accounts may have been compromised.”
Less than five per cent of the Yahoo account data stolen had valid passwords, the company contended.
The group D33D Company was reported as having used SQL injection to compromise the Yahoo database. The technique involves inserting rogue SQL commands into the queries a website sends to its database by exploiting a vulnerability in the site.
Affected accounts were reportedly linked to an internet telephone service called Yahoo! Voices, related to the company’s instant messaging feature.
“The most alarming part to the entire story was the fact that the passwords were stored completely unencrypted and the full 400,000-plus usernames and passwords are now public,” internet security firm TrustedSec said in a blog post.
The hack came a month after a disturbing rash of security breaches in which members’ passwords were stolen from career-oriented social network LinkedIn as well as US dating website eHarmony and British-based music site Lastfm.com.