The hacked data, posted to the hacker site D33D Company, contained more than 453,000 login credentials and appears to have originated from the Web pioneer's network. The hackers, who said they used a union-based SQL injection technique to penetrate the Yahoo subdomain, intended the data dump to be a "wake-up call."
"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," the hackers said in a comment at the bottom of the data. "There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage."
The hacked subdomain appears to belong to Yahoo Voices, according to a TrustedSec report. Hackers apparently neglected to remove the host name from the data. That host name -- dbb1.ac.bf1.yahoo.com -- appears to be associated with the Yahoo Voices platform, which was formerly known as Associated Content.
CNET has contacted Yahoo for comment independently and will update this report when we learn more.
Because the data is quite sensitive and displayed in plain text, CNET has elected not to link to the page, although it is not hard to find. However, the page size is very large and takes a while to load.
The disclosure comes at a time of heightened awareness over password security. Recent high-profile password thefts at LinkedIn, eHarmony, and Last.fm contributed to approximately 8 million passwords posted in two separate lists to hacker sites in early June. Yesterday, Formspring announced it had disabled the passwords of its entire user base after discovering about 420,000 hashed passwords that appeared to come from the question-and-answer site were posted to a security forum.
Update July 12 at 6:35 a.m. PT: Added confirmation of Yahoo investigating the matter.
Steven Musil
No comments:
Post a Comment