Report: Half a Million Yahoo User Accounts Exposed in Breach


Hackers have published half a million login credentials for what appear to be Yahoo Voices user accounts that were stolen from a server.

More than 453,000 login credentials were posted by a hacking group calling itself D33Ds Company, who say the credentials were stored in plaintext, an amateur security blunder. The hackers said, in a note posted online, that they used a SQL injection attack to grab the credentials, but did not say from which Yahoo service they were taken “to avoid further damage.”
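The two mistakes the report describes, a login query built from raw user input and passwords stored in plaintext, are shown side by side with their hardened form in the added example below. It is constructed for this page and is not Yahoo's code; the table, user names and passwords are made up, and PBKDF2-HMAC-SHA256 with a per-user salt stands in for whatever password-hashing scheme a real site would choose.

```python
import hashlib
import hmac
import os
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed in-memory user table standing in for the breached database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT, salt BLOB, digest BLOB)")
    return db

def add_user_plaintext(db, name, password):
    # The blunder the report describes: the password is stored as-is, so
    # whoever dumps the table holds every working credential.
    db.execute("INSERT INTO users (name, password) VALUES (?, ?)", (name, password))

def login_concat(db, name, password) -> bool:
    # Vulnerable: input is spliced into the SQL text, so a quote in either
    # field ends the string literal and changes the query's structure.
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return db.execute(sql).fetchone() is not None

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2: the stored digest cannot be turned back into the
    # password, so a dumped table no longer yields usable credentials.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def add_user_hashed(db, name, password):
    salt = os.urandom(16)
    db.execute("INSERT INTO users (name, salt, digest) VALUES (?, ?, ?)",
               (name, salt, hash_password(password, salt)))

def login_hashed(db, name, password) -> bool:
    # Hardened: a parameterized query keeps input as data, and the
    # candidate password is compared in constant time against the digest.
    row = db.execute("SELECT salt, digest FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, digest = row
    return hmac.compare_digest(hash_password(password, salt), digest)

def dumped_passwords(db):
    # What a dump of the password column would reveal in each scheme.
    return [r[0] for r in db.execute("SELECT password FROM users")]
```

With the plaintext scheme a single quote in the user name is enough to satisfy `login_concat` without a password, and the dump returns the password itself; with the hashed scheme the same name is simply not found and the password column is empty.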

But based on a hostname (dbb1.ac.bf1.yahoo.com) that the hackers left in the data they posted, researchers have concluded that the credentials appear to have been stolen from Yahoo Voices, a user-generated content service and blogging platform that was formerly part of Associated Content. Yahoo Voices claims on its website that it has “more than 600,000 contributors and growing.”

“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat,” the hackers wrote in a note accompanying their disclosure. “There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”

The page where the hackers originally published the credentials is not currently available, but the credentials have also been posted in a searchable format at Dazzlepod.com, with the passwords redacted. Users who find their credentials on the list can send an email to Dazzlepod requesting that their credentials be removed from the online list. A spokesperson at Dazzlepod, which published the credentials early Thursday morning, says the site has received more than 120 removal requests from account holders so far.

Yahoo said in a statement that it is investigating the breach claim. The breach is the latest in a rash of credential breaches that have occurred in the last few months involving unsecured servers and unencrypted credentials. LinkedIn, eHarmony and Last.fm have all been victims of similar breaches lately.

The attacks highlight the danger of reusing passwords across websites: hackers can mine the leaked data and try the same credentials against more sensitive accounts the same users may hold, such as online banking and e-mail accounts.