Yahoo Patches Vulnerability that Led to 450,000-Password Breach

Yahoo announced today it’s fixed the security hole that allowed a hacker group this week to post some 450,000 email addresses and passwords belonging to freelance writers.


“We have taken swift action and have now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of notifying affected users,” the company said in a blog post. “In addition, we will continue to take significant measures to protect our users and their data.”

The addresses and passwords apparently belonged to amateur and professional journalists who’d signed up as contributors to Associated Content before May 2010. Yahoo bought the online publisher the same month and changed the name to the Yahoo Contributor Network. Those whose login data was compromised will be asked to answer a series of challenge questions the next time they try to log in to validate and change account details.

“At Yahoo we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products,” the company said. “We sincerely apologize to all affected users.”

Earlier this week the hacker group D33D (or D33Ds) Company reportedly used a union-based SQL injection to penetrate the Yahoo subdomain and steal the plain-text passwords, some of which were alarmingly simple. For instance, a little more than 2,500 people used “123456” or “password.”
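The two weaknesses named above, a query that untrusted input can extend with a UNION clause and passwords stored in plaintext, shown beside their corrected forms as an added example; this is illustrative Python/sqlite3 code, not the article's or Yahoo's, and the schema, table names and sample user are constructed.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory schema standing in for a contributor site; the table
# and column names are assumptions, not the breached application's real schema.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
conn.execute("CREATE TABLE users (email TEXT, pw_hash BLOB, salt BLOB)")
conn.execute("INSERT INTO articles (title) VALUES ('Gardening tips')")

ITERATIONS = 200_000


def store_user(email, password):
    """Store a salted PBKDF2 hash rather than the plaintext the dump contained."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (email, digest, salt))


def verify_user(email, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    row = conn.execute("SELECT pw_hash, salt FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), row[1], ITERATIONS)
    return hmac.compare_digest(candidate, row[0])


def search_vulnerable(term):
    """Bug: the query is built by string formatting, so a UNION inside 'term'
    runs as SQL and appends rows from another table to the result set."""
    sql = f"SELECT id, title FROM articles WHERE title LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(term):
    """Fix: the driver binds 'term' as a single literal; the same payload is
    just an odd search string that matches no title."""
    sql = "SELECT id, title FROM articles WHERE title LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


if __name__ == "__main__":
    store_user("writer@example.com", "123456")  # constructed sample account
    probe = "' UNION SELECT email, pw_hash FROM users --"  # constructed probe string
    print("vulnerable:", search_vulnerable(probe))  # article row plus a users row
    print("safe:", search_safe(probe))  # []
```

Even with the query fixed, hashing matters: if the vulnerable search leaks the users table, the second column holds PBKDF2 digests rather than the reusable plaintext passwords the dump exposed.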

“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat,” the group said in a comment at the bottom of the data, according to CNET. “There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”

Other email providers whose users were affected by the breach include Gmail, AOL, Hotmail, Comcast, MSN, SBC Global, Verizon, BellSouth and Live.com.
