
Hackers post 450K credentials pilfered from Yahoo

Credentials posted in plain text appear to have originated from the Web company's Yahoo Voices platform. The hackers say they intended the data dump as a "wake-up call."

Steven Musil Night Editor / News

Yahoo has been the victim of a security breach that yielded hundreds of thousands of login credentials stored in plain text.

The hacked data, posted to the hacker site D33D Company, contained more than 453,000 login credentials and appears to have originated from the Web pioneer's network. The hackers, who said they used a union-based SQL injection technique to penetrate the Yahoo subdomain, intended the data dump to be a "wake-up call."

"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," the hackers said in a comment at the bottom of the data. "There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage."

The hacked subdomain appears to belong to Yahoo Voices, according to a TrustedSec report. Hackers apparently neglected to remove the host name from the data. That host name -- dbb1.ac.bf1.yahoo.com -- appears to be associated with the Yahoo Voices platform, which was formerly known as Associated Content.

Yahoo confirmed that it is looking into the matter. "We are currently investigating the claims of a compromise of Yahoo! user IDs," it said in a statement, according to the BBC. The company also told the BBC that it was unclear which portion of its network was affected, after first having said the problem originated at Yahoo Voices.

CNET has contacted Yahoo for comment independently and will update this report when we learn more.

Because the data is quite sensitive and displayed in plain text, CNET has elected not to link to the page, although it is not hard to find. However, the page size is very large and takes a while to load.

The disclosure comes at a time of heightened awareness over password security. Recent high-profile password thefts at LinkedIn, eHarmony, and Last.fm led to approximately 8 million passwords being posted in two separate lists to hacker sites in early June. Yesterday, Formspring announced it had disabled the passwords of its entire user base after discovering that about 420,000 hashed passwords, which appeared to come from the question-and-answer site, had been posted to a security forum.

Update July 12 at 6:35 a.m. PT: Added confirmation of Yahoo investigating the matter.