Hackers reveal over 400,000 Yahoo passwords

Over 400,000 passwords from the Yahoo Voice domain have been compromised in an attack.

Lexy Savvides Principal Video Producer

According to TrustedSec, the passwords were obtained from the Yahoo Voice domain through an SQL injection attack. The list does not contain only Yahoo email addresses; addresses from several other domains, including Gmail, AOL and Hotmail, which have been used to access Yahoo's services, also appear.

Yahoo users may want to consider changing their passwords after the vulnerability was discovered. Most concerning is that the passwords were stored in plain text. The data appeared on hacker site D33D Company, along with a statement from the group:

We hope that the parties responsible for managing the security of this sub-domain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in web servers belonging to Yahoo Inc that have caused far greater damage than our disclosure. Please do not take them lightly. The sub-domain and vulnerable parameters have not been posted, to avoid further damage.

Yahoo has since issued a statement confirming the breach:

At Yahoo, we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We confirm that an older file from Yahoo Contributor Network (previously Associated Content) containing approximately 450,000 Yahoo and other company users' names and passwords was compromised yesterday, July 11. Of these, less than 5 per cent of the Yahoo accounts had valid passwords. We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users and notifying the companies whose users' accounts may have been compromised. We apologise to all affected users. We encourage users to change their passwords on a regular basis and also familiarise themselves with our online safety tips at security.yahoo.com.

You can check whether your email address and password for Yahoo were compromised at Securi Labs' site. CNET has compiled a list of the top domains and passwords compromised in the attack:

Domains:

  1. Yahoo.com (137,559)
  2. Gmail.com (106,873)
  3. Hotmail.com (55,148)
  4. Aol.com (25,521)
  5. Comcast.net (8536)
  6. Msn.com (6395)
  7. Sbcglobal.net (5193)
  8. Live.com (4313)
  9. Verizon.net (3029)
  10. Bellsouth.net (2847)
  11. Cox.net (2260)
  12. Yahoo.co.in (2133)
  13. Ymail.com (2077)
  14. Hotmail.co.uk (2028)
  15. Earthlink.net (1943)
  16. Yahoo.co.uk (1828)
  17. Aim.com (1611)
  18. Charter.net (1436)
  19. Att.net (1372)
  20. Mac.com (1146)

Passwords:

  1. 123456 (1667)
  2. password (780)
  3. welcome (437)
  4. ninja (333)
  5. abc123 (250)
  6. 123456789 (222)
  7. 12345678 (208)
  8. sunshine (205)
  9. princess (202)
  10. qwerty (172)
  11. writer (164)
  12. monkey (162)
  13. freedom (161)
  14. michael (160)
  15. 111111 (160)
  16. iloveyou (140)
  17. password1 (139)
  18. shadow (134)
  19. baseball (133)
  20. tigger (132)

Updated at 9.14am: added confirmation from Yahoo and list of passwords and domains affected.