Yahoo has admitted that around 450,000 plain text user names and passwords were stolen by attackers identifying themselves as ‘D333Ds’.
Yahoo’s statement:
‘We confirm that an older file from Yahoo! Contributor Network, previously Associated Content, containing approximately 450,000 Yahoo! and other company usernames and passwords was compromised yesterday, July 11,’
This reminds me of a conversation I had yesterday with a guy who was trying to tell me that open source software like Linux is so much safer than Microsoft. All I could say was “Any system is only as strong as who set it up, and who uses it.” This is a classic case of that.
Yahoo more than likely goes to some extraordinary lengths to protect itself from this kind of situation. However, several years ago, when the Contributor Network was being set up, one or two people in a moment of madness decided to store passwords in plain text. I know this does not explain how the attackers got in, or anything else related to this particular hack, but it’s decisions like this that make it so much more embarrassing for the company responsible.
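To make the point concrete, here is an added example (my own code, not anything from Yahoo or the Contributor Network) contrasting a plain-text credential record with a salted, iterated hash. The user records and passwords are constructed sample data; the only assumption is that a breach hands the attacker the stored records verbatim, which is exactly what happened here.

```python
# Added example (not from the original post): plain-text credential storage
# beside the hardened form. Standard library only; all records are constructed.
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; a few hundred thousand iterations is the
# usual order of magnitude today. Tests and demos may pass a smaller value.
PBKDF2_ITERATIONS = 600_000


# --- The failure mode: the record contains the password itself, so a leaked
# file needs no cracking at all.
def store_plaintext(db, username, password):
    db[username] = {"password": password}


def check_plaintext(db, username, password):
    rec = db.get(username)
    return rec is not None and rec["password"] == password


# --- The hardened form: a random per-user salt plus a slow key derivation.
# A leaked record reveals only salt, iteration count and derived key; the
# attacker has to guess each password separately and pay the KDF cost per guess.
def store_hashed(db, username, password, iterations=PBKDF2_ITERATIONS):
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    db[username] = {"salt": salt, "iterations": iterations, "hash": dk}


def check_hashed(db, username, password):
    rec = db.get(username)
    if rec is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal whether an account exists.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                            b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             rec["salt"], rec["iterations"])
    # Constant-time comparison so a mismatch does not leak which bytes differed.
    return hmac.compare_digest(dk, rec["hash"])


def leaked_file_exposes_password(db, username, password):
    """Simulate the breach: does the stored record contain the password verbatim?"""
    rec = db[username]
    return any(isinstance(v, str) and v == password for v in rec.values())


if __name__ == "__main__":
    plain, hashed = {}, {}
    store_plaintext(plain, "alice", "correct horse")
    store_hashed(hashed, "alice", "correct horse", iterations=10_000)
    store_hashed(hashed, "bob", "correct horse", iterations=10_000)
    print("plain-text record leaks password:", leaked_file_exposes_password(plain, "alice", "correct horse"))
    print("hashed record leaks password:   ", leaked_file_exposes_password(hashed, "alice", "correct horse"))
    print("same password, different hashes:", hashed["alice"]["hash"] != hashed["bob"]["hash"])
    print("login with correct password:    ", check_hashed(hashed, "alice", "correct horse"))
```

Note that with hashed storage two users who chose the same password end up with different records, so a leak of one does not give away the other; that is the salt doing its job, and it is the property the Contributor Network file lacked entirely.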
As for the 123 .gov and 235 .mil email addresses that were stolen, let’s hope their owners had the common sense not to use the same password everywhere.
If you have a Yahoo account, I recommend checking it on the Sucuri Malware Labs website: http://labs.sucuri.net/?yahooleak
And if you think that’s the end, well, we are now just starting with “Phandroid”, who claim to have stolen over a million user names and passwords from the Android forums. Unlike Yahoo, though, there are no plain text passwords included in the leak.