The security firm said that the passwords and usernames appeared to be stored in plain text, without encryption. That means anyone who obtains the data can use it.
Yahoo said that of hundreds of thousands of accounts that were breached, fewer than 5 percent had valid passwords.
“We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users’ accounts may have been compromised,” Yahoo said in a statement.
Yahoo’s consumer public relations chief for the United Kingdom, Caroline MacLeod-Smith, told the Associated Press that she couldn’t provide more details about the breach that the company is investigating, including the size of the attack.
CNet reported that the hacking group said it wanted to give a “wake-up call” to Yahoo to boost its security measures and to individual users to strengthen their passwords.
According to the report, one of the most common passwords was “123456.” Other popular passwords included “111111” and “000000.”
VentureBeat’s John Koetsier wrote that he believes the file may be an old backup of the service, explaining that he tried two of the username and password combinations posted by the hacking group and found that neither worked.
“My guess right now, although it’s early in the investigation, is that the 435,000 accounts are pre-Yahoo,” he wrote, saying that they may be from Associated Content’s databases before Yahoo bought the company in 2010.
Still, as Koetsier notes, many people use the same usernames and passwords for multiple accounts, and it isn’t a far jump for hackers to search other sites where they think the same passwords might work.
If you have ever contributed or signed up to contribute to Yahoo Voices or Associated Content, it’s well worth changing that password — and changing your passwords and usernames for any other account with the same log-in information.
As password hacking becomes more and more common, members of Congress are pushing for data protection legislation that would set guidelines for security for customers’ personal information.