Yahoo confirmed Thursday that it was hit by a hack that affected more than 450,000 accounts, saying that hackers had gotten hold of a file that contained older user names and passwords from its contributor network, Yahoo Voices, formerly Associated Content.
What’s clear from those who’ve actually seen the list of accounts taken, though, is that this particular attack has posted not only the e-mail addresses of Yahoo account holders who signed up for the company’s contributor network, but also a number of Gmail, Hotmail and other addresses.
That means that it’s even easier for hackers to ride a ripple effect off of the attack to other services and mine users’ address books for phishing attacks, especially if anyone used their Yahoo Voices account password for those accounts.
Phishing attacks can be particularly effective because the e-mails come from people the recipients know. That means everyone — regardless of whether they have a Yahoo account or not — should be on the lookout for a rise in suspicious e-mails, particularly if they link to Web sites with no context or just a line that says, “I thought this was really cool. You should check it out.”
As is always advisable after a hack of this kind, if you had a Yahoo Voices or Associated Content account, you should change your password there, and on any other account that uses the same password, immediately.
This is not the first major data breach of the summer, but Yahoo is catching more criticism than LinkedIn, eHarmony, Last.fm or Formspring because the file that hackers at the D33D Company posted shows the credentials were stored in plain text.
“Sadly, this breach highlights how enterprises continue to neglect basic security practices,” researcher Rob Rachwald wrote on security firm Imperva’s blog. “To add insult to injury, the passwords were stored in clear text and not hashed (encoded). One would think the recent LinkedIn breach would have encouraged change, but no. Rather, this episode will only inspire hackers worldwide.”
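To make concrete what "stored in clear text and not hashed" means in practice, here is an added example (not code from Yahoo, Imperva or the article) contrasting the two storage patterns. It uses a small set of constructed sample accounts, PBKDF2-HMAC-SHA256 with a random per-user salt (the iteration count is an assumed work factor), and a constant-time comparison on login. The `exposes_secret` check plays the role of someone reading a stolen copy of the file: with plain-text storage every password is immediately usable, with hashed storage the file alone gives the reader nothing to reuse on Gmail, Hotmail or anywhere else.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for the demo; not from the breached file.
SAMPLE_USERS = {
    "alice@example.com": "correct horse battery",
    "bob@example.com": "hunter2",
}

# Assumed work factor; raise it to match what your hardware tolerates per login.
PBKDF2_ITERATIONS = 200_000


def store_plaintext(users):
    """The weak pattern: the stored record *is* the secret."""
    return {email: password for email, password in users.items()}


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest (all hex)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def store_hashed(users):
    """The expected pattern: only salted, iterated hashes are written to disk."""
    return {email: hash_password(password) for email, password in users.items()}


def verify_password(stored_record, candidate):
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored_record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def exposes_secret(store, users):
    """Defender's check on a copy of the credential file: does any stored
    record literally contain the user's password? True for plain-text storage."""
    return any(users[email] in record for email, record in store.items())


if __name__ == "__main__":
    plain = store_plaintext(SAMPLE_USERS)
    hashed = store_hashed(SAMPLE_USERS)
    print("plain-text file leaks passwords:", exposes_secret(plain, SAMPLE_USERS))
    print("hashed file leaks passwords:   ", exposes_secret(hashed, SAMPLE_USERS))
    print("login with right password:     ", verify_password(hashed["alice@example.com"], "correct horse battery"))
    print("login with wrong password:     ", verify_password(hashed["alice@example.com"], "hunter2"))
```

Hashing does not make a stolen file harmless; weak passwords can still be guessed offline, which is why the work factor matters and why the advice to change a reused password still applies. It does remove the instant, zero-effort reuse that a plain-text dump allows.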
Yahoo said Friday that it has acted quickly to patch the vulnerability in its systems and is letting affected users know that their accounts are open to breaches.
The company said that the file that was taken was an older file that predates Yahoo’s 2010 acquisition of Associated Content and that the file was a “standalone” that did not have connections to other parts of Yahoo’s systems.
The company said it has also beefed up its security measures for affected users and “enhanced our underlying security controls.”
Those whose accounts may have been compromised will be prompted to authenticate their accounts and change their passwords the next time they log in, the company said.