Yahoo confirms theft of 450,000 unencrypted passwords

"Utter negligence," says expert about latest online business black eye that included disclosure of .gov and .mil account info

Yahoo has confirmed that 450,000 unencrypted usernames and passwords were stolen on Wednesday from one of its services, although it downplayed the threat.

"We confirm that an older file from Yahoo! Contributor Network, previously Associated Content, containing approximately 450,000 Yahoo! and other company usernames and passwords was compromised yesterday, July 11," Yahoo said in a statement forwarded by a company spokeswoman Thursday.

"Of these, less than 5 per cent of the Yahoo! accounts had valid passwords," the company maintained. However, it did not say what percentage of the remaining accounts, which included over 100,000 Gmail addresses and more than 55,000 Hotmail addresses, included valid passwords.

Yahoo Contributor Network is a platform that lets writers, photographers, and others share content with Yahoo members and earn money based on the traffic it generates. Users who contribute to the network are required to sign in using a Yahoo, Google or Facebook ID.

Yesterday, a hacker group calling itself "the D33Ds Company" claimed to have hacked into a Yahoo database by exploiting an SQL injection vulnerability found on a Yahoo subdomain. The group published a list of 453,492 plain-text email addresses and passwords.

Based on a host name left in the published materials, speculation yesterday focused on Yahoo Voices as the most likely subdomain that was hacked. Yahoo Voices is the portal where users access the content posted by the Yahoo Contributor Network.

Yahoo said it was "fixing the vulnerability that led to the disclosure of this data," but did not confirm that the bug had actually been quashed. The company was also changing the passwords of affected Yahoo members.

"We apologize to all affected users," said Yahoo.

Almost a third - 30.3 per cent - of the leaked email addresses were Yahoo addresses, while 23.6% were Gmail addresses and 12.2% were Hotmail addresses, said security company Rapid7, which did a quick analysis of the data published on the Web Wednesday. Addresses from several other domains rounded out the top 10.

Also included in the cache, said Marcus Carey, security researcher at Rapid7, were 123 government email accounts -- ones ending with ".gov" -- and 235 military-related addresses (ending with ".mil").

"Some of the government addresses were from various [U.S.] intelligence agencies, the FBI, TSA [Transportation Security Administration] and DHS [Department of Homeland Security]," said Carey. "Those, and of course, the .mil accounts, could be used for targeted attacks later."

Yahoo accounts made up less than a third of the 450,000 stolen from an online content-sharing service. (Data: Rapid7.)
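The domain tally Rapid7 describes above is the first thing a defender does with a published credential dump: find out which of your own users appear in it so you can force resets, and count sensitive domains such as .gov and .mil. The following script is an added example, not Rapid7's tooling or anything from the original article; the dump lines it parses are constructed sample values, not data from the Yahoo breach.

```python
import re
from collections import Counter

# Constructed sample in the "email:password" shape such dumps typically use.
# Every value below is made up for this example; none comes from the breach.
SAMPLE_DUMP = """\
alice@yahoo.com:hunter2
bob@gmail.com:letmein
carol@hotmail.com:password1
dave@yahoo.com:qwerty
erin@agency.gov:correct-horse
frank@army.mil:battery-staple
grace@gmail.com:123456
malformed line without separator
heidi@YAHOO.COM:Secret!
"""

# Local part, '@', then a domain with no whitespace, '@' or ':' in it.
EMAIL_RE = re.compile(r"^[^@\s:]+@([^@\s:]+)$")


def parse_dump(text):
    """Yield (email, domain) for each well-formed line; the password field
    is split off and discarded, since only the address is needed for tallying."""
    for line in text.splitlines():
        if ":" not in line:
            continue                      # skip lines that are not email:password
        email, _, _ = line.partition(":") # first ':' ends the address
        m = EMAIL_RE.match(email.strip())
        if not m:
            continue
        yield email.strip().lower(), m.group(1).lower()


def tally_domains(text):
    """Return (Counter of domain -> count, total well-formed addresses)."""
    counts = Counter()
    total = 0
    for _, domain in parse_dump(text):
        counts[domain] += 1
        total += 1
    return counts, total


def domain_share(text, domain):
    """Percentage of addresses at a given domain, rounded to one decimal."""
    counts, total = tally_domains(text)
    return round(100.0 * counts[domain.lower()] / total, 1) if total else 0.0


def count_tld(text, tld):
    """Count addresses whose domain ends with the given suffix, e.g. '.gov'."""
    return sum(1 for _, d in parse_dump(text) if d.endswith(tld.lower()))


def addresses_for_domain(text, domain):
    """Sorted list of affected addresses at one domain (e.g. your own), for resets."""
    return sorted(e for e, d in parse_dump(text) if d == domain.lower())


if __name__ == "__main__":
    counts, total = tally_domains(SAMPLE_DUMP)
    for d, n in counts.most_common():
        print(f"{d:15s} {n:3d} {100 * n / total:5.1f}%")
    print(".gov:", count_tld(SAMPLE_DUMP, ".gov"), " .mil:", count_tld(SAMPLE_DUMP, ".mil"))
    print("reset these:", addresses_for_domain(SAMPLE_DUMP, "yahoo.com"))
```

Run against a real dump, `addresses_for_domain` with your organisation's domain gives the list of accounts to reset; note that the parser normalises case, so `heidi@YAHOO.COM` is counted with the other Yahoo addresses.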

Yahoo did not immediately respond to follow-up questions, including whether the leaked addresses and passwords were only from the pool of people who had registered with the Content Network to post their work on the site, or whether others, including those who may have accessed the content via the Voices portal, also needed to be concerned about the breach.

The Yahoo leak, which followed a much larger one last month that involved approximately 6.5 million encrypted passwords belonging to LinkedIn members, was another black eye for the online industry.

Several security researchers, including Carey, drew comparisons between the two. "Organizations and users still aren't taking security seriously enough," he said, referring to the constant barrage of credential breaches.

Carey, like Yahoo and scores of other security experts, urged Yahoo users to change their email accounts' passwords immediately, then follow that with changes to other site logins that rely on the same email address/username and password combination.

But Carey went further, noting that Yahoo may provide more information on the breach later, which could necessitate a second password reset if the leak has not been totally contained.

"You should still go ahead and change it straight away, but you may have to change it a second time if it turns out the attacks are still entrenched in Yahoo's systems," Carey said.

Carey recommended that people install and use a robust password manager that can create complex passwords automatically, then store them for instant retrieval on multiple devices.

"I use KeePass," said Carey, referring to a free open-source password manager for Windows. He also recommended LastPass for Windows, and said researchers at Rapid7 who worked on Macs relied on KeePassX and 1Password.

A password manager makes it easier to create and manage separate passwords for each website, online service or email account, thus limiting the damage if any one username/password combination leaks.

"There's always the potential of a [leaked] password also being used on, perhaps, a PayPal account," Carey said.

But the move toward aggregate credentials that access a slew of services provided by a single company -- like Gmail accounts and passwords being used for all Google's services, including Google Docs -- can make the practice of using a password manager moot, or nearly so.

"If someone has one account on one service, it lets them log in everywhere," said Carey, using Google as an example. "A lot of business processes store sensitive information on Docs. And because almost everything is Web-based now, 'in the cloud,' this is a problem that's only going to get worse."

Not surprisingly, Yahoo drew the ire of some experts.

"If what is stated is true, it's utter negligence to store passwords in the clear," said Mark Bower, a data protection expert at Voltage Security, in an email Thursday. "This breach just goes to show that even big companies aren't taking enough steps to protect critical data."
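Bower's point is that the file should never have held usable passwords at all. The contrast below is an added example, not code from Yahoo or from the article: a cleartext store of the kind the experts criticise, beside a store that keeps only a salted, iterated hash (PBKDF2-HMAC-SHA256 from Python's standard library). With the hashed store, a stolen file still forces a reset, but it does not hand the attacker every password ready to reuse on other sites. The iteration count and record format are this example's own choices.

```python
import hashlib
import hmac
import os

# --- The 'before': cleartext storage, shown only for contrast -------------
def store_cleartext(db, username, password):
    db[username] = password            # whoever reads the file has every password

def check_cleartext(db, username, password):
    return db.get(username) == password


# --- The 'after': salted, iterated hash ------------------------------------
ITERATIONS = 600_000   # assumption for this example; tune to ~100 ms on your hardware
SALT_BYTES = 16

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.
    A fresh random salt per user means equal passwords yield different records."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(record, password):
    """Recompute the digest with the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iters = int(iters)
    except ValueError:
        return False                   # malformed record: reject rather than crash
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
    return hmac.compare_digest(candidate, expected)

def store_hashed(db, username, password):
    db[username] = hash_password(password)

def check_hashed(db, username, password):
    record = db.get(username)
    if record is None:
        # Do the same work for unknown users so response time does not reveal
        # which usernames exist.
        hash_password(password, salt=b"\0" * SALT_BYTES)
        return False
    return verify_password(record, password)


if __name__ == "__main__":
    clear, hashed = {}, {}
    store_cleartext(clear, "alice", "hunter2")   # constructed sample credential
    store_hashed(hashed, "alice", "hunter2")
    print("cleartext file leaks:", clear["alice"])
    print("hashed file leaks   :", hashed["alice"])
    print("login ok:", check_hashed(hashed, "alice", "hunter2"),
          "wrong pw:", check_hashed(hashed, "alice", "hunter3"))
```

The record embeds its own algorithm and work factor, so the iteration count can be raised later and old records re-hashed on the user's next successful login without a flag day.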

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is
