Yahoo fixes password-pilfering bug, explains who's at risk

Security experts continue to hammer Yahoo for storing usernames and passwords in plain text

Yahoo today said it has fixed the flaw that allowed hackers to steal more than 450,000 passwords from one of its many services.

The company also provided more information about whose passwords had been pilfered.

"We fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of notifying affected users," the company announced in a post to its blog early Friday.

Yahoo has offered no specific information about the attack, how it was carried out or even when. It confirmed the attack Thursday.

The hacker group D33Ds Company took responsibility for the breach, saying it had exploited a basic SQL injection vulnerability in a Yahoo service to steal the usernames and passwords associated with 453,000 accounts. The group published the passwords and email addresses on the Web.

Yahoo also confirmed that the stolen account credentials belonged to registered users of its Yahoo Contributor Network, which was previously known as Associated Content.

Yahoo Contributor Network is a platform that generates high-volume, low-cost content by letting writers photographers, and others share their work with Yahoo members and earn money based on the traffic their content generates. Users who contribute to the network are required to sign in using a Yahoo, Google or Facebook ID.

Associated Content, which was founded in 2005, was bought by Yahoo for just over $100 million in May 2010. Yahoo renamed the service in late 2011, when it also launched Yahoo Voices, a portal where users access content posted by the Yahoo Contributor Network.

According to Yahoo, only people who registered as providers with Associated Content before the 2010 acquisition were affected by the password theft. "[The] compromised file was a standalone file that was not used to grant access to Yahoo! systems and services," Yahoo maintained.

Just under a third of the stolen passwords were linked to accounts registered to a email address, security company Rapid7 said Thursday. Significant chunks of the file, however, were composed of Gmail (23.6% of all accounts) and Hotmail (12.2%) addresses.

All users with older Associated Content accounts, no matter the email address used, should immediately change the passwords for those email accounts as well as any identical or similar passwords used to secure other online services or websites, security experts have said.

Rapid7 security researcher Marcus Carey said yesterday that the file published by D33Ds included 123 government email accounts -- ones ending with ".gov" -- and 235 military-related addresses (ending with ".mil"). Among the government email accounts, Carey found several associated with the FBI, the Transportation Security Administration (TSA) and the Department of Homeland Security (DHS).

Security experts have been scathing in their criticism of Yahoo, in large part because the passwords were stored in plain-text, making the hackers' job of exploiting the stolen accounts a breeze.

Yesterday, Mark Bower, a data protection expert and executive at Voltage Security, said, "It's utter negligence to store passwords in the clear."

Also on Thursday, Rob Rachwald, director of security strategy at Imperva, took Yahoo to the woodshed. "To add insult to injury, the passwords were stored in clear text and not hashed (encoded)," Rachwald wrote in a blog post. "One would think the recent LinkedIn breach would have encouraged change, but no. Rather, this episode will only inspire hackers worldwide."

The LinkedIn breach Rachwald referenced came to light last month, and involved approximately 6.5 million encrypted passwords belonging to members of the networking service.

In its Friday blog, Yahoo again apologized to users affected by the password theft.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is

See more by Gregg Keizer on

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts