Yahoo! has confirmed reports that roughly 400,000 account credentials were stolen last Wednesday (11 July), but downplays the news by saying that fewer than 5% of the Yahoo! accounts in the stolen file still had valid passwords. Reports attribute the theft to a group calling itself the D33D Company, which is said to have used SQL injection to pull usernames and passwords, stored unencrypted, out of a Yahoo! server. Yahoo! released a statement confirming the breach and saying it is fixing the vulnerability, but gave no timeline.
At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 400,000 Yahoo! and other company users' names and passwords was stolen yesterday, July 11. Of these, less than 5% of the Yahoo! accounts had valid passwords. We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users' accounts may have been compromised. We apologize to affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com.
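Yahoo! does not say what the vulnerability was, but the reports describe SQL injection against a store of unencrypted passwords, and those are two separate mistakes that compound. The following is an added illustration of that pair, not Yahoo!'s code and not anything published by the reports: a public lookup that splices user input into SQL, the UNION payload that turns it into a credential dump, the parameterised form that resists it, and salted PBKDF2 hashing so that a dumped table no longer hands the attacker reusable passwords. The tables, the sample credentials and the article lookup are constructed for the example; the function names are the example's own.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data for this example, not rows from the breach: an email
# address next to the password it was registered with, the shape of record the
# article describes.
SAMPLE_USERS = [
    ("alice@yahoo.com", "123456"),
    ("bob@gmail.com", "welcome"),
    ("carol@hotmail.com", "abc123"),
]

PBKDF2_ROUNDS = 600_000  # current OWASP guidance for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None):
    """Return 'salthex$digesthex': a per-user random salt and the PBKDF2 digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_db(hashed=False):
    """In-memory SQLite database: a users table (plaintext or hashed passwords) and an
    articles table backing the kind of public lookup an attacker can actually reach."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, author TEXT)")
    for email, pw in SAMPLE_USERS:
        conn.execute("INSERT INTO users VALUES (?, ?)", (email, hash_password(pw) if hashed else pw))
    conn.execute("INSERT INTO articles VALUES (1, 'How to grow tomatoes', 'alice@yahoo.com')")
    return conn


def articles_by_author_vulnerable(conn, author):
    """Splices the author string straight into the SQL, so the caller's text is parsed as SQL."""
    sql = "SELECT title, author FROM articles WHERE author = '" + author + "'"
    return conn.execute(sql).fetchall()


def articles_by_author_safe(conn, author):
    """Same lookup with a bound parameter: whatever the string contains, it stays a value."""
    return conn.execute("SELECT title, author FROM articles WHERE author = ?", (author,)).fetchall()


# Classic UNION-based payload: close the string literal, append a second SELECT with the
# same column count that reads the users table, and comment out the trailing quote.
UNION_PAYLOAD = "x' UNION SELECT email, password FROM users -- "


def dump_credentials(conn):
    """What the attacker gets back from the article lookup: every row of the users table."""
    return sorted(articles_by_author_vulnerable(conn, UNION_PAYLOAD))


if __name__ == "__main__":
    plain = make_db()
    print("plaintext table, concatenated query:", dump_credentials(plain))
    print("plaintext table, parameterised query:", articles_by_author_safe(plain, UNION_PAYLOAD))
    hashed = make_db(hashed=True)
    print("hashed table, concatenated query (rows still leak, passwords do not):", dump_credentials(hashed))
```

Run on its own, the script shows the same payload dumping every user against the concatenated query and returning nothing against the bound-parameter query. The third run is the point the article's "unencrypted files" detail turns on: hashing does not stop the injection, the rows still leak, but what leaks is a salted digest the attacker has to crack per user rather than a password they can type into Gmail or Hotmail straight away.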
Sucuri Labs offers a quick check for users who want to find out whether their accounts are in the dump. The boffins at Sucuri analysed the leaked file and found 135,599 Yahoo! accounts, 106,185 Gmail, 54,393 Hotmail, 24,677 AOL and thousands more from other email providers. Sadly, the findings also revealed that people are still using insecure passwords such as “123456”, “password”, “welcome” and “abc123”.
The numbers may not stack up to the 6.5 million LinkedIn accounts exposed last month, but the worrisome aspect is that this one attack churned out hundreds of thousands of email addresses and plaintext passwords for accounts at a whole slew of providers, simply because their owners had signed up to Yahoo!'s contributor network. Anyone who used the same password there as on the mailbox it was registered with has handed over that mailbox too. One thing remains important, however: stop using easy-to-guess passwords, because once a password like “123456” is sitting in a dump like this one, it won't take a skilled hacker to get into your email and other private information.