December 7, 2016

Yahoo! fixes security holes which let hackers in but password list still available online

(LiveHacking.Com) – Yahoo has fixed the flaws in its Yahoo! Contributor Network that allowed hackers to steal details for over 450,000 accounts and publish them online. In a post published on its corporate blog, Yahoo confirmed that the stolen data was in a standalone file that contained approximately 450,000 email addresses and passwords belonging to writers who had joined Associated Content prior to May 2010, when it was acquired by Yahoo!.

“We have taken swift action and have now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of notifying affected users. In addition, we will continue to take significant measures to protect our users and their data,” wrote Yahoo.

The hack was performed by a group going by the name of ‘d33ds’. The hackers got the details from the Yahoo.com subdomain dbb1.ac.bf1.yahoo.com using, it is thought, a SQL injection. The passwords extracted were in clear text. The details were posted for a short time on the group’s website; however, due to the massive traffic generated, the servers went offline. The group has now moved the archive to other third-party servers and the file is still available.

An analysis of the credentials showed that the most common passwords were: 123456, password, welcome, ninja, abc123, 123456789, 12345678, sunshine, princess and qwerty.

For users who joined the then Associated Content before May 2010 and used a Yahoo! email address, Yahoo! is recommending that they log in and answer the series of authentication questions to change their password.
