Yesterday, we reported on the Formspring website hack. Today, it’s Yahoo Voices that has been compromised.
Yahoo Voices, which defines itself as “where your expertise and perspectives take center stage!”, allows Yahoo users to post their own articles, videos and slideshows online.
This morning, hacker group D33DS Company published 453,491 email addresses and passwords online in plain text, in a document marked “Owned and Exposed”.
The hackers say they used a “Union-based SQL Injection” to steal the data and posted the information as a “wake-up call”:
“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat.”
But even if this hacker group themselves aren’t planning to use the information for ill-gotten gains, the data is available for anyone to access.
The only silver lining on the cloud is that the website hosting the passwords is temperamental, and people are experiencing difficulties accessing the information. But maybe the access problems are being caused by so many people trying to access the stolen passwords at once?
Unfortunately, the list of compromised websites just seems to keep growing. In a little over a month, we’ve reported on breaches of Formspring, Last.fm, LinkedIn and eHarmony.
If you use Yahoo Voices, you should probably change your password now.
Don’t forget to make sure that your password is unique, hard to guess, and that you use a different password on every website you use. If you use the same password in multiple places you are just asking for trouble.
At the time of writing, there is no official word from Yahoo regarding the security breach.
There are certainly questions which need to be answered – such as how were the hackers able to gain access to the information, and what measures was the site taking to ensure that even if its databases were breached, the passwords would not be easy to convert into plain text.
If your company runs a website which stores users’ information, don’t feel too smug about Yahoo’s misfortune. Are you taking enough care of your visitors’ credentials and ensuring that they are properly secured?
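As an added illustration (not code from the original article or from Yahoo), the sketch below puts the two defences the questions above point at side by side: a bound-parameter query that treats union-style input as plain data, and salted, slow password hashing so that a stolen table does not contain plain text. The schema, function names, sample input and the choice of PBKDF2 with 600,000 iterations are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor

def make_db():
    # Constructed in-memory schema; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (title TEXT, body TEXT)")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    db.execute("INSERT INTO articles VALUES ('hello', 'first post')")
    return db

def hash_password(password, salt):
    # Salted and deliberately slow, so each guess against a stolen hash is costly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(db, email, password):
    salt = os.urandom(16)  # unique per user; the password itself is never stored
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (email, salt, hash_password(password, salt)))

def verify(db, email, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email = ?",
                     (email,)).fetchone()
    if row is None:
        return False
    # Constant-time comparison of the stored and recomputed hashes.
    return hmac.compare_digest(row[1], hash_password(password, row[0]))

def search_unsafe(db, title):
    # Vulnerable pattern: user input is pasted into the SQL text itself.
    sql = "SELECT title, body FROM articles WHERE title = '%s'" % title
    return db.execute(sql).fetchall()

def search_safe(db, title):
    # Bound parameter: the input is only ever compared as a value.
    return db.execute("SELECT title, body FROM articles WHERE title = ?",
                      (title,)).fetchall()

# Constructed sample input of the union-based kind, aimed at the demo table only.
UNION_INPUT = "x' UNION SELECT email, hex(pw_hash) FROM users --"

if __name__ == "__main__":
    db = make_db()
    register(db, "reader@example.com", "correct horse")
    print("unsafe:", search_unsafe(db, UNION_INPUT))  # leaks a row, but only a hash
    print("safe:  ", search_safe(db, UNION_INPUT))    # no rows
```

Even where the concatenated query is abused, the leaked column holds a salted hash rather than the password; with the bound parameter the same input matches nothing.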
Searchable list at http://dazzlepod.com/yahoo/
"…not as a threat."
…ah, I see. In the same sense as the old Monty Python routine wherein the "Crunchy Frog" confection used "…only the finest baby frogs…lightly killed…".
It's an old story: "Sacrifices must be made for the greater good"…or some such pantload. I wouldn't be surprised to see these D33DS jerks running for political office next.
It's coming from Facebook users. They hijack your account info, then your email and all of the contacts' info. Both Yahoo and Facebook are being moot about it and doing nothing. Be careful, because they get all of your profile info and banking info and sell it. Once they have got you and your info they hold on to you and keep coming back; they have your basic info: school, birthdate, mother's maiden name, etc.
In my opinion, there are 2 reasons for all these hacks:
—companies unwilling to spend the $$$ on hardware/software to secure their websites; and,
—bluntly, so-called security “experts” at these firms who truly have no idea what they’re doing, and cover their stupidity by spewing technical mumbo-jumbo to their profoundly clueless superiors.
Is that assessment harsh? You bet. Accurate? I have first-hand heard some of the nonsense, but as soon as you call these idiots out, you’re labeled as a troublemaker & xenophobe.
In order to protect yourself from criminals, you MUST think like a criminal.
So, what are the odds on whether the passwords were being stored in plain-text then?
Looked at the "Fix it Tool" and it stated that the tool is 'disabled' or 'enabled', which is questionable. Do you 'enable' it to fix the problem, or are you enabling the 'problem'? Do you see what I mean?
IMHO…
The people at Yahoo are idiots. There were phishing e-mails going around imitating our company. Yahoo sent us an e-mail telling us to quit sending them…
it was not from yahoo, it was phishing 🙂
I am so upset with Yahoo that I posted what I have been through since my Gmail address was in the list of hacks.
http://cindycrerar.hubpages.com/hub/Yahoo-Voices-…
The3Dude is correct. Remember Slurp downloading full web sites, pushing some hosting systems to disable sites exceeding their bandwidth, and while most are not exceeding, some of the smaller family blogs, business card web sites, and such paid the penalty. Yahoo ignored the thousands of requests to smarten up.
When Yahoo, and others, send an email telling you to stop spamming, they ASSume you are guilty. Yahoo, and others, are police, prosecutor, judge, jury, and there is no defense.
It's probably much easier to arrange for a one-on-one with the President, than it is to reach a human at Yahoo, and others, to correct a mistake they will claim was never made.
The question is, why were the passwords not encrypted at source?