A list of over 450,000 email addresses and plain-text passwords, in a document marked "Owned and Exposed" apparently from users of a Yahoo! service, is in circulation on the internet.
The affected accounts appeared to belong to a voice-over-Internet-protocol, or VOIP, service called Yahoo Voices, which runs on Yahoo's instant messenger. The Voices service is powered by Jajah, a VOIP platform that was bought by Telefonica Europe BV in 2010.
The dump, posted on a public website by a hacking collective known as D33Ds Company, said it penetrated the Yahoo subdomain using what's known as a union-based SQL injection. By injecting powerful database commands into them, attackers can trick back-end servers into dumping huge amounts of sensitive information.
Since all the accounts are in plain-text, anyone with an account present in the leak which also has the same password on other sites (e-mail, Facebook, Twitter, etc), should assume that someone has accessed their account.
In a statement in which Yahoo apologizes for the attack, Yahoo tells that the data came from an older file from the Yahoo! Contributor Network (which it picked up via its Associated Content acquisition). But it also noted that less than five percent of the emails had valid passwords, and that it is now working to fix the vulnerability that led to the disclosure.
At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 400,000 Yahoo! and other company users names and passwords was stolen yesterday,July 11. Of these, less than 5% of the Yahoo! accounts had valid passwords. We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised. We apologize to affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com.
If you use Yahoo Voices, you should probably change your password now.Don't forget to make sure that your password is unique, hard to guess, and that you use a different password on every website you use. If you use the same password in multiple places you are just asking for trouble.