If the news that the Yahoo! Contributor Network user-generated content site has been breached, with more than 450,000 usernames and passwords compromised as a result, wasn't bad enough, look behind yesterday's headlines and the situation is revealed to be much, much worse. If you were one of those folk who signed into the Yahoo! Contributor Network with your Gmail or Hotmail credentials, then those accounts are obviously now compromised as well.


The D33Ds Co hacker collective has published a file containing all the login data from the breach, which appears to have been as simple as the most basic of SQL injection exploits. No, seriously: Yahoo! (one of the biggest Internet brands on the planet) appears to have fallen victim to one of the easiest of all security vulnerabilities to defend against.

If that wasn't bad enough, the login data of paired usernames and passwords also appears not to have been encrypted or hashed at all; it simply sat there in the database in plain text. At least the breached LinkedIn passwords were hashed, if not salted, whereas Yahoo! apparently couldn't even be bothered with basic protection of any kind.
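To make the two failures described above concrete, here is an added example (not code from the article or from Yahoo!) showing the defensive pattern for both: a login lookup that binds the username as a query parameter so it can never be spliced into the SQL, and password storage that uses a per-user random salt and a slow key-derivation function rather than plain text or a bare hash. The in-memory table, the user names and passwords, and the PBKDF2 iteration count are all constructed assumptions for the demo.

```python
import hashlib
import hmac
import os
import sqlite3


def make_db():
    # Constructed in-memory user table for the demo; it holds no real breach data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


def unsalted_hash(password):
    # LinkedIn-style storage: a bare hash, so two users with the same password
    # get the same digest and one cracked value unlocks every matching account.
    return hashlib.sha256(password.encode()).digest()


def salted_hash(password, salt):
    # Per-user random salt plus a slow KDF; the iteration count is an assumed
    # work factor for this example, not a figure from the article.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(conn, username, password):
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (username, salt, salted_hash(password, salt)))


def stored_record(conn, username):
    # What someone who dumps the table sees for this user: salt and hash only.
    return conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                        (username,)).fetchone()


def login(conn, username, password):
    # The username is bound as a parameter, never concatenated into the SQL text,
    # so quote or comment characters in it are plain data and cannot alter the query.
    row = stored_record(conn, username)
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, salted_hash(password, salt))


if __name__ == "__main__":
    db = make_db()
    register(db, "alice", "hunter2")
    register(db, "bob", "hunter2")
    print("login ok:", login(db, "alice", "hunter2"))
    print("same password, same stored hash?",
          stored_record(db, "alice")[1] == stored_record(db, "bob")[1])
```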

Nor can Yahoo! blame the Associated Content site that it acquired for $100 million and turned into the Yahoo! Contributor Network for the lax security measures. That acquisition was two years ago now, plenty of time for Yahoo! to have sewn it up tight. The statement from Yahoo! that "we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products" really doesn't seem to gel with this particular episode, I'm sorry to say.

Yahoo! itself claims that no more than 5% of the published logins are current, but even if that claim is correct it would still leave 22,500 folk at risk. And anyway, this breach goes beyond being a case of 'your breach was bigger than mine', as any breach of any size is a security lapse too far. Plus, of course, as I've hinted at already, the breach also puts other system logins at risk. A quick analysis of the hacked file would seem to suggest that more than 100,000 Gmail accounts are included, along with more than 50,000 Hotmail accounts.

The usual advice applies: if you have ever used the Yahoo! Contributor Network service, or the Associated Content site before it, change your password. If you have ever logged in with your Gmail or Hotmail accounts, then change those as well. And do it now.

Rob Rachwald, Director of Security Strategy at Imperva, says: "Sadly, this breach highlights how enterprises continue to neglect basic security practices. One would think the recent LinkedIn breach would have encouraged change, but no. Rather, this episode will only inspire hackers worldwide."

You can check if your email address appears on the list of hacked accounts using this tool.

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best-selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really Are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three-time winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the 'Enigma Award' for a 'lifetime contribution to information security journalism' in 2011, despite my life being far from over...

It's really no surprise considering that Yahoo Messenger is as bugged and easy to hack. And they wonder why they are going down...

Security breach is one of the most sought-after questions in our online world. This is a shame for Google.

Yahoo must focus on tightening their security now so that they can win over their users.

So basically, with all the leaked private information, logins, passwords, etc., do we still need the cloud? Maybe a law should be created to compensate the users (victims) in case of a data breach. A simple sorry is not enough for me, as it is starting to be a major problem and companies are not learning from the mistakes of other companies until it is too late for them. Instead they are doing the opposite: hiding the leak, saying it is unimportant, or throwing the problem onto other third-party companies.