Yahoo password theft could affect Gmail, Hotmail, AOL users, researcher says

Yahoo password theft could affect Gmail, Hotmail, AOL users, researcher says

By Nicole Perlroth
New York Times
07/12/2012
SAN FRANCISCO -- Yahoo (YHOO) confirmed Thursday that about 400,000 user names and passwords to Yahoo and other companies were stolen Wednesday.
A group of hackers, known as the D33D Co., posted online the user names and passwords for what appeared to be 453,492 accounts belonging to Yahoo and several other websites. The hackers wrote a brief footnote to the data dump, which has since been taken offline: "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat."

The breach comes just one  month after millions of user passwords for LinkedIn, the online social network for professionals, were exposed by hackers who breached its systems. The breaches highlight the ease with which hackers are able to infiltrate systems, even at some of the most widely used and sophisticated technology companies.
Security researchers at Rapid7, a security company, analyzed the dumped account information and found that it included account information not just for Yahoo users but for Gmail, AOL, Hotmail, Comcast, MSN, SBC Global, Verizon, BellSouth and Live.com users. Marcus Carey, a researcher at Rapid7, found that among the data were some 106,000 Gmail accounts, 55,000 Hotmail accounts and 25,000 AOL accounts.
Dana Lengkeek, a spokeswoman for Yahoo, said that the compromised accounts belonged to Yahoo's Contributor Network, previously Associated Content, and that fewer than 5 percent of the passwords posted were still valid.
The hackers claimed to have stolen the passwords using a hacking technique called an SQL injection, which exploits a software vulnerability.
"We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users and notifying companies whose
user accounts may have been compromised," Lengkeek said in the statement. "We apologize to affected users. We encourage users to change their passwords on a regular basis."
Carey said it was unclear whether Yahoo's breach had been contained and noted that hackers could still be inside its systems.
Computer security experts recommended that Yahoo users also consider changing their passwords to other sites for which they might have used the same password, as hackers tend to test those passwords across multiple sites.
The top five passwords in the stolen batch were "123456," "password," "welcome," "ninja" and "abc123," said David Harley, senior research fellow at security firm ESET.