Yahoo has been the victim of a security violation that bore hundreds of thousands of login credentials stored in plain text (no encryption) .
The hacked data, posted to the hacker site D33D Company, contained more than 453,000 login credentials and appears to have originated from the Web pioneer’s network. Those responsible said they used a union-based SQL injection technique to penetrate the Yahoo subdomain, intended the data dump to be a “wake-up call.”
“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat,” the hackers said in a comment at the bottom of the data. “There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”
The compromised sub domain appears to belong to Yahoo Voices, according to a TrustedSec report. Hackers apparently forgot to remove the host name from the data. That host name — dbb1.ac.bf1.yahoo.com — appears to be associated with the Yahoo Voices platform, which was formerly known as Associated Content.
Yahoo has reported that it is looking into the matter. “We are currently investigating the claims of a compromise of Yahoo! user IDs,” the site said in a statement, according to the BBC. The company also told the BBC that it was unsure exactly what was penetrated and what parts of the network was affected, after first having said the problem originated at Yahoo Voice.
Statistics of the leak: http://pastebin.com/2D6bHGTa
