Hackers Expose More Than 450,000 Accounts Taken From Yahoo! Voices Service
D33Ds Company, a group of hackers known for their “Owned & Exposed” posts online, released a massive database dump on Thursday morning, which they took from Yahoo. Configuration details released by the group tie the breach to Yahoo Voices. [Update: Yahoo! has now confirmed this breach, saying an old file had been accessed. The official statement from Yahoo! is included below.]
Along with posting the database schema, D33Ds Co. released 453,491 email addresses and plain text passwords that were allegedly stored on the server this way.
“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat,” D33Ds Co. said in a statement alongside the leaked data.
“There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”
However, as first mentioned on the TrustedSec blog, the leaked database records contained a hostname, dbb1.ac.bf1.yahoo.com, which ties back to Associated Content, now known as Yahoo Voices. Thus, the likely target in this attack was voices.yahoo.com. At the time this story was written, the domain was online, boasting some 600,000 contributors.
According to DataLossDB.org, there were roughly 55,000 Hotmail accounts exposed, 106,000 Gmail accounts, and 136,000 Yahoo addresses in the file. Additional stats from security vendor ESET show 25,000 AOL accounts and 8,500 Comcast accounts, in addition to thousands of accounts for users on MSN, Live.com, Verizon, SBC, Cox, Charter, and AT&T.
Further, DataLossDB also told SecurityWeek that, based on its data, there have been 911 data loss related incidents so far this year, exposing 207,615,994 records, or an average of 227,899 records per incident. Hacking is responsible for 62% of those breaches, which targeted businesses 59% of the time.
Many media outlets have incorrectly reported that the breach occurred on the "Yahoo! Voice" platform, but the service actually affected is "Yahoo! Voices". The two services are totally different.
Update: Yahoo! provided the following statement at 11:33AM ET:
At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 400,000 Yahoo! and other company user names and passwords was stolen yesterday, July 11.
Of these, less than 5% of the Yahoo! accounts had valid passwords. We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users' accounts may have been compromised. We apologize to affected users.