Reports are coming in that hackers have broken into a Yahoo service and stolen sensitive data belonging to more than 453,000 of its customers. According to the security firm TrustedSec, which first reported the incident, the compromised service was Yahoo Voice.
The affected website was named only as a subdomain of yahoo.com; however, digging through the dump and searching for the hostname, it appears the attacker forgot to remove the hostname “dbb1.ac.bf1.yahoo.com” (credit to Mubix for the hostname find). Looking through a variety of sources, it appears that the compromised server was likely “Yahoo! Voice”, formerly known as Associated Content (credit to Adam Caudill for the linkage).
The hackers posted the database containing the email addresses and passwords as proof. According to the dump, they used a method called union-based SQL injection to extract the database. In this technique, input submitted through an improperly protected field (such as a text box) is pasted into a database query, so the server treats it as part of the SQL command rather than as plain data.
The scariest part, according to TrustedSec, is that the passwords were stored in plain text, without any kind of encryption or hashing. If this was indeed the case, it would have been highly irresponsible on Yahoo’s part.
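The two failures described above, a query built by string concatenation and passwords stored in the clear, are shown side by side with their fixes in the following added example. This is illustrative code written for this article, not Yahoo's or TrustedSec's; the in-memory SQLite table, its column names and the sample account are constructed assumptions.

```python
import hashlib
import hmac
import os
import sqlite3


def make_db():
    # Constructed in-memory stand-in for a site's user table (assumed schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT, pw_hash BLOB, salt BLOB)")
    return db


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow key derivation: what should be stored instead of the
    # clear-text password that the dump reportedly contained.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(db, email: str, password: str) -> None:
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (email, hash_password(password, salt), salt))


def lookup_vulnerable(db, email: str) -> list:
    # Vulnerable pattern: the user-supplied value is concatenated into the
    # SQL text, so a quote character in `email` changes the query's structure.
    query = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in db.execute(query)]


def lookup_safe(db, email: str) -> list:
    # Parameterized query: the driver sends `email` as data, never as SQL.
    rows = db.execute("SELECT email FROM users WHERE email = ?", (email,))
    return [row[0] for row in rows]


def quote_changes_query(db, email: str) -> bool:
    # True when the concatenated query no longer even parses: evidence that
    # the input is being interpreted as SQL rather than as a value.
    try:
        lookup_vulnerable(db, email)
        return False
    except sqlite3.OperationalError:
        return True


def verify(db, email: str, password: str) -> bool:
    # Recompute the hash with the stored salt; constant-time comparison.
    row = db.execute("SELECT pw_hash, salt FROM users WHERE email = ?",
                     (email,)).fetchone()
    return row is not None and hmac.compare_digest(
        row[0], hash_password(password, row[1]))
```

An address containing an apostrophe is enough to show the difference: the parameterized lookup simply finds no match, while the concatenated query breaks because the quote is read as SQL syntax.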
The hackers posted the following statement along with the dump:
We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.
If you are a Yahoo Voice customer, I recommend you change your password immediately, and if you use the same password for any other service (which is a bad practice), change it there as well.