Yahoo! Voice compromised, over 450,000 passwords stolen

While you may not have been surprised that a pornography site like YouPorn stored its data in cleartext, you’d probably expect more from a company like Yahoo!. Apparently that trust would be misguided, as TrustedSec is reporting that over 400,000 Yahoo! Voice accounts have been compromised in a recent attack; the exact number is currently 453,492.

There are few details at this point, but according to the data the attackers dumped, the attack was carried out via SQL injection. This means the website was not properly validating input, which allowed the attackers to enter their own SQL commands into a text field on the website and have that code passed directly to the database. This type of attack has been on the decline over the past five years but is still a dangerous threat. In addition to the SQL injection vulnerability, the database was storing the passwords in cleartext.

The list of usernames and passwords has already been posted to the Internet, although the website is extremely slow due to heavy load. You may want to check whether you were impacted by the attack.

The attackers call themselves “D33Ds Company” and Yahoo! has not made an official statement about the breach. In typical “hacktivist” fashion, the group claims they’re doing it to help people out and even includes a quote from Jean Vanier, stating, “Growth begins when we accept our own weakness.”

Is this more proof that we are past the age of passwords and need to rely on more secure methods?

Source: TrustedSec


24 Comments


Personally I use Roboform to manage my passwords but always keep a database backup at hand. Having to sync would mean my database password collection goes on their servers in which if they get hacked... well you see my point. Best to keep the important stuff where you can hold them.

ashmedai said,
Is Lastpass secure? I have been using it for some time but... hmm need to get it back to work.

Yep, I use it all the time. Very useful.

I don't get it, for years in all the PHP stuff I do I've been doing everything secure, yet I don't see a single website in the world doing the same, is it a requirement when getting a job to be completely inept of security or what!?

I have to say though the funniest security on a site I've ever seen is faceparty, they rant about how they work with the UK government to make it secure and with Thawte yet all passwords are stored in plaintext, they can be emailed out to you, and there's not even SSL!

xendrome said,
I've never even heard of Yahoo Voice....

Was just about to say this is another case of "didn't hear about them until now"...

Lucky I didn't I guess

GS:mac

trumphil said,
https://d33ds.co/ is already down. Darn, how can I trust any company if even Yahoo, Sony and so on are being compromised?

You can't, that's become very clear over the last year or so. Sony, LinkedIn, Yahoo, Last FM... I've lost count to be honest.

Best thing to do is use a password management system and have a unique password for every website you use.

InsaneNutter said,

You can't, that's become very clear over the last year or so. Sony, LinkedIn, Yahoo, Last FM... I've lost count to be honest.

Best thing to do is use a password management system and have a unique password for every website you use.


Looks like I will have to get some system for myself too :(

InsaneNutter said,
Stuff like Lastpass is supposed to be good, and free.

LastPass is good. It supports all major browsers free, plus you can pay $12 a year for phone sync as well.

LaserWraith said,

LastPass is good. It supports all major browsers free, plus you can pay $12 a year for phone sync as well.


Subscriptions... eurgh... >_<

GS:mac