Yahoo released a brief statement acknowledging that hackers were able to breach its network systems in July 2012, stealing more than 500,000 user names and passwords, but did not offer much more information on what occurred. The stolen data was published on the web by a hacker group calling themselves D33D.
The cyber thieves posted the data dump on a hacker’s forum claiming to be doing a good deed in that they were merely seeking to get Yahoo to address its security issues. The message they posted with the data dump said,
We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in Web servers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.
Security experts in the field have heaped much criticism on Yahoo executives expressing that a major company of its size should have been securing its users information more robustly. Although Yahoo has not explained how the hackers breached their network systems a company spokeswoman, Dana Lengkeek said,
We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users’ accounts may have been compromised.
The email addresses, user names and passwords from the Yahoo breach included valid passwords for accounts at other sites and services such as AOL, Microsoft, Google, AT&T, Verizon, and Comcast Corp. This occurred when the hackers were able to gain access to Yahoo’s Contributor Network systems by illegally running a very basic attack called a SQL injection. To make matters worse it would appear as though the passwords were not encrypted, not the standard of protection you would expect from a company as widely used as Yahoo.
Another good security practice when it comes to which companies you share your personal info with is to find out whether they carry cyber security/intrusion insurance policies, its important to know that a company has the financial resources to act quickly and responsibly when it comes to a breach. This is important not only to minimize the damage a cyber intrusion can do, but also for any civil or criminal suits that may be brought as a result of negligence on the breached company’s part. How a company treats its customers after a breach occurs speaks volumes on whether you want to continue to do business with them in the future.
This is the statement Yahoo issued:
At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 400,000 Yahoo! and other company users names and passwords was stolen yesterday,July 11. Of these, less than 5% of the Yahoo! accounts had valid passwords. We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised. We apologize to affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com.
Additional Resources About This Breach: