Yahoo Password Breach Is Worse Than Originally Thought

    July 12, 2012
    Zach Walton

We brought you news this morning that Yahoo Voices was hacked and over 450,000 usernames and passwords were leaked onto the Internet. The initial report stated that most of the passwords came from Yahoo or Gmail email addresses. After analyzing the dump, a security company has found the breach to be worse than initially thought.

Security company Rapid7 provided a breakdown of all the email addresses that were part of the Yahoo breach. Here’s the full list with the number of addresses for each service:

137,559 occurrences at yahoo.com
106,873 occurrences at gmail.com
55,148 occurrences at hotmail.com
25,521 occurrences at aol.com
8,536 occurrences at comcast.net
6,395 occurrences at Microsoft msn.com
5,193 occurrences at sbcglobal.net
4,313 occurrences at live.com
3,029 occurrences at verizon.net
2,847 occurrences at bellsouth.net

While the majority of leaked addresses come from major email services, people from almost every major email provider were affected. The group who performed the hack, D33D, realizes that an attack on Yahoo affects the Web at large and performed this breach as a warning of sorts. They suggest Yahoo beef up its security before somebody else attacks the company’s servers for real.

We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.

In a statement earlier today, Yahoo said that they “take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products.” If that’s the case, Yahoo, then why were these passwords stored unencrypted, in plain text? Hopefully they will take this as the “wake-up call” that D33D intended and improve their security across the site.
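The core failure the article points at is that a dump of the credentials table handed attackers every password verbatim. The example below is added here and is not code from the article, from Yahoo or from D33D; it contrasts a plaintext credential store with one that stores only a per-user random salt and a slow salted hash (PBKDF2-HMAC-SHA256 from Python's standard library, which is the usual defence for stored passwords rather than reversible encryption). The class names, the `record_exposes_password` check and the sample accounts are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for the demo; these are not from the leaked dump.
SAMPLE_USERS = {
    "alice@example.com": "correct-horse-battery",
    "bob@example.com": "Tr0ub4dor&3",
}


class PlaintextStore:
    """The pattern the article criticises: the record IS the password."""

    def __init__(self):
        self.records = {}  # email -> password string

    def register(self, email: str, password: str) -> None:
        self.records[email] = password

    def verify(self, email: str, password: str) -> bool:
        return self.records.get(email) == password


# Work factor for PBKDF2; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow one-way hash (32-byte SHA-256 output)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS)


class HashedStore:
    """Stores (salt, digest) only; a dump of this table yields no passwords."""

    def __init__(self):
        self.records = {}  # email -> (salt, digest)

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per user
        self.records[email] = (salt, hash_password(password, salt))

    def verify(self, email: str, password: str) -> bool:
        record = self.records.get(email)
        if record is None:
            # Spend the same work for unknown users so timing does not
            # reveal which addresses exist in the table.
            hash_password(password, b"\x00" * SALT_BYTES)
            return False
        salt, digest = record
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(digest, hash_password(password, salt))


def record_exposes_password(store, email: str, password: str) -> bool:
    """Does the raw stored record contain the password itself?

    This models what an attacker reads when the table is dumped.
    """
    record = store.records[email]
    if isinstance(record, str):            # PlaintextStore
        return password in record
    salt, digest = record                  # HashedStore
    return password.encode("utf-8") in (salt + digest)


def build_stores():
    """Register the constructed sample accounts in both stores."""
    plain, hashed = PlaintextStore(), HashedStore()
    for email, password in SAMPLE_USERS.items():
        plain.register(email, password)
        hashed.register(email, password)
    return plain, hashed


if __name__ == "__main__":
    plain, hashed = build_stores()
    for email, password in SAMPLE_USERS.items():
        print(email,
              "plaintext exposes:", record_exposes_password(plain, email, password),
              "hashed exposes:", record_exposes_password(hashed, email, password))
```

Both stores accept the right password and reject the wrong one; the difference only shows when the table itself leaks, which is exactly the scenario this breach was. A quick check against a real store is the same test: if the raw record for an account contains the password string, the system is storing it in plain text.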

As an aside, I did a very quick run-through of the leaked passwords to see if my Yahoo account had been compromised. Thankfully, it was not, but I did come across some comedic gold. One user had the password of LuckyBooger. Whoever you are, sir, I must commend you on that choice of password. I must ask – what makes it so lucky?

[h/t: Boston Business Journal]

  • Ben

    To check if your account was affected go here:


    • wildrose

      Thank you, Ben. How much can I trust this information based on my post (above)? I’m borderline paranoid.

  • Lawrence Wilson

    I think this is a really bad situation on all sides. On one hand, it may serve as a wake-up call for online security in general. But if history is any kind of teacher, it would teach us that people either don’t learn from these kinds of things, or they take away the wrong message. Instead of actually learning from this incident, Yahoo will most likely give in to its corporate rage at being caught with its pants down and take swift and vicious action towards the perpetrators–but will not actually fix the problem. And as for the perpetrators…They’re no saints, either. Despite their claims of doing a public service, THEY STILL BROKE THE LAW!

  • wildrose

    Right now, I don’t trust Yahoo in their ability to safeguard passwords stored in their database. Although I keep changing mine (p/w), weird stuff keeps happening.

    For instance I’ll receive an email from various people from my contact list, but when I open it there is only a “link” that leads me directly to advertisements for things like Viagra, diet drugs, etc. My friends didn’t and wouldn’t send them. It makes me feel violated!

  • http://www.hd100.in Darshan

    How can one find out whether it is a legitimate site? e.g. http://www.shouldichangemypassword.com

  • http://dazzlepod.com/yahoo/ disclosure

    Searchable list available at http://dazzlepod.com/yahoo/ – use your partial email to check.

  • http://hyes mmmdhe