We brought you news this morning that Yahoo Voices was hacked and over 450,000 usernames and passwords were leaked onto the Internet. The initial report stated that most of the passwords came from Yahoo or Gmail email addresses. After analyzing the dump, a security company has found it to be worse than initially thought.
Security company Rapid7 provided a breakdown of all the email addresses that were part of the Yahoo breach. Here’s the full list with the number of addresses for each service:
137,559 occurrences at yahoo.com
106,873 occurrences at gmail.com
55,148 occurrences at hotmail.com
25,521 occurrences at aol.com
8,536 occurrences at comcast.net
6,395 occurrences at Microsoft msn.com
5,193 occurrences at sbcglobal.net
4,313 occurrences at live.com
3,029 occurrences at verizon.net
2,847 occurrences at bellsouth.net
While the majority of leaked addresses come from major email services, people from almost every major email provider were affected. The group who performed the hack, D33D, realizes that an attack on Yahoo affects the Web at large and performed this breach as a warning of sorts. They suggest Yahoo beef up its security before somebody else attacks the company’s servers for real.
“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”
In a statement earlier today, Yahoo said that they “take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products.” If that’s the case, Yahoo, then why were these passwords stored in plain text rather than encrypted? Hopefully they will take this as the “wake-up call” that D33D intended it as and improve their security across the site.
As an aside, I did a very quick run-through of the leaked passwords to see if my Yahoo account had been compromised. Thankfully, it was not, but I did come across some comedic gold. One user had the password of LuckyBooger. Whoever you are, sir, I must commend you on that choice of password. I must ask – what makes it so lucky?
[h/t: Boston Business Journal]