If you use Yahoo Voices to create content for the Web, you really should change your password now. After things were looking up for Yahoo, it's a pretty big downer to know that one of your services has just been hit with a devastating attack.
Trusted Security broke the news that Yahoo Voices had been compromised, with over 450,000 usernames and passwords stolen. It's a big deal whenever a major hack attack like this happens, but Yahoo's unpreparedness for such an event makes this a lot worse than it has to be.
It was found that Yahoo didn't encrypt the passwords, which puts users' security immediately at risk if somebody starts to tool around with the stolen passwords. The passwords stored in the database date back to 2006, so they may be old, but they link to a variety of email addresses beyond Yahoo Mail accounts. If you use Yahoo Voices and have Gmail or AOL accounts, you should probably change your passwords across all your services.
The Yahoo Voices attack is the latest in a string of embarrassing password breaches that have affected various sites like LinkedIn and last.fm. While damage seems to be minimal so far, it's still worrying that Yahoo wouldn't take extra precautions with user details. We can at least be thankful that they're not as bad as Microsoft India, which stored user passwords in plain text with no protection whatsoever.
Yahoo has not issued any kind of statement regarding the attack yet, but they will probably be sending emails to affected parties shortly. They will probably just tell you to change your password and that will be that. It would be wise to change your password on any site where you use the same one. Hackers know which sites you frequent, and they can gain easy access to your account if you use the same password across these sites. It's especially dangerous for e-banking accounts. [h/t: Guardian]
Yahoo just issued a statement to TechCrunch on the hack confirming that it did indeed happen. Here's the statement in full:
At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 400,000 Yahoo! and other company users names and passwords was stolen yesterday, July 11. Of these, less than 5% of the Yahoo! accounts had valid passwords. We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised. We apologize to affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com.
If you're in that five percent, you should change your password. If you're not, you should probably still change your password. Better safe than sorry.