Yahoo! Voice hacked, 400k accounts breached

Hackers broke into Yahoo's Voice website and posted what appeared to be data from some 400,000 accounts, an information security site said Thursday.

 

A blog post on TrustedSec.com said that while there has been no confirmation as of Thursday afternoon, the affected website was named as a subdomain of Yahoo.com.

 

"The passwords contained a wide variety of email addresses including those from yahoo.com, gmail.com, aol.com and much more. The affected website was only named as a subdomain of yahoo.com; however digging through and searching for the hostname, the attacker forgot to remove the hostname 'dbb1.ac.bf1.yahoo.com' (and) it appears that the compromised server was likely 'Yahoo! Voice' which was formally known as Associated Content," it said.

 

But it said the "alarming" part was that the passwords were stored "completely unencrypted," and all the 400,000-plus usernames and passwords are now public.

 

TrustedSec said the method for the compromise was apparently an SQL Injection attack to extract the sensitive information from the database.

 

While TrustedSec provided a link to the site where the supposed compromised data was posted, the site was inaccessible as of 4 p.m. Thursday, Manila time.

 

It added there has been no official confirmation from Yahoo or any other sources.

 

A separate article on CNET said the hackers claimed the data dump was intended to be a "wake-up call."

 

"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," it quoted the hackers as saying.

 

"There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage," they added.

 

CNET said the disclosure comes at a time of heightened awareness over password security. — TJD, GMA News