At least 400,000 email addresses and passwords belonging to Yahoo Voices users, people authorized to post content on Yahoo, were stolen and revealed by hackers, Yahoo confirmed today.
“We confirm that an older file from Yahoo Contributor Network (previously Associated Content) containing approximately 400,000 Yahoo and other company users names and passwords was stolen yesterday, July 11,” Yahoo said in a statement.
The hackers, who called themselves the D33Ds company, posted a full text document online containing the usernames and passwords, and said that it should be a “wake-up call” rather than a threat to Yahoo.
“There have been many security holes exploited in webservers belonging to Yahoo Inc. that have caused far greater damage than our disclosure,” they wrote.
Yahoo said it is “fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users and notifying the companies whose users’ accounts may have been compromised.”
It said only five percent of the username-password combinations revealed were still valid or current.
However, the document did not contain only Yahoo email addresses. Some of the Yahoo Voices accounts listed email addresses with AOL, Gmail, Hotmail and Windows Live.
Security firm Sucuri said that more than 100,000 Gmail addresses were included in the breach. The same firm created a script based on the leak that allows users to see if their account or password was among the ones leaked. You can go to http://labs.sucuri.net/?yahooleak and see if yours was one of them.
The Yahoo hack comes no less than a month after LinkedIn’s breach.
Robert Siciliano, an online security expert with McAfee, said such breaches aren’t likely to slow down. While they may cause sites and services to beef up their security infrastructure, he said, hackers like to “one up each other.”
“This is fun for criminal hackers,” Siciliano told ABC News. “They enjoy this. This is what they do. I like to play with my kids. They [hackers] like to hack networks.”
Siciliano has a list of tips to avoid falling victim. Above all, he said: “Never have the same password for two accounts.”