More than 450,000 usernames and unencrypted passwords appear to have been stolen from Yahoo Voices, a user-contribution service on Yahoo’s network, and posted online, reports the Guardian.
An 18-megabyte file titled “Owned and Exposed”, which is “brought to you by the D33Ds Company”, was posted online, revealing a number of details for the service, including all of the email addresses and passwords for Yahoo Voices’ 450,000 users.
According to Mashable, at the end of the document the group remarks that it posted the information to be a “wake-up call” rather than a threat.
“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat,” the document says. “There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure.
“Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”
Yahoo Voices is the new name Yahoo gave to Associated Content, a site it bought in 2010 for $100 million.
Yahoo Voices pays freelance writers for articles on a variety of topics; they get paid both upfront and based on the traffic articles draw, writes Business Insider.
It’s not yet clear if any financial information was exposed in the hack.
The group also included a quote from Jean Vanier in its closing remarks: “Growth begins when we begin to accept our own weakness.”
Yahoo’s apparent security blunder comes just over a month after LinkedIn confirmed that member passwords had been compromised. According to The Verge, over 6 million hashed passwords were leaked from LinkedIn’s servers and the company urged members to change credentials as a result.
Similar attacks have been reported separately against other online services, including Android Forums and Formspring. Users are being encouraged to change their passwords immediately, and to check whether they used the same password on other services.
However, it is not known whether the attacks are linked. Both Formspring and Android Forums encrypted the passwords that they stored, although that is not a guarantee that they cannot be cracked.
The Yahoo attack is potentially the most serious. Yahoo claims to have more than 600,000 contributors – which would include many of those in the data dump, if it is verified.
Security experts say that the most worrying aspect of the attack was that the passwords for the accounts were not encrypted, which means that any hacker could scoop up the emails and immediately start using them against other services, including Yahoo Mail.
The site hosting the information is currently down; however, Mashable was able to open the document and verify that it does in fact contain user emails and password data.