After LinkedIn, Yahoo has now reportedly fallen prey to a cyber attack: a hacking group named D33Ds Company claimed to have breached a Yahoo Voice server and posted over 453,000 user accounts and passwords, retrieved in plaintext.
TrustedSec reported that the hacked accounts used email addresses from a range of domains, including yahoo.com, gmail.com and aol.com, among others. The hackers named the affected website only as a subdomain of yahoo.com. However, further digging into the dump, which was posted on a public website, revealed that the attacker forgot to remove the hostname dbb1.ac.bf1.yahoo.com. Based on that hostname, the compromised server could possibly be Yahoo! Voice, better known as Associated Content.
According to the report, the most alarming part of the cyber attack was the fact that the passwords were stored completely unencrypted and the full 400,000+ usernames and passwords are now public. The method that hackers used to penetrate the Yahoo subdomain appeared to be a union-based SQL injection, said the report.
Ars Technica said this particular hacking technique targets poorly secured web applications that don't properly scrutinize text entered into search boxes and other user input fields. Hackers inject powerful database commands into these applications and trick back-end servers into dumping huge amounts of sensitive information.
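The two weaknesses the reports describe can be set beside their fixes: a search query built by string concatenation next to its parameterized form, and password storage as a salted PBKDF2 hash rather than plaintext. This is an added example, not code from Yahoo or from the reports; the table names, sample rows, function names and iteration count are assumptions constructed for illustration.

```python
import hashlib, hmac, os, sqlite3

def hash_password(password, salt):
    # Salted, slow KDF: a dumped row exposes salt + hash, not the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def make_db():
    """Constructed in-memory database standing in for a web app's back end."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (title TEXT, author TEXT)")
    db.execute("CREATE TABLE users (email TEXT, salt BLOB, pw_hash BLOB)")
    db.execute("INSERT INTO articles VALUES ('Garden tips', 'alice')")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("alice@example.com", salt, hash_password("correct horse", salt)))
    return db

def verify_password(db, email, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email = ?",
                     (email,)).fetchone()
    # Constant-time comparison of the stored hash with the recomputed one.
    return row is not None and hmac.compare_digest(
        row[1], hash_password(password, row[0]))

def search_vulnerable(db, term):
    # BEFORE: user text is concatenated into the statement, so a quote in
    # the input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT title, author FROM articles WHERE title LIKE '%" + term + "%'"
    return db.execute(sql).fetchall()

def search_hardened(db, term):
    # AFTER: the placeholder binds the input as data; it is never parsed as SQL.
    return db.execute("SELECT title, author FROM articles WHERE title LIKE ?",
                      ("%" + term + "%",)).fetchall()

# Constructed search-box input that closes the literal and appends a UNION.
CRAFTED = "x' UNION SELECT email, hex(pw_hash) FROM users --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, CRAFTED))  # users row is returned
    print("hardened:  ", search_hardened(db, CRAFTED))    # no rows
    print("login ok:  ", verify_password(db, "alice@example.com", "correct horse"))
```

Even where the concatenated query returns the users row, the output holds a salted hash instead of a usable password.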
The report stated that hackers made public plaintext credentials for 453,492 Yahoo accounts, more than 2,700 database table or column names and 298 MySQL variables.
"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," read a note attached to the file obtained by Ars Technica. "There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage."
Just over a month ago, LinkedIn also became the victim of a cyber attack, in which more than 6.4 million user accounts were compromised and confidential details were leaked, forcing the company to urge members to change their credentials.
If you are a Yahoo user, it's highly recommended to change your password right away, even if you don't use the Yahoo Voice service.
Meanwhile, Yahoo has not officially acknowledged any such security breach.