Yahoo Inc has confirmed that more than 400,000 user names and passwords used to access websites, including its own, have been stolen and posted online. Security researchers who have looked at the data say the passwords appear to have come from the company's VoIP service, Yahoo Voice. However, the full extent of the breach is as yet unknown.
In a statement published by TechCrunch, Yahoo representatives confirmed a breach that hit the site's Contributor Network (previously Associated Content) on Wednesday. The stolen data was contained in an "older file," and only about 5 percent of the exposed credentials were still valid on Yahoo.
"We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users' accounts may have been compromised," the statement continued. "We apologize to affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com."
The concern, however, is that despite all the recent warnings about creating better, stronger passwords, many of the passwords listed weren't all that secure to begin with. More than 1,600 of the passwords are "123456" and another 780 are "password". This raises flags not only for the Yahoo site; it could also expose users to security risks on other sites. Many people re-use passwords on multiple sites, so a password stolen from one site might be used on another and should be considered at risk there as well.
"Since all the accounts are in plain-text, anyone with an account present in the leak which also has the same password on other sites (e-mail, Facebook, Twitter, etc), should assume that someone has accessed their account," said Anders Nilsson of Eset.
Update: According to security firm Rapid7, the data stolen in the Yahoo breach included log-ins and credentials not only for Yahoo but also for Google Gmail, Microsoft Hotmail, AOL, Comcast and MSN accounts. The breakdown by service provider is as follows:
1. 137,559 yahoo.com
2. 106,873 gmail.com
3. 55,148 hotmail.com
4. 25,521 aol.com
5. 8,536 comcast.net
6. 6,395 msn.com
7. 5,193 sbcglobal.net
8. 4,313 live.com
9. 3,029 verizon.net
10. 2,847 bellsouth.net