Security researchers warned Thursday that thousands of people could be vulnerable to hackers after Yahoo confirmed that about 450,000 usernames and passwords were stolen from one of the company’s databases.
In a statement, a Yahoo spokeswoman said the company was taking “immediate action” by fixing the vulnerability that led to the breach, changing users’ passwords and notifying the companies whose users’ accounts may have been compromised.
Yahoo said that less than 5 percent of the breached accounts had valid passwords.
“We apologize to all affected users,” Yahoo spokeswoman Dana Lengkeek said. “We encourage users to change their passwords on a regular basis.”
But Marcus Carey, a security researcher at Rapid7, said that because many people use the same username and password for multiple sites, hackers could use the stolen data to compromise other accounts, such as PayPal or some of the government and military accounts that were used to register for Yahoo Voices, a publishing platform formerly known as Associated Content.
Carey said he analyzed the leak — which was initially posted on the file-sharing site Pastebin — and found that Yahoo Voices contributors signed up using a variety of accounts: about 140,000 Yahoo addresses, more than 100,000 Gmail addresses, more than 55,000 Hotmail addresses and more than 25,000 AOL addresses.
“Because password reuse is so prevalent, there’s a high likelihood that thousands of people are going to be compromised because of this,” he told The Huffington Post.
A hacker group called D33D claimed responsibility for the disclosure of usernames and passwords belonging to Yahoo Voices’ users.
“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat,” the group said in a statement. “There have been many security holes exploited in Web servers belonging to Yahoo Inc. that have caused far greater damage than our disclosure. Please do not take them lightly.”
The hackers said they breached the server using a technique known as an SQL injection, which allows them to steal the contents of vulnerable databases by entering commands.
“It would be the equivalent of tricking an ATM into giving you more money than you have in your account,” Carey said.
Alex Horan, a senior product manager at CORE Security, criticized Yahoo for apparently storing usernames and passwords without encrypting them.
“The bigger problem is these passwords were sitting there in the clear,” Horan said. He added that encrypting passwords was “Security 101.”
“That’s mind-blowing that a company wouldn’t do that,” he said.
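The two failures the article describes, a query that can be rewritten by user input and a credential table stored in the clear, are shown below beside their fixes. This is an added illustration, not code from Yahoo or from the researchers quoted; the table layout, email addresses and passwords are constructed, and the PBKDF2 parameters are an assumption chosen for the example.

```python
import hashlib
import hmac
import os
import sqlite3


def make_db():
    # Constructed in-memory stand-in for a site's user table
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT, pw TEXT)")
    return db


def seed(db, credentials):
    # Store only a salted hash, never the password itself
    for email, password in credentials:
        db.execute("INSERT INTO users VALUES (?, ?)", (email, hash_password(password)))


def lookup_unsafe(db, email):
    # Vulnerable: the input is spliced into the SQL text, so it can change the query
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return sorted(row[0] for row in db.execute(sql))


def lookup_safe(db, email):
    # Fixed: the value travels as a bound parameter and is never parsed as SQL
    sql = "SELECT email FROM users WHERE email = ?"
    return sorted(row[0] for row in db.execute(sql, (email,)))


def hash_password(password, salt=None):
    # Per-user random salt plus a slow KDF; a dumped table does not reveal passwords
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, password):
    # Recompute with the stored salt and compare in constant time
    salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)
```

With the constructed data, the concatenated query returns every row for an input that closes the string literal, while the parameterized query returns nothing for the same input.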
The Yahoo breach was the latest high-profile leak of customer data. Earlier on Thursday, the social network Formspring said that hackers posted password information belonging to about 420,000 accounts online.
And last month, the social networking site LinkedIn said it would enhance the security of its databases after 6.5 million user passwords were leaked online.
Security experts say such data breaches serve as a reminder for Internet users to use complex, unique passwords for various accounts.