Yahoo Voices Accounts Exposed and Available to the General Public

Friday, July 13, 2012

Marc Quibell

94c7ac665bbf77879483b04272744424

First, remain calm.

453,407 Yahoo Voices accounts were usurped and posted on the 'net Thursday morning.

These accounts consist of username (email address, which can be any email address such as Hotmail and Gmail) and the associated password.

IOW, if you were ever a contributor to Yahoo! Voices or Yahoo! Contributor Network (personally I've never heard of them) then you better change the account password. Now. Otherwise, don't worry about it.

In a company statement, Yahoo stated:

"At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 400,000 Yahoo! and other company users names and passwords was stolen yesterday, July 11.  Of these, less than 5% of the Yahoo! accounts had valid passwords. We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised.  We apologize to affected users.  We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com."

You will have to forgive me if I say that if Yahoo took "security very seriously" this probably may not have happened. Maybe Yahoo! people padding their resume is not just limited to a former CEO?

This is obviously a fail in their IT Security practices, on many accounts, beginning with the SQL Injection attack used to compromise the server (yes, it only took one server to compromise for this to occur). But I'm sure there's more than enough criticism out there that covers this aspect.

I'd also like to know how exactly Yahoo! will "change the passwords of affected users" when the accounts are linked from different providers such as Gmail. Change your password, ignore what Yahoo! says, your email account you used to log into this Yahoo! service may not be safe. 

Don't panic - you can easily verify whether your email account was exposed by going to one of many parsing sites that go through the list of stolen accounts. Here is one such link: http://labs.sucuri.net/?yahooleak

Finally, since we have a list of passwords plastered all over the 'net, I found this rather humorous article that analyzed password uses: Passwords by the Numbers. Enjoy!

Possibly Related Articles:
10374
Viruses & Malware
Industrial Control Systems
SQl Injection Data Loss Encryption Passwords Yahoo Vulnerabilities Information Security breach
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.