Hackers post 453,000 plaintext Yahoo Voices logins

By on July 12, 2012, 12:00 PM

Another day, another password to reset. Hackers collectively known as "D33Ds Company" have posted unencrypted credentials for over 453,000 Yahoo Voices accounts. The group reportedly used an SQL injection to extract the information, which includes email addresses, passwords, over 2,700 database table or column names and 298 MySQL variables.

"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly," D33Ds said in the password dump.

"We are currently investigating the claims of a compromise of Yahoo! user IDs. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com," a Yahoo representative told the BBC today, along with encouraging users to change their passwords.

Although the company told BBC it's not sure what sites are affected, TrustedSec reports with certainty that the breach at least involves Yahoo Voices (formerly Associated Content), a Web publishing division that focuses on user-generated content. Hopefully, Yahoo will offer more details about affected services in the next day or two.

In the meantime, you can check if your account details were compromised by various means. A text document with all the credentials is available via D33Ds as well as popular torrent sites. Those seeking a more kosher source can use Should I Change My Password or this index, which shows email addresses but blurs passwords.




User Comments: 11

Got something to say? Post a comment
Tygerstrike said:

WOOOHOOO!!!

Yet another hacker group thinking thier Robin Hood and embarassing the Sherriff to get what they want. If these groups want to be taken seriously they need to contact the board members of the company they are security testing. How do these ****** think they are going to get paid? A nickle is going to fall out of thier computer hard drive everytime they post a password?

If they are indeed just a "testing" hacker group, then it also shouldnt hurt them to post who they really are online........

lipe123 said:

I thought SQL injection is the most basic attack possible and even college grad sys admins know how to avoid it?

HuntForTheWOrst said:

I thought SQL injection is the most basic attack possible and even college grad sys admins know how to avoid it?
Any website can get hacked by SQL but it takes Advanced hackers to hack websites like Facebook,Yahoo,Twitter etc These guy are known for their hacking their advanced and really good at it so they can do it.It was just way too advanced and hard for the rest of us and Yahoo has already had this happen to them before too well not the exact thing but they have gotten hacked.

Guest said:

Does this affect the regular Yahoo e-mails as well?

HuntForTheWOrst said:

Yes it will effect if your passwod was on the list cause it's the same thing used on yahoo answers!

So everything with yahoo is affected that uses yahoo emails but yours may have not been told so your good if it wasn't told

lipe123 said:

I thought SQL injection is the most basic attack possible and even college grad sys admins know how to avoid it?
Any website can get hacked by SQL but it takes Advanced hackers to hack websites like Facebook,Yahoo,Twitter etc These guy are known for their hacking their advanced and really good at it so they can do it.It was just way too advanced and hard for the rest of us and Yahoo has already had this happen to them before too well not the exact thing but they have gotten hacked.

No they cant, any website that doesnt santize input fields can get hacked. It's a GROSS oversight by whoever is in charge. http://en.wikipedia.org/wiki/SQL_injection

Basically it boils down to instead of putting your username in the login box you put "SELECT * FROM users WHERE name = 'a';DROP TABLE users; and bam it deletes all the users in the database with the username "a" cause the stupid webpage -> database thing isn't filtering out these inputs.

SQL injection is hacking 101 and if your company is affected by it its like "welcome to the hall of shame"

HuntForTheWOrst said:

No they cant, any website that doesnt santize input fields can get hacked. It's a GROSS oversight by whoever is in charge. http://en.wikipedia.org/wiki/SQL_injection

Basically it boils down to instead of putting your username in the login box you put "SELECT * FROM users WHERE name = 'a';DROP TABLE users; and bam it deletes all the users in the database with the username "a" cause the stupid webpage -> database thing isn't filtering out these inputs.

SQL injection is hacking 101 and if your company is affected by it its like "welcome to the hall of shame"

Oh **** I fcked up hardcore but you can also SQL it if the website is vulnerable but most popular websites arent vulnerable thanks for correcting my mistake:D

Yahoos been vulnerable many times though

Guest said:

None of my e-mails were in the dazzle pod list so I guess I'm in the clear. I don't think I'll be making any more yahoo emails though.

treetops treetops said:

sob now I am going to have to change some passwords

edit

THANK YOU

for the link I am not on the list

TJGeezer said:

Years ago, before switching to gmail for the spam filtering, I used a Yahoo email address for awhile. Haven't checked it in years and ignore anything that comes in, but on impulse I checked at your "should I change my password" link - it said my old addy was compromised on July 12.

Last time I even looked, the box had so much spam clogging it up I just left in disgust. Now I'm wondering if I should bother to change the address. I don't even know what my password was for that account, though I suppose I could go to the torrents and find out.

Nah. Not worth the trouble; let 'em have the old, dead mailbox.

treetops treetops said:

Years ago, before switching to gmail for the spam filtering, I used a Yahoo email address for awhile. Haven't checked it in years and ignore anything that comes in, but on impulse I checked at your "should I change my password" link - it said my old addy was compromised on July 12.

Last time I even looked, the box had so much spam clogging it up I just left in disgust. Now I'm wondering if I should bother to change the address. I don't even know what my password was for that account, though I suppose I could go to the torrents and find out.

Nah. Not worth the trouble; let 'em have the old, dead mailbox.

I switched to gmail too, but used the same pass as yahoo, changing that, I still keep it around for signing up to sites I suspect will spam me.

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.