A group of hackers this Thursday published on the Internet a list of over 453,000 login credentials that were allegedly stolen from a database associated with an unnamed Yahoo service.
The hackers call themselves “the D33Ds Company” and claim to have broken into the database by exploiting an SQL injection vulnerability found on a Yahoo subdomain.
“The subdomain and vulnerable platforms have not been sent to avoid further detriment,” the hackers said in their statement.
The leaked information contains MySQL server variables, the names of database tables and columns, and a list of 453,492 email addresses and passwords in plain text.
The exposed login credentials include not only yahoo.com email addresses but also addresses from other email providers, public and otherwise.
Anders Nilsson, chief technology officer at Eurosecure, antivirus vendor ESET’s provider in Scandinavia, said that the most common domain names for the leaked email addresses were yahoo.com, gmail.com, hotmail.com and aol.com.
The most common password was “1234546”, used by 1,666 users, followed by the word “password”, seen 780 times. In addition, “password” was used as a base word for 1,373 passwords.
Although the hackers didn’t name the affected Yahoo subdomain, Dave Kennedy, the CEO of security firm TrustedSec, speculated, based on a host name that appeared in the stolen data, that the service is Yahoo Voices, a Yahoo library of user-generated content called Associated Content.
Yahoo was not in a position to immediately confirm the compromise or name the affected service, if any. Caroline MacLeod Smith, Yahoo’s head of consumer PR in the UK, said via email that the company is currently investigating the claims of a compromise of Yahoo! user IDs. MacLeod Smith further pointed out that Yahoo encourages users to change their passwords on a regular basis and to familiarize themselves with its online safety advice at security.yahoo.com.
“We hope that the parties liable for adjusting the security of this subdomain will take this as a wake-up call and not as a threat,” the hackers said. “There have been many security holes exploited in web-servers attached to Yahoo Inc. that have caused greater loss than our disclosure. Please don’t take them lightly.”
If someone’s login credentials are leaked, there is not much they can do except change their passwords as soon as possible, pressure the responsible service provider to improve its security, and consider moving to a safer service, David Harley, a senior research fellow at antivirus vendor ESET, said in a blog post today.