In July 2012, Yahoo Voice, a user-generated content platform owned by Yahoo, suffered a major data breach. On July 11, 2012, a hacking group calling itself "D33DS Company" posted a file online containing approximately 450,000 login credentials and passwords from Yahoo Voice users. The data was obtained through a SQL injection attack that exploited vulnerabilities in Yahoo's database servers.[1][2][3][4]
Date | July 11, 2012 |
---|---|
Location | Yahoo! servers |
Also known as | Yahoo Voice hack |
Cause | SQL injection attack |
First reporter | TrustedSec |
Outcome | 450,000 usernames and passwords leaked |
Suspects | D33Ds Company (hacking group) |
Website | Yahoo! Voices |
Passwords were stored unencrypted |
The Breach
The Yahoo Voices breach occurred on July 12, 2012, when a hacking group calling themselves "D33DS Company" used a union-based SQL injection attack to gain unauthorized access to Yahoo's servers.[5] The attackers were able to extract and publish unencrypted account details, including emails and passwords, for approximately 450,000 user accounts belonging to the Yahoo Voices service.[6]
The compromised passwords were stored in plaintext, without any encryption or hashing protection.[6] This security oversight allowed the attackers to immediately access and publish the raw passwords without needing to crack them, significantly increasing the potential for immediate misuse of the stolen credentials.[5]
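As an added illustration (not code from the article or from Yahoo; the schema, rows and input string are constructed for the demo), the two failures described above are shown beside their hardened forms: a query built by string concatenation versus a bound parameter, and plaintext versus salted scrypt password storage.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed input for the demo; not the query used in the actual incident.
CONSTRUCTED_INPUT = "x' UNION SELECT email, password FROM users --"

def hash_password(password, salt=None):
    """Return 'salt$digest' (hex) using scrypt with a per-user random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt = bytes.fromhex(stored.split("$")[0])
    return hmac.compare_digest(hash_password(password, salt), stored)

def make_db(hashed):
    """Build a toy database (hypothetical schema, constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (title TEXT, author TEXT)")
    db.execute("CREATE TABLE users (email TEXT, password TEXT)")
    db.execute("INSERT INTO articles VALUES ('Gardening tips', 'alice')")
    for email, pw in [("alice@example.com", "hunter2"), ("bob@example.com", "letmein")]:
        stored = hash_password(pw) if hashed else pw  # plaintext is the weak setting
        db.execute("INSERT INTO users VALUES (?, ?)", (email, stored))
    return db

def search_vulnerable(db, author):
    # Weak: input is concatenated into the SQL text and can alter the query.
    sql = "SELECT title, author FROM articles WHERE author = '" + author + "'"
    return db.execute(sql).fetchall()

def search_safe(db, author):
    # Hardened: the bound parameter is only ever compared as a value.
    sql = "SELECT title, author FROM articles WHERE author = ?"
    return db.execute(sql, (author,)).fetchall()

if __name__ == "__main__":
    for hashed in (False, True):
        db = make_db(hashed)
        print("hashed" if hashed else "plaintext", "storage")
        print("  concatenated query:", search_vulnerable(db, CONSTRUCTED_INPUT))
        print("  bound parameter:   ", search_safe(db, CONSTRUCTED_INPUT))
```

With hashed storage the concatenated query still returns the user rows, but they hold only salts and scrypt digests, so fixing the query and fixing the storage are separate controls.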
D33DS Company announced the leak via a Twitter post, which has since been removed.[6] The hackers also prefaced their password dump with a statement detailing their use of a union-based SQL injection attack to obtain the data.[6] The full dump file containing the compromised user information was made available for download via BitTorrent, allowing for widespread distribution and potential misuse of the stolen credentials.[6]
The breach compromised approximately 450,000 user accounts, and the leaked data included usernames and passwords in plaintext. The attack specifically targeted Yahoo Voice, formerly known as Associated Content, which Yahoo had acquired in May 2010 for $100 million (£64.5 million). Using SQL injection techniques, the hackers were able to extract the data from Yahoo's servers and subsequently post the compromised information publicly online.[1][2][3][4]
Yahoo confirmed the breach, stating that "an older file from Yahoo Contributor Network... containing approximately 450,000 Yahoo and other company users' names and passwords was compromised." The company also noted that less than 5% of the Yahoo accounts had valid passwords.[3] According to US security firm Trustedsec, the compromised passwords were associated with a variety of email addresses including those from yahoo.com, gmail.com, and aol.com.[3][4]
The last entries in the data dump appeared to be linked to IDs created in 2006, suggesting that the compromised database might have been an older one no longer in active use.[4] At the time of the breach, Yahoo claimed to have more than 600,000 contributors to its Voice platform.[4]
Security experts suggested that the most alarming aspect of the attack was that the passwords for the accounts were stored unencrypted. This meant that any hacker could potentially use the stolen email addresses and passwords to access other services, including Yahoo Mail, putting far more accounts at risk than just those directly affected by the Voice breach.[4]
In a statement accompanying the data dump, the hackers said: "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat." They also noted that other security holes had led to previous disclosures and urged Yahoo not to take the vulnerabilities lightly.[1] The breach highlighted significant security flaws in Yahoo's systems, particularly the storage of passwords in plaintext rather than using encryption. This incident came shortly after other major data breaches at companies like LinkedIn, as well as similar attacks on Android Forums and Formspring, raising broader concerns about online security practices at the time.[1][4]
Response
In response to the breach, Yahoo stated they were "taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users and notifying the companies whose users accounts may have been compromised."[3] The company faced criticism for its security practices and failure to adequately protect user data. This breach was one of several major security incidents Yahoo would face in the coming years, culminating in the disclosure of even larger breaches affecting billions of accounts in 2016.[2]
Yahoo! said in a written statement that it takes security very seriously and is working hard to fix the vulnerability in its site. Yahoo! said that it was in the process of changing the passwords of the hacked accounts and notifying other companies of the hack.[7][8]
Controversy
There were no site-wide notifications about the hack, nor did any victim receive a personal message from Yahoo detailing how to reset their account password.[9] Joseph Bonneau, a security researcher and a former product analysis manager at Yahoo, said "Yahoo can fairly be criticized in this case for not integrating the Associated Content accounts more quickly into the general Yahoo login system, for which I can tell you that password protection is much stronger."[7]
References
1. Warren, Tom (2012-07-12). "Yahoo Voice website reportedly hacked, over 400,000 usernames and passwords made public". The Verge. Retrieved 2024-10-02.
2. Condliffe, Jamie (2016-12-15). "A History of Yahoo Hacks". MIT Technology Review. Retrieved 2024-10-02.
3. "Yahoo investigating exposure of 400,000 passwords". BBC News. 2012-07-12. Retrieved 2024-10-02.
4. Arthur, Charles (2012-07-12). "Yahoo Voice hack leaks 450,000 passwords". The Guardian. Retrieved 2024-10-02.
5. Bisht, Prabhat; Rauthan, Manmohan Singh; Bisht, Raj Kishore (September 2019). "Component Based Web Application Firewall for Analyzing and Defending SQL Injection Attack Vectors". International Journal of Recent Technology and Engineering. 8 (3): 4183–4190.
6. Mirante, Dennis; Cappos, Justin (2013-09-13). Understanding Password Database Compromises (Technical report). Polytechnic Institute of NYU.
7. "Yahoo! fails security 101 as 443,000 passwords are leaked". CNN Money. 2012-07-12. Retrieved 2012-07-29.
8. "Yahoo Voices is latest to be hacked with 450,000 accounts stolen". Webpronews.com. Retrieved 2012-07-29.
9. "Yahoo! fails to notify 453k+ of affected victims". Niuzer.com. Archived from the original on 2016-03-04. Retrieved 2012-07-29.
External links
- http://ycorpblog.com/2012/07/13/yahoo-0713201/ Archived 2012-08-04 at the Wayback Machine