It has been reported that on the 12th of July the well-organized, unknown cyber criminals of D33DS Company stole over 450,000 Yahoo Voices users’ login details and shared them with the public. The database, whose server was breached, amounts to around 30% of Yahoo logins, and passwords from other popular e-mail service providers (Gmail, AOL, Hotmail and Microsoft Live) have also been stolen. Even though data breaches are no longer as scandalous, given the recent password theft incidents at the LinkedIn, eHarmony and Lastfm.com websites, the company is still accused of breaking its legal obligation to protect highly sensitive, identifying personal data, and experts are raising security questions.
Without a doubt, Yahoo failed to protect its users’ privacy, and now the company is rushing to implement measures supposedly fit to guard affected users’ accounts and to prevent similar “accidents” from happening again. Of course, this is a must, and the least that could be done, because the company itself is now being held responsible for allowing self-proclaimed hacktivists to access data without any obstacles. It is now known that the attackers used SQL (Structured Query Language) injection to gain administrative privileges, which allowed them to access private login details that were kept in clear text, without any sort of encryption. D33DS stated that this action had no criminal intent:
“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.” – D33DS (July, 2012).
Even if D33DS Company does not have any malicious plans to breach the privacy of the Yahoo Voices users whose login details were stolen, it is certain that third parties with access to the publicly exposed sensitive data could use this information for their own attacks. Therefore, all users are urged to protect their online accounts with strong passwords immediately. Additionally, you can check whether your Yahoo login details were exposed here.
In the latest response, Yahoo declared that all security vulnerabilities are now under control, adding: “At Yahoo we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products.” Of course, Yahoo users are much more likely to value practical data security than apologetic blog posts, which leave the company’s customers no other choice but to forget the incident. Unfortunately, there is no data on the number of accounts that were withdrawn after the incident; however, such action is completely justifiable, because the company did not manage to meet its legal responsibility to protect its own customers.
It appears the hackers used a SQL injection to access the database, which would have given them administrator-level access to the database and all its content.