LONDON (AP) - Some 450,000 Yahoo users' email addresses and passwords have been leaked because of a security breach, the company confirmed Thursday, adding that just a small fraction of the stolen passwords were valid.
The company said in a statement that an "old file" from the Yahoo Contributor Network was compromised Wednesday. Among the stolen emails and passwords were many from Yahoo's own email service along with those of other companies. The Yahoo Contributor Network is a content-sharing platform.
Yahoo said it is fixing the vulnerability that led to the disclosure, changing the passwords of affected Yahoo users, and notifying other companies whose users' accounts may have been compromised.
"We apologize to all affected users," the company statement said.
Technology news websites including CNET, Ars Technica, and Mashable identified the hackers behind the attack as a little-known outfit calling itself the D33D Company. The group was quoted as saying it had stolen the unencrypted passwords using an SQL injection - the name given to a commonly used attack in which hackers use rogue commands to extract data from vulnerable websites.
"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call," the group was quoted as saying.
Online security experts said Yahoo might have done more to protect the stored passwords, with Ohio-based TrustedSec describing the Internet giant's decision not to encrypt them as "most alarming."
Nevertheless, the haul does not appear as useful to hackers as they might have thought. Yahoo cautioned that only 5 percent of passwords associated with its account holders were valid.
It was not immediately possible to contact the Ukraine-registered website associated with D33D Company. Its contact form was inoperable Thursday, while an email address and a phone number attributed to the site's registrant appeared to be invalid.
Copyright 2012 The Associated Press. All rights reserved.