In the latest in a string of password leaks, a hacker or hacking group calling itself “DD3Ds Company” leaked what it said were plaintext passwords for 453,492 Yahoo accounts, calling the attack a “wake-up call,” not a threat, according to an article from Information Week.
DD3Ds also released more than 2,700 database table or column names, as well as 298 MySQL variables. The groups said it obtained the data by executing a SQL injection attack against Yahoo Voice, a Yahoo subdomain purchased in 2010 from online call company Associated Content, the article says.
In a note included in the password dump, the hackers say: “We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. … There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”
A Yahoo spokesman said that the company is currently investigating the alleged password leak.
This is only one of many recent password leaks from notable personal and social networking sites, such as eHarmony and LinkedIn.
According to DD3Ds, Yahoo was not even hashing its passwords – the process in which a normal, typed password is run through an encryption algorithm to produce a digital fingerprint of the password which cannot easily be traced back to the original word.
Plus, if DD3Ds is correct in stating that Yahoo was storing passwords in plaintext without encryption, privacy experts foresee FTC sanctions, the article says.
For more information on how to protect your business or organization from hackers and data breaches, read this week's Security eNewsletter article: 5 Steps to Protecting Data in Small- and Medium-Sized Businesses.