Attackers allegedly exposed 453,000 Yahoo credentials, posting them on hacker site D33D Company as plain text. The compromised server was likely Yahoo! Voice, formerly known as Associated Content, as first reported by TrustedSec.
Hackers got into the Yahoo subdomain using a union-based SQL injection technique, in which an unsanitized request parameter is used to append an attacker-controlled UNION SELECT clause to the application's own query, so the database returns the contents of other tables alongside the expected result, effectively dumping the database to the attacker.
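The two failures the report describes, a query built by string concatenation and credentials stored as plain text, are easy to see side by side in a small program. The following is an added illustration written for this article, not code from Yahoo or from the reporters: it uses an in-memory SQLite database with constructed tables and sample accounts (`articles`, `users`, `alice@example.com`, `hunter2`) that stand in for a content site, shows how a concatenated lookup can be turned into a UNION query that reads a second table while a parameterized lookup treats the same input as a literal value, and shows per-user salted PBKDF2 hashing so that a dumped table does not yield usable passwords. The function names and the iteration count are assumptions for the example.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumed value for this example; tune to your hardware


def build_db() -> sqlite3.Connection:
    """Constructed sample database: an article table and a credential table.

    The users table stores passwords in plain text on purpose, to mirror the
    situation described in the article.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT);
        INSERT INTO articles VALUES (1, 'Hello', 'first post');
        INSERT INTO articles VALUES (2, 'World', 'second post');
        INSERT INTO users VALUES (1, 'alice@example.com', 'hunter2');
        INSERT INTO users VALUES (2, 'bob@example.com', 'letmein');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, article_id: str) -> List[Tuple[str, str]]:
    """Vulnerable form: the request parameter is spliced into the SQL text.

    A value such as "1 UNION SELECT email, password FROM users" is parsed as
    SQL, so rows from the users table come back alongside the article.
    """
    sql = "SELECT title, body FROM articles WHERE id = " + article_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, article_id: str) -> List[Tuple[str, str]]:
    """Hardened form: the parameter is bound, never parsed as SQL.

    The same UNION payload is compared as a literal string against the
    integer id column and simply matches nothing.
    """
    return conn.execute(
        "SELECT title, body FROM articles WHERE id = ?", (article_id,)
    ).fetchall()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a salted PBKDF2-HMAC-SHA256 digest instead of the password.

    Returns "<salt hex>$<digest hex>"; a fresh random salt is drawn per user
    unless one is supplied (deterministic salts are only for testing).
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    db = build_db()
    payload = "1 UNION SELECT email, password FROM users"
    print("concatenated query returns:", lookup_vulnerable(db, payload))
    print("parameterized query returns:", lookup_parameterized(db, payload))
    record = hash_password("hunter2")
    print("stored record:", record)
    print("verify correct password:", verify_password("hunter2", record))
    print("verify wrong password:", verify_password("letmein", record))
```

Run as a script, the concatenated lookup prints the article plus both credential rows, while the parameterized lookup prints an empty list for the same input. The hashing half shows the second layer of defence the article implies: had the exposed table held salted, slow hashes rather than plain text, a dump of 453,000 rows would still have required a per-account cracking effort rather than being directly reusable.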
“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat,” read the message at the end of the dump. “There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”
The dump includes 54,000 Hotmail addresses, 106,000 from Gmail customers, and 136,000 from Yahoo! users, according to a DataLossDB analysis. Of the credentials exposed, 342,509 are unique.
The exposure comes shortly after a series of apparently unrelated LinkedIn, eHarmony, and Last.fm password breaches which made more than 8 million credentials vanish in one go. Also, social media network Formspring has just discovered 420,000 hashed passwords exposed on a security forum.
Yahoo hasn't commented on the alleged breach.