LONDON (AP) — Some 450,000 Yahoo users’ email addresses and passwords have been leaked because of a security breach, Yahoo confirmed Thursday, adding that just a small fraction of the stolen passwords were valid.
The company said in a statement that an “old file” from the Yahoo Contributor Network was compromised Wednesday. Among the stolen emails and passwords were many from Yahoo’s own email service along with those of other companies. The Yahoo Contributor Network is a content-sharing platform. Yahoo said it is fixing the vulnerability that led to the disclosure, changing the passwords of affected Yahoo users, and notifying other companies whose users’ accounts may have been compromised.
Online security experts said Yahoo might have done more to protect the stored passwords, with Ohio-based TrustedSec describing the Internet giant’s decision not to encrypt them as “most alarming.”
Technology news websites including CNET, Ars Technica, and Mashable identified the hackers behind the attack as a little-known outfit calling itself the D33D Company. The group was quoted as saying it had stolen the unencrypted passwords using an SQL injection — the name given to a commonly used attack in which hackers use rogue commands to extract data from vulnerable websites.