Yahoo! Inc. said today that a security breach on its site exposed 450,000 user names and passwords for accounts at Yahoo and other Internet services such as Microsoft Corp.’s Hotmail and AOL Inc.
A file containing login credentials for Yahoo and other accounts was stolen from a Yahoo site featuring user articles, videos and slideshows on July 11, the company said in an e- mailed statement today.
“At Yahoo we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products,” the Sunnyvale, California-based company said in the statement. ’’We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised. We apologize to all affected users.’’
Yahoo spokeswoman Kate Wesson said the company has 298 million active Yahoo e-mail users worldwide. That means the breach affected less than one percent of users.
Reuters earlier reported that a hacker group called D33DS had posted online details of 450,000 user accounts and passwords that it claimed were taken from a Yahoo server.
TrustedSec, a Berea, Ohio-based security consultancy that reviewed the list of breached e-mail addressed, reported on its blog that the addresses included accounts from AOL and Hotmail.
The hackers that posted the information made efforts to mask which Yahoo site the stolen passwords came from, but inadvertently left clues in the file that point to the Yahoo! Voices site as the source of the breach, TrustedSec wrote.
The breached site was formerly known as Associated Content, a site for user-generated content that Yahoo bought in 2010 and re-branded last year.
Many of the victims may have been Associated Content users who signed up for the service before Yahoo turned it into Yahoo Voices, said Kurt Baumgartner, a security researcher at Russian antivirus firm Kaspersky Lab. That likely explains why non-Yahoo e-mail accounts were among the breached data, as users could sign up for the service with a variety of e-mail accounts, he said.
The Yahoo e-mail accounts of at least 10 foreign journalists based in China and Taiwan were hacked in March 2010, according to Reporters Without Borders, a Paris-based press freedom group. Yahoo said in an e-mailed statement in response to the breach that it “condemns all cyber attacks regardless of origin or purpose.”
Google Inc. said in January 2010 that it was one of at least 20 companies targeted in a “highly sophisticated” computer attack directed at e-mail accounts of human rights activists. That month, Yahoo was targeted by a Chinese attack similar to the one that affected Google, according to a person familiar with the matter.
Yahoo dropped 0.5 percent to $15.73 at 2:33 p.m. in New York. The shares had declined 2 percent this year through yesterday.