Yahoo! has reportedly suffered a huge user account security breach, with login credentials for more than 453,000 users having been released into the wild. It has not been disclosed which of Yahoo!’s services was hacked, though TrustedSec speculates that it is Yahoo Voice, based on some of the subdomains included with the leaked list of 453,492 accounts.
The login details were released by a hack collective calling itself D33Ds Company, which claimed to have accessed the usernames and passwords with a union-based SQL injection, Ars Technica reports. Such an attack feeds database commands to a poorly secured server through input the application does not sanitize; “By injecting powerful database commands into them, attackers can trick back-end servers into dumping huge amounts of sensitive information,” Ars says.
However, D33Ds Company claims to have mitigated the potential damage of the leak by purposefully withholding more sensitive data. “We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure,” the group wrote. “Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”
Yahoo! has yet to comment on the breach, though it’s not the first embarrassing security gaffe at the company. Back in March, the company’s new Axis browser for iOS, PC and Mac was identified as having a potential loophole through which malware could be installed in the user’s browser.
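For readers who want to see why the union-based SQL injection mentioned above works and how parameter binding stops it, here is an added example that is not from Yahoo!, D33Ds Company or Ars Technica. The tables, function names and input value are constructed for illustration and run against an in-memory SQLite database.

```python
import sqlite3

# Constructed request value of the kind a union-based injection relies on.
CONSTRUCTED_INPUT = "0 UNION SELECT email, password FROM users"


def build_db():
    """Create an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (id INTEGER, title TEXT, body TEXT);
        CREATE TABLE users (email TEXT, password TEXT);
        INSERT INTO articles VALUES (1, 'Welcome', 'Hello');
        INSERT INTO users VALUES ('alice@example.com', 'constructed-pw-1');
        INSERT INTO users VALUES ('bob@example.com', 'constructed-pw-2');
    """)
    return db


def lookup_vulnerable(db, article_id):
    # Weak: the request value is pasted into the SQL text, so it can change
    # the structure of the statement, not just the value being compared.
    sql = "SELECT title, body FROM articles WHERE id = " + article_id
    return db.execute(sql).fetchall()


def lookup_parameterized(db, article_id):
    # Fixed: the statement text is constant and the value is bound as data,
    # so it is only ever compared against the id column.
    sql = "SELECT title, body FROM articles WHERE id = ?"
    return db.execute(sql, (article_id,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("concatenated :", lookup_vulnerable(db, CONSTRUCTED_INPUT))
    print("parameterized:", lookup_parameterized(db, CONSTRUCTED_INPUT))
    print("normal lookup:", lookup_parameterized(db, "1"))
```

The concatenated query returns rows from the `users` table because the second `SELECT` has the same number of columns as the first; the bound version returns nothing for the same input and still serves a legitimate lookup.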