If the news that the Yahoo! Contributor Network user-generated content site has been breached, with more than 450,000 usernames and passwords compromised as a result, wasn't bad enough, look behind yesterday's headlines and the situation is revealed to be much, much worse. If you were one of those folk who signed into the Yahoo! Contributor Network using your Gmail or Hotmail address and password, then those accounts must now be treated as compromised too.
The D33Ds Co hacker collective has published a file containing all the login data from the breach, which appears to have been as simple as the most basic of SQL injection exploits. No, seriously: Yahoo! (one of the biggest Internet brands on the planet) appears to have fallen victim to one of the easiest of all security vulnerabilities to defend against.
If that wasn't bad enough, the paired usernames and passwords also appear not to have been hashed, let alone salted: they just sat there in the database in plain text. At least the LinkedIn passwords exposed in that breach were hashed, even if they weren't salted, whereas Yahoo! apparently couldn't even be bothered with basic password hashing of any kind. That matters because an attacker who can read the table, whether by injection or any other route, reads every password directly, with no cracking step in between.
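To make both points concrete, here is an added illustration of the two defects described above: a login check built by pasting user input into SQL, over a table that stores passwords as plain text, next to the hardened form that binds parameters and stores a salted, iterated hash. This is example code written for this article, not Yahoo!'s code, schema or the actual exploit used; the user table, the usernames and the passwords in it are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for an in-memory database. Assumption: these
# stand in for any site's user table and have no connection to the breach.
SAMPLE_USERS = [("alice", "hunter2"), ("bob", "letmein")]


def make_plaintext_db():
    """Password column stored as typed: the storage defect described above."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return db


def lookup_vulnerable(db, username, password):
    """String-built SQL: whatever the visitor typed becomes part of the
    statement. Returns every row the statement produced, so the effect of
    an injected UNION is visible to the caller."""
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return [row[0] for row in db.execute(query).fetchall()]


def login_vulnerable(db, username, password):
    """Authentication succeeds if the query matched anything at all."""
    return len(lookup_vulnerable(db, username, password)) > 0


# Hardened version: bound parameters plus a salted, iterated hash.

def hash_password(password, salt=None, iterations=100_000):
    """PBKDF2-HMAC-SHA256 with a per-user random salt. The stored digest
    reveals neither the password nor whether two users chose the same one."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def make_hashed_db():
    """Same accounts, but only salt and digest reach the database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    for name, pw in SAMPLE_USERS:
        salt, digest = hash_password(pw)
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, digest))
    return db


def login_safe(db, username, password):
    """The username is passed as a bound parameter, so it is data, never SQL.
    The password is checked by recomputing the hash with the stored salt and
    comparing in constant time."""
    row = db.execute("SELECT salt, digest FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    vuln = make_plaintext_db()
    # Classic bypass: the injected OR makes the WHERE clause true for every row.
    print(login_vulnerable(vuln, "alice", "' OR '1'='1"))
    # UNION pulls the plaintext password column straight out of the table.
    print(lookup_vulnerable(vuln, "' UNION SELECT password FROM users --", "x"))
    safe = make_hashed_db()
    print(login_safe(safe, "alice", "' OR '1'='1"))
    print(login_safe(safe, "alice", "hunter2"))
```

Run it and the first two lines show why the two defects compound each other: the injection that bypasses the login is the same injection that hands over every stored password, and with plain text storage there is nothing left for the attacker to crack. The hardened path fails closed on the injected string and, even if the table were dumped some other way, yields only salts and digests.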
It's not even that Yahoo! can blame the Associated Content site that it acquired for $100 million and turned into the Yahoo! Contributor Network for the lax security measures. That acquisition was two years ago now, plenty of time for Yahoo! to have sewn it up tight. The statement from Yahoo! that "we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products" really doesn't seem to quite gel with this particular episode I'm sorry to say.
Yahoo! itself claims that no more than 5% of the published logins are current, but even if those claims are correct that would still leave 22,500 folk at risk. And anyway, this breach goes beyond just being a case of 'your breach was bigger than mine' as any breach of any size is a security lapse too far. Plus, of course, as I've hinted at already the breach also puts other system logins at risk. A quick analysis of the hacked file would seem to suggest more than 100,000 Gmail accounts are included, and more than 50,000 Hotmail accounts.
The usual advice applies: if you have ever used the Yahoo! Contributor Network service, or the Associated Content site before it, change your password. If you signed in with your Gmail or Hotmail credentials, or used the same password there as anywhere else, change those passwords as well. And do it now.
Rob Rachwald, Director of Security Strategy at Imperva, says "Sadly, this breach highlights how enterprises continue to neglect basic security practices. One would think the recent LinkedIn breach would have encouraged change, but no. Rather, this episode will only inspire hackers worldwide".
You can check if your email address appears on the list of hacked accounts using this tool.