A breach of nearly 450,000 Yahoo Voices account passwords, loudly advertised by its perpetrators on Wednesday, has troubling implications for data security practices during corporate acquisitions of Web service providers. The Yahoo Voices service includes content from the company’s 2011 purchase of Associated Content.
The password breach was posted on a public website by a group of hackers identified as D33Ds Company, which claims to have obtained the plain text file of accounts and password information using a union-based SQL injection. In this kind of attack, SQL fragments are entered into a site’s Web input fields and, because the site builds its database query from that input without separating data from code, a UNION clause can pull rows from tables that were never meant to be readable by the public.
Yahoo has confirmed that the breach occurred on its Contributor Network, which is how the company refers to the Yahoo Voices service. In a statement to TechCrunch, Yahoo acknowledged the breach and said that it was taking steps to correct the vulnerability that allowed the SQL injection to occur.
“We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 400,000 Yahoo! and other company user names and passwords was stolen yesterday, July 11. Of these, less than 5% of the Yahoo! accounts had valid passwords. We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose user accounts may have been compromised,” the statement read in part.
How Bad Was It?
Yahoo’s statement, meant to assuage concerns over how many valid passwords were actually revealed, may actually raise more questions. According to Säkerhetsbloggen, there were some 342,478 unique entries revealed in their analysis of the breached passwords.
But how literally should Yahoo’s 5% figure be read? Taking just the Yahoo-based domains discovered in the breach adds up to a grand total of 143,040 accounts, of which only 7,152 (or fewer) were actually active accounts.
It is not clear if Yahoo’s statement specified only Yahoo account information and not the remaining 199,438 accounts also revealed in the breach. (The New York Times says affected accounts also belonged to Gmail, AOL, Hotmail, Comcast, MSN, SBC Global, Verizon, BellSouth and Live.com users.) And even if Yahoo’s statement applied to the entire set of accounts, that’s still more than 17,000 active accounts exposed to the wild.
Whose Fault Was It?
Other questions yet unanswered include the vulnerability of the older Associated Content data itself. The content farm was acquired by Yahoo in May 2011, and had some 380,000 contributors and 16 million monthly visitors, which Yahoo quickly added to its portfolio in the form of the Yahoo Voices service.
Many observers have noted that the passwords appeared to have been stored in plain text, with no protection at all. So did Yahoo also inherit a security hole when it bought Associated Content in 2011? Or was the vulnerability something that cropped up during the service’s 14 months in Yahoo’s custody?
If Yahoo failed to perform proper security due diligence when it integrated the Associated Content network, that’s a disturbing notion to consider in any future acquisitions. And, if Yahoo did take a hard look at Associated Content’s security measures, and this was a Yahoo-specific problem, how many other Yahoo servers remain affected by the same SQL injection vulnerability? And how much other user data is stored without encryption?
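The two defects the article describes, a query built from raw Web input that an injected UNION can extend, and passwords stored in plain text so that a dumped table yields them directly, side by side with the parameterized query and salted hashing a defender would use. This is an added illustration written for this page, not code from Yahoo, Associated Content or the article; the table, column names and sample rows are constructed.

```python
# Added example, not from the article: a minimal account lookup against an
# in-memory SQLite database, in a vulnerable and a hardened form.
import hashlib
import hmac
import os
import sqlite3

db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (username TEXT, password TEXT)")


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'salt$digest' using salted PBKDF2-HMAC-SHA256, never the plain text."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$")
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


# Constructed sample rows: one stored in plain text (as in the breached file),
# one stored as a salted hash (what a dump should have contained instead).
db.execute("INSERT INTO users VALUES ('alice', 'alice-secret')")
db.execute("INSERT INTO users VALUES ('bob', ?)", (hash_password("bob-secret"),))


def lookup_vulnerable(username: str) -> list:
    """The WHERE clause is pasted together from raw input, so the input can
    change the query itself (for example by appending a UNION SELECT)."""
    query = f"SELECT username, password FROM users WHERE username = '{username}'"
    return db.execute(query).fetchall()


def lookup_safe(username: str) -> list:
    """Parameterized: the driver binds the input as a value, never as SQL text,
    so a UNION or quote in the input only ever matches a literal username."""
    query = "SELECT username, password FROM users WHERE username = ?"
    return db.execute(query, (username,)).fetchall()
```

With the hardened pair in place, even a successful dump of the table exposes salted digests rather than reusable passwords, and the injected text in the parameterized version simply matches no row.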
No matter the answers to these questions, Yahoo users – and users of any Web services – should pay attention to their potential vulnerabilities any time a service is acquired by a new owner.