July 13, 2012 12:15 am
Yahoo has become the latest internet company to be forced to acknowledge a security breach and apologise to users after hackers posted the logon details of more than 453,000 accounts on a public website.
The attack coincided with Yahoo’s annual meeting on Thursday at which the company had been expected to announce a successor to Scott Thompson, the chief executive who left under a cloud in May. No such announcement was made.
A group of hackers calling themselves the D33Ds Company posted user names and passwords which mostly belonged to Yahoo users but reportedly also included some logons belonging to users of other services.
The hackers, who claimed to have stolen the passwords using a technique called an SQL injection, which inserts malicious code into server-based software, said they had posted the details to highlight the vulnerability of the files. “We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call and not as a threat,” they said.
Yahoo subsequently confirmed that an older file from Yahoo Contributor Network, previously Associated Content, containing about 450,000 names and passwords for Yahoo and other companies’ systems had been compromised on Wednesday. It claimed that less than 5 per cent of the account passwords were still valid.
Yahoo apologised to affected users and urged them to change their passwords on a regular basis and follow the company’s security and safety tips.
“Yahoo takes security very seriously and invests heavily in protective measures to ensure the security of our users and their data across all our products,” the company said. “We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users and notifying the companies whose users’ accounts may have been compromised.”
The security breach at Yahoo comes just a month after hackers posted 6.5m passwords belonging to members of LinkedIn, the online social network for professionals. Other sites including eHarmony, Last.fm and Formspring have reported similar attacks.
Security industry professionals said the attacks highlighted the continuing vulnerability of some sites. “SQL injection attacks have become the method of choice among hackers seeking to exploit weaknesses in IT infrastructures but with solutions readily available that are capable of blocking these threats, it’s frustrating that these attacks are still so successful,” said Chris Hinkley, senior security engineer at Firehost, a secure cloud hosting company.
Copyright The Financial Times Limited 2012. You may share using our article tools.