In a blog post, Yahoo! said “We have taken swift action and have now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of notifying affected users. In addition, we will continue to take significant measures to protect our users and their data.”
The hacker collective going by the name D33Ds Company took responsibility for the hack earlier and said that they had used a very basic “union-based SQL injection” technique to get their hands on the login credentials. For not-so-security-savvy readers, SQL injection is a technique used to trick a website's database into giving out more information than it is supposed to, in most cases private and confidential information.
There are two things at which Yahoo! has failed miserably when it comes to this particular site. First and foremost is the apparent lack of code review, which would definitely have caught such a basic vulnerability, and next is the storage of passwords in plain text. We would expect a company like Yahoo! to take this seriously and store passwords in hashed form (cryptographic masking), just to deter malicious elements on the web even if they get their hands on such information.
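As an added illustration (not code from the original article or from Yahoo!), the Python sketch below shows both failings side by side using an in-memory SQLite table and constructed sample accounts: a lookup built by string concatenation, where a stray quote in the input already alters the SQL statement, next to a parameterized lookup and salted password hashing, so that a stolen table no longer contains usable passwords.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory user store; the table name, columns and accounts are
# illustrative assumptions, not Yahoo!'s schema.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256: the stored value cannot be turned back into the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(email: str, password: str) -> None:
    salt = os.urandom(16)
    # Placeholders keep user input as data; it is never spliced into SQL text.
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (email, salt, hash_password(password, salt)))

def lookup_unsafe(email: str) -> list:
    # The flawed pattern: input is concatenated into the query, so a quote in the
    # data changes the structure of the statement itself.
    return conn.execute(f"SELECT email FROM users WHERE email = '{email}'").fetchall()

def lookup_safe(email: str) -> list:
    return conn.execute("SELECT email FROM users WHERE email = ?", (email,)).fetchall()

def quote_breaks_unsafe_query(email: str) -> bool:
    # Defender's check: does ordinary data containing a quote already derail the SQL?
    try:
        lookup_unsafe(email)
        return False
    except sqlite3.Error:
        return True

def stored_hash(email: str) -> bytes:
    return conn.execute("SELECT pw_hash FROM users WHERE email = ?", (email,)).fetchone()[0]

def verify_login(email: str, password: str) -> bool:
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the recomputed hash against the stored one.
    return hmac.compare_digest(stored, hash_password(password, salt))

register("alice@example.com", "correct horse battery")  # constructed sample account
```

Running `quote_breaks_unsafe_query("o'brien@example.com")` returns True while `lookup_safe` handles the same address cleanly, and `stored_hash` never equals the plaintext password.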
Yahoo! has also confirmed that the stolen login credentials were part of its Yahoo Contributor Network, which was previously known by the name Associated Content.
According to Rapid7, out of the 430,000 credentials only about a third (33%) were registered to a yahoo.com email address, while 23.6% were registered to Gmail accounts and 12.2% to Hotmail accounts, notes ComputerWorld.
If you think that your account might be one of the hacked ones, we would recommend changing your password ASAP as a precautionary measure.