
Yahoo releases fix for email vulnerability

Yahoo has said that it has fixed the vulnerability that led to the unauthorised release of more than 450,000 email passwords from users of Yahoo Voices.

"We have taken swift action and have now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of notifying affected users," Yahoo said in a blog post. "In addition, we will continue to take significant measures to protect our users and their data."

The released data affected those who joined Associated Content before May 2010, which was when Yahoo acquired the company. "This compromised file was a standalone file that was not used to grant access to Yahoo systems and services," Yahoo said.

The next time users who joined Associated Content before May 2010 sign in to their Yahoo account, they will likely be asked to answer a series of authentication questions to change and validate account details, according to Yahoo.

"At Yahoo we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products," the company said. "We sincerely apologize to all affected users."

According to security firm Sophos, the list of 453,491 emails and passwords was posted online by hacker group D33DS Company.

"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," D33DS said, according to a Sophos blog post.

In a new post, Sophos highlighted some of the insecure passwords many of the Yahoo hack victims were using. These included 1,666 people who used "123456" and 780 who used "password." Other popular selections were "welcome," "ninja," "sunshine," "princess," and "qwerty."

Yahoo is not the only one to be affected by a hack in recent days. Nvidia shut down its Developer Zone after a hack that might have gained access to password information. And Phandroid revealed that its Android forums also suffered a breach.