Hackers take Yahoo: 453,000 login credentials nabbed

Dan Goodin at Ars: "The dump, posted on a public website by a hacking collective known as D33Ds Company, said it penetrated the Yahoo subdomain using what's known as a union-based SQL injection. ... To support their claim, the hackers posted what they said were the plaintext credentials for 453,492 Yahoo accounts."
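The quoted account names the technique (a union-based SQL injection) but does not show what one looks like. The following is an added example written for this page, not code from Yahoo, Ars or D33Ds Company: a constructed SQLite database with a public post search and a private users table, the search query built by string concatenation as the vulnerable form, a parameterized query as the fix, and a UNION payload that drags the users table out through the search results. The table and column names, the payload, and the sample rows are all assumptions made for the demonstration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample schema (not breach data): a searchable posts table
    plus a users table that stores passwords in plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT);
        INSERT INTO posts (title, body) VALUES
            ('Welcome', 'First post'),
            ('Travel tips', 'Pack light');
        INSERT INTO users (email, password) VALUES
            ('alice@example.com', 'pokemon'),
            ('bob@example.com', 'monkey23');
    """)
    return conn


def search_posts_vulnerable(conn: sqlite3.Connection, term: str):
    """Vulnerable form: the user-supplied term is spliced into the SQL text,
    so a quote in the term ends the LIKE pattern and the rest is parsed as SQL."""
    sql = "SELECT title, body FROM posts WHERE title LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_posts_safe(conn: sqlite3.Connection, term: str):
    """Fixed form: the term is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT title, body FROM posts WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# Union-based payload (assumed, for the demo): close the quoted pattern,
# append a SELECT with the same number of columns (2) as the original query
# so UNION is legal, and comment out the trailing "%'" the application adds.
UNION_PAYLOAD = "zzz%' UNION SELECT email, password FROM users -- "


def union_column_mismatch(conn: sqlite3.Connection) -> bool:
    """A UNION whose column count differs from the original SELECT is rejected.
    Attackers use exactly this error to enumerate the column count before
    building a working payload; True means the mismatch was detected."""
    try:
        search_posts_vulnerable(conn, "zzz%' UNION SELECT email FROM users -- ")
    except sqlite3.OperationalError:
        return True
    return False


def demo() -> dict:
    """Run the same payload through both search functions."""
    conn = build_db()
    return {
        "vulnerable": search_posts_vulnerable(conn, UNION_PAYLOAD),
        "safe": search_posts_safe(conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Through the vulnerable function the payload returns the two constructed email/password pairs instead of posts; through the parameterized function the whole payload is just an unusual search string that matches nothing. The same pattern applies to any database driver: the fix is binding, not escaping.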


  1. Hmm, mom recently passed and took her password with her. Tried getting in, nope, maybe D33Ds got it for me. Seems the D co didn’t secure their own stuff because they got all their own info posted by another’s SQL attack – circlejerk

  2. To support their claim, the hackers posted what they said were the plaintext credentials for 453,492 Yahoo accounts.

    Luckily, none of the accounts had been used since 1998.

    1. It’s a good joke, but Flickr accounts require a Yahoo account so even a lot of tech-savvy people have Yahoo accounts they regularly use… including e.g. Cory Doctorow who posts photos to his account regularly (and myself).

      But if it was Yahoo Voice that was compromised as petsounds reports below, well, I have no idea what Yahoo Voice is or who its users are but the crossover with Flickr users is probably pretty small :)

      1. It still might not be “that” bad…


        only about 5 percent of the exposed credentials were still valid on Yahoo

        According to Yahoo in that article, at least.

  3. The fact that they posted plaintext passwords means that Yahoo had plaintext passwords on file.  This, in turn, means that Yahoo has no idea what they’re doing when it comes to security.  You do NOT store plaintext passwords.
    Incompetence at Yahoo is really no surprise though.

    1.  Probably but not guaranteed – has anyone seen the password dump?  How strong are the passwords?  It could be that the passwords they posted as plaintext are simply those that were weak enough to rapidly crack the hashes.
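Whether the dump came straight from a plaintext column or from cracking weak hashes is argued above. The following added example (written for this page, not the commenters' code; the wordlist, records and iteration counts are constructed) shows why the distinction matters little for weak passwords stored behind a fast unsalted hash, and what a salted, iterated hash changes: the attacker can no longer reuse one precomputed table across every account.

```python
import hashlib
import hmac
import os

# Constructed wordlist for the demo. A few entries echo the weak strings
# quoted in the comments; this is not breach data.
WORDLIST = ["123456", "password", "pokemon", "monkey23", "daniela", "employment"]


def md5_unsalted(password: str) -> str:
    """A fast, unsalted hash: cheap to compute and identical for every user
    with the same password."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(leaked_hashes, wordlist):
    """Dictionary attack on unsalted hashes. One hash per candidate word serves
    every leaked record at once. Returns (recovered, hashes_computed)."""
    table = {md5_unsalted(w): w for w in wordlist}
    recovered = {h: table[h] for h in leaked_hashes if h in table}
    return recovered, len(wordlist)


def pbkdf2_store(password: str, iterations: int = 600_000, salt=None) -> str:
    """Salted, stretched storage in a self-describing format:
    pbkdf2_sha256$iterations$salt_hex$hash_hex."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored_records, wordlist):
    """The same dictionary attack against salted PBKDF2 records. The per-record
    salt defeats the shared lookup table, so each (record, word) pair costs a
    full PBKDF2 run. Returns (recovered, pbkdf2_runs)."""
    recovered = {}
    work = 0
    for stored in stored_records:
        for w in wordlist:
            work += 1
            if pbkdf2_verify(w, stored):
                recovered[stored] = w
                break
    return recovered, work


if __name__ == "__main__":
    leaked = [md5_unsalted("pokemon"), md5_unsalted("monkey23"), md5_unsalted("ljm*8702")]
    print(crack_unsalted(leaked, WORDLIST))
    records = [pbkdf2_store("pokemon", iterations=50_000), pbkdf2_store("ljm*8702", iterations=50_000)]
    print(crack_salted(records, WORDLIST))
```

Weak passwords still fall to the salted attack, so hashing is not a substitute for rejecting them; what the salt and iteration count buy is that the cost scales with the number of accounts and the attacker gets no reusable rainbow table. The iteration count is stored with the hash so it can be raised later without invalidating existing records.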

  4. Like someone posted on Ars, a lot of these email accounts aren’t just limited to Yahoo.  But that makes me wonder if they are just linked to the Yahoo account, just like you can link other email accounts into GMail.  The plaintext part bothers me, but I’m more concerned with an SQL injection attack…I thought those kinds of things died out years ago.  (Perhaps Ars was simplifying it all for the readers?)

  5. lol their announcement page is down because of the traffic volume. Lucky there’s always BT.



    OK I don’t think there’s a lot for users to worry about as (I believe) these are only email/PW combinations to use the Yahoo Voice whatever-it-is, NOT login details for email inboxes themselves. All of the email/PW combos I tried didn’t work (except one on Yahoo that said I hadn’t signed into my email in a while). The only users at risk are ones that actually USE Yahoo mail…. plus users who use the same PW across several accounts which means they’re asking for it anyway :)

    There are a few US military emails in there… let’s see how effective they are at creating strong passwords. First 15 on the list: maestero, emanuel, pat727rod850, portal55, a@rron76 , pokemon, soccerba11, annieruth60, 153125, daniela, employment, monkey23, armani1, 12snooks34, ljm*8702
    Conclusion: mostly terrible

    bcsizemo: I believe a majority of attacks still use SQL injection. WordPress installations were getting screwed over a few months ago.

  6. Thank goodness for 1Password.  I just have to know one ridiculously complex password for that to keep track of all my other passwords. Stuff like this happening is why I don’t like the idea of keeping all my credentials in one place “in the cloud” with some multi-service thing. One service fails, then many others may go down with it.
