Yahoo headquarters in Sunnyvale, California. A hacking attack on Yahoo Voices has seen 450,000 passwords stolen. Photograph: Paul Sakuma/AP
More than 450,000 usernames and unencrypted passwords appear to have been stolen from Yahoo Voice, a user-contribution services on Yahoo’s network, and posted online.
Similar attacks have been reported separately against other online services, including Android Forums and Formspring, where users are being encouraged to change their passwords immediately, and to check whether they used the same password on other services.
It is not known whether the attacks are linked. Both Formspring and Android Forums encrypted the passwords that they stored, although that is not a guarantee that they cannot be cracked.
However the Yahoo attack is potentially the most serious. Yahoo bought Associated Content for $100m (£64.5m) in May 2010, and then set it up as Yahoo Voices, allowing user-generated content to be posted online.
Yahoo claims to have more than 600,000 contributors – which would include many of the data dump if it is verified. The Guardian could not verify whether any of the accounts were still active.
The last entries in the data dump appear to be linked to IDs which were created in 2006 – which could mean that the listing discovered by the hacker, or hackers, is an old one that is no longer in use.
Security experts said that the most worrying aspect of the attack was that the passwords for the accounts were not encrypted – meaning that any hacker could scoop up the emails and immediately start using them against other services, including Yahoo Mail.
That potentially puts far more at risk than just the Yahoo Voices accounts if they are still active.
Writing at the Trusted Security site, David Kennedy noted that: “The passwords [were linked to] a wide variety of email addresses including those from yahoo.com, gmail.com, [and] aol.com,” and that they seem to have been extracted using an SQL injection attack – an increasingly common form of hacking attack in which flaws in the database and web software are exploited to get administrator-level access to the contents and structure of a database.
The page containing the Yahoo Voice addresses has all the details of the structure of the database that holds the details, as well as the usernames and passwords.
The Yahoo Voice hack has been claimed by a group or individual calling themselves “the D33Ds Company”.