Science and techno world topic: Internet
SAN FRANCISCO — Another month, another major security
breach.
Yahoo confirmed Thursday that about 400,000 user names
and passwords to Yahoo and other companies were stolen on Wednesday.
A group of hackers, known as the D33D Company, posted
online the user names and passwords for what appeared to be 453,492 accounts
belonging to Yahoo, and also Gmail, AOL, Hotmail, Comcast, MSN, SBC Global,
Verizon, BellSouth and Live.com users.
The hackers wrote a brief footnote to the data dump,
which has since been taken offline: “We hope that the parties responsible for
managing the security of this subdomain will take this as a wake-up call, and
not as a threat.”
The breach comes just one month after millions of user
passwords for LinkedIn, the online social network for professionals, were
exposed by hackers who breached its systems. The breaches highlight the ease
with which hackers are able to infiltrate systems, even at some of the most
widely used and sophisticated technology companies.
Marcus Carey, a researcher at Rapid7, a security company,
found that among the data were some 106,000 Gmail e-mail addresses, 55,000
Hotmail e-mail addresses and 25,000 AOL e-mail addresses. Those e-mail accounts
were not hacked; instead, people had used their e-mail addresses as user names for
a Yahoo service.
Sucuri, a company that checks for malware, set up a Web
site, labs.sucuri.net/?yahooleak, that lets concerned users check if their
account details were compromised in the breach.
Dana Lengkeek, a spokeswoman for Yahoo, said the
compromised accounts belonged to Yahoo’s Contributor Network, and that fewer
than 5 percent of the passwords posted were still valid.
Chris Gaither, a spokesman for Google, said Google
immediately reset passwords for vulnerable Gmail accounts.
The hackers claimed to have stolen the passwords using a
hacking technique called an SQL injection, which exploits a software
vulnerability.
“We are fixing the vulnerability that led to the
disclosure of this data, changing the passwords of the affected Yahoo users and
notifying companies whose user accounts may have been compromised,” Ms.
Lengkeek said in the statement.
Mr. Carey said it was unclear whether Yahoo’s breach had
been contained and noted that hackers could still be inside its systems.
Computer security experts recommended that Yahoo users
consider changing their passwords to other sites, as hackers tend to test those
passwords across multiple sites.
They were quick to chastise Yahoo for allowing hackers
such an easy way into its systems. “Why haven’t organizations like Yahoo got it
yet? SQL injection is a known attack,” said Mark Bower, a vice president at
Voltage Security. “If what is stated is true, it’s utter negligence to store
passwords in the clear.”
Source: Nytimes