New York, NY – July 12, 2012. Identity Finder has analyzed hundreds of thousands of usernames/email addresses and passwords reportedly belonging to a yahoo.com service, which some speculate to be Yahoo Voice. The hackers claim the information was stolen using a "Union-based SQL Injection Attack." SQL injection is a web application vulnerability in which input the attacker controls (a form field, URL parameter, or cookie) is pasted into a database query as text instead of being passed as a bound parameter, so the attacker can change what the query does. In a union-based attack the injected text appends a UNION SELECT clause, so rows from tables the page was never meant to show, such as a table of user credentials, are returned alongside the page's normal results. Without proper protections, a website may expose its database structure and its users' data.
The hack was announced Thursday, July 12, 2012 on Twitter, with links to a pastebin.com dump containing more than 2,700 database and column names, and 298 MySQL variables. Publishing an internal database structure poses a long-term risk for the breached company: later attackers can target known table and column names directly instead of having to enumerate them, and the server variables disclose configuration details that help tailor further attacks.
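The following is an added example, not code from Identity Finder, Yahoo, or the attackers, showing how the union-based injection described above pulls credential rows and schema information through a query that was only meant to look up one record, and how parameter binding plus type validation stops it. The schema, table names, rows, and the payload strings are constructed for illustration; SQLite stands in for MySQL (where the schema payload would read from information_schema.tables instead of sqlite_master).

```python
import sqlite3

# Constructed stand-in schema: a table the page is meant to query (articles)
# and one it is not (users). Plaintext passwords are stored here deliberately
# to mirror the finding in the text, not as a recommendation.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                     [(1, "Welcome", "First post"), (2, "Update", "Second post")])
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice@example.com", "hunter2"), (2, "bob@example.com", "letmein")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, article_id):
    """The request parameter is pasted into the SQL text, so it can rewrite the statement."""
    sql = "SELECT id, title, body FROM articles WHERE id = " + article_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, article_id):
    """Validate the type, then bind the value; a bound parameter is never parsed as SQL."""
    try:
        wanted = int(article_id)
    except ValueError:
        return []  # not an article id: reject rather than interpolate
    return conn.execute(
        "SELECT id, title, body FROM articles WHERE id = ?", (wanted,)
    ).fetchall()


# Union-based payloads (hypothetical). The injected SELECT must return the same
# number of columns as the original query; its rows are then appended to the
# legitimate result set and rendered wherever the page shows title/body.
CREDENTIAL_PAYLOAD = "1 UNION SELECT id, email, password FROM users"
SCHEMA_PAYLOAD = "1 UNION SELECT rowid, name, sql FROM sqlite_master WHERE type = 'table'"


def union_rows(conn, payload):
    """Return the (title, body) pairs the vulnerable lookup hands back for a payload."""
    return {(row[1], row[2]) for row in lookup_vulnerable(conn, payload)}


if __name__ == "__main__":
    db = make_db()
    print("leaked via UNION:", union_rows(db, CREDENTIAL_PAYLOAD))
    print("schema via UNION:", union_rows(db, SCHEMA_PAYLOAD))
    print("same payload, bound query:", lookup_safe(db, CREDENTIAL_PAYLOAD))
```

The credential payload drops user email/password pairs into the page's title and body columns; the schema payload returns every CREATE TABLE statement, which is the kind of table and column listing the pastebin dump contained. Binding alone would already defeat both, since the driver sends the value separately from the query text; the int() check on top rejects the input before it reaches the database at all.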
A mirror of the text file, posted on the download site MediaFire.com, also contained more than 450,000 usernames and passwords. Identity Finder found no evidence that passwords, social security numbers, student IDs, or contact information were encrypted or hashed.
Identity Finder found the following information in the data, using the Identity Finder software:
- 453,479 clear-text usernames, of which at least 433,278 are email addresses. Of those:
  - 137,559 (32.7%) are yahoo.com accounts
  - 106,873 (25.4%) are gmail.com accounts
  - 55,148 (13.1%) are hotmail.com accounts
  - 25,521 (6.1%) are aol.com accounts
  - 8,536 (2.0%) are comcast.net accounts
  - 6,395 (1.5%) are msn.com accounts
- 442,836 clear-text passwords
Identity Finder's Chief Privacy Officer, Aaron Titus explained, "Many people use the same username and password in multiple accounts. Even after Yahoo resets its users' passwords, individuals who use the same username/password combination on other sites are at risk of fraud or account hijacking." Titus further warned, "Individuals affected by this breach should be on the lookout for phishing scams purporting to be from Yahoo. A typical phishing scam may warn a user about a security breach and then point them to a legitimate-looking website, and ask users to 'authenticate' themselves with a username, password, and other sensitive information like a credit card number."
[Two word clouds appeared here: one summarizing the most popular passwords, the other the most popular email address domains.]
Identity Finder's data discovery and protection software gives companies the ability to find sensitive information and prevent data leakage. The company has quickly grown to become a leader in identity protection and Data Loss Prevention (DLP) by helping millions of consumers, small businesses, and enterprises across the world. You may download the free version of Identity Finder DLP Software here: http://identityfinder.com/free