Yahoo Voices has been hacked. More than 400,000 accounts have been exposed, according to TrustedSec. The firm reports that clear-text passwords were posted online.
"The most alarming part to the entire story was the fact that the passwords were stored completely unencrypted and the full 400,000-plus usernames and passwords are now public," the firm said. "The method for the compromise was apparently an SQL Injection attack to extract the sensitive information from the database."
A hacker group named D33DS Company posted the e-mails and passwords online. Security firm Sophos said in a company blog post that it hoped the parties responsible for managing the security of the subdomain would take it as a wake-up call rather than a threat.
Yahoo confirmed the breach, which occurred on July 11 from what it called an "older file" on the Yahoo Contributor Network, and apologized to its consumers. Yahoo Voices allows users to post their own text, photos and video as stories for others to see.
"Of these, less than 5 percent of the Yahoo! accounts had valid passwords," Yahoo said in a published statement. "We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised."
We caught up with Anna Branding, a security analyst for Sophos, to get her take on the Yahoo breach. Sophos has reported several similar breaches over the past few weeks, including at Last.fm, LinkedIn and eHarmony.
"It's really about the bad guys targeting sites and services which are commonly used," Branding told us. "Hackers follow people, so by their very nature social applications are prime targets. There's little point in targeting services with very few users."
What can Yahoo and the rest learn about security in the wake of these breaches -- or, perhaps more pointed, what should they learn? Branding said you can never be sure something is 100 percent secure, with hackers constantly finding new ways to access information.
"Organizations must ensure their systems and software are as secure as possible by encrypting the data stored on them -- so even if an attacker manages to gain access, the data they steal will be of little use to them," Branding said. "We're not talking just the obvious data such as usernames, passwords and credit card details, even innocuous information such as e-mail addresses should be stored securely."
Branding said security should be a consideration from Day One of a project. Attempting to retrospectively secure a poorly designed application or system is always going to be more difficult. In some of these cases, she said, the organizations affected have been slower to react than one would hope. Anyone can become a victim of an attack, she concluded, but it's important to inform customers as soon as possible so they take action.
We asked Fred Touchette, senior security analyst at AppRiver, how consumers can protect themselves. He told us the first step is to create a strong password.
"Even though it's nearly impossible to make anything 100 percent secure," Touchette said, "by utilizing multi-layered security practices, beginning with your password, you will make it much harder for anyone to get a hold of your private data and information."