Yahoo password breach extends to Gmail, Hotmail

More than 400,000 Yahoo Inc user names and passwords were stolen and
published on the Web, putting other websites at risk as well, after
hackers exploited a vulnerability in Yahoo’s computer systems.

Some
logins for Google Inc, AOL Inc and Microsoft Corp services were among
those compromised. The three companies said they required affected users
to reset passwords for sites including Gmail, AOL, Hotmail, MSN and
Live.com.

Yahoo issued a statement apologizing for the breach, the
latest setback for a company that has lost two chief executives in a
year and is struggling to revive stalled revenue growth.

Chairman
Alfred Amoroso acknowledged that Yahoo had experienced a “tumultuous”
year at its annual shareholder meeting on Thursday morning. Interim CEO
Ross Levinsohn told attendees he was optimistic about the company’s
progress.

The breach prompted criticism from security experts who
said that a major Internet firm like Yahoo should do a better job at
protecting user data.

“This points to some very lax security
practices,” said Rob D’Ovidio, associate professor of criminal justice
at Drexel University.

As an example, he noted that the hackers
were able to produce more than 400,000 cleartext passwords within a day.
That indicates that Yahoo either did not encrypt them at all or used an
encryption method that was easy to crack, he said.

The
professional networking service LinkedIn recently came under similar
criticism. Security experts chided the company for failing to use
sophisticated encryption practices to secure its passwords, millions of
which were released following a breach last month.

What happened?
Yahoo
spokeswoman Dana Lengkeek said “an older file” had been stolen from
Yahoo Contributor Network, an Internet publishing service that Yahoo
purchased about two years ago. It helps writers, photographers and
videographers to sell their work over the Web.

“We are fixing the
vulnerability that led to the disclosure of this data, changing the
passwords of the affected Yahoo! users and notifying the companies whose
users’ accounts may have been compromised,” she said.

AOL said
the Yahoo data published on the Web included valid passwords for 1,699
accounts. Microsoft and Google declined to provide similar numbers.

Other
firms whose customers were at risk include Comcast Corp, Verizon
Communications Inc and ATT, Rapid7 researcher Marcus Carey said. He
estimated that tens of thousands of accounts of users of services other
than Yahoo were affected by the breach.

ATT and Verizon did not have any immediate comment. Officials with Comcast could not be reached.

AOL
Senior Vice President David Temkin said spammers typically use
credentials like the ones stolen from Yahoo to break into email accounts
and use them to send out spam.

“In this case, I think we actually
got ahead of it before the people who stole those accounts were able to
use them,” Temkin said.

The five most popular passwords in the
group were “123456”, “password”, “welcome” and “ninja”, according to an
analysis by anti-virus software maker ESET.

Copyright Thomson Reuters 2012