Yahoo has confirmed reports that some 400,000 of its user passwords were stolen in a security breach.
An attacker breached company systems July 11 and lifted the data from archived information related to the Yahoo Contributor Network, Yahoo confirmed in a statement. The company said that the information included account information from Yahoo and other services.
Earlier in the day, a group of hackers posted the stolen credentials online, claiming that they weren't looking to encourage account theft, but rather alert Yahoo and other web application providers to the risks of bad security practices.
While the information covers hundreds of thousands of users, the company contends that only a small number of the lifted passwords will actually work as log-in credentials.
"Of these, less than 5 percent of the Yahoo accounts had valid passwords," the company said. "We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users and notifying the companies whose users' accounts may have been compromised."
The company is advising all of its users to adopt best practices for choosing and maintaining their login credentials.
This hacking goes beyond Yahoo, however, according to The New York Times:
Security researchers at Rapid7, a security company, analyzed the dumped account information and found that it included account information not just for Yahoo users but for Gmail, AOL, Hotmail, Comcast, MSN, SBC Global, Verizon, BellSouth and Live.com users. Marcus Carey, a researcher at Rapid7, found that among the data were some 106,000 Gmail accounts, 55,000 Hotmail accounts and 25,000 AOL accounts.
Security vendors were quick to point to the incident as a call for enterprises to adopt tighter protections on their databases and employ additional management tools.
Slavik Markovich, chief technology officer for McAfee's database security division, said that the breach shows the need for companies to keep a close eye on even their old and seldom-accessed data.
"It is often the case that obvious database vulnerabilities, such as weak passwords and default configuration settings, are initially overlooked and never fully remediated," Markovich said. "An organization's sensitive information can never be adequately secured if it lacks dedicated tools and processes to gain complete visibility into their databases' security weaknesses and eliminate the opportunity for the bad guys to exploit them."
Mark Bower, vice president with Voltage Security, said the Yahoo breach reflected a need for companies to place tighter controls on how user credentials are stored and protected.
"This breach just goes to show that even big companies aren’t taking enough steps to protect critical data, and in the UK it’s an obligation under the ICO and EU Data Privacy directive to do so," Bower said. "If data is not protected, it is going to be breached at some point."
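Bower's point about how credentials are stored is the one concrete control a defender can act on from this story. The example below is added here and is not code from Yahoo, Voltage Security or the article; it shows one standard way to keep a password table that stays useless if it is dumped: each password is run through PBKDF2-HMAC-SHA256 with a per-user random salt and a configurable work factor, verification uses a constant-time comparison, and records made under an older, weaker work factor are upgraded the next time that user logs in. The record format (`pbkdf2_sha256$iterations$salt$hash`), the iteration count and the sample user store are assumptions chosen for illustration.

```python
"""Salted, slow password hashing for a credential store (added example, not from the article)."""
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Illustrative default; tune it so one
# verification costs tens of milliseconds on the real server hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
DIGEST_BYTES = 32
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt per user means two users with the same password get
    different records, so a stolen table cannot be cracked with one shared lookup.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DIGEST_BYTES
    )
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False  # malformed or unknown record: never accept
    _, iterations, salt_hex, hash_hex = parts
    try:
        candidate = hashlib.pbkdf2_hmac(
            "sha256",
            password.encode("utf-8"),
            bytes.fromhex(salt_hex),
            int(iterations),
            dklen=DIGEST_BYTES,
        )
        return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))
    except ValueError:
        return False  # non-hex salt/hash or non-integer iteration count


def needs_rehash(record: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when the record was made under a weaker work factor than current policy."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


def login(store: dict, username: str, password: str) -> bool:
    """Check a login against the store; on success, silently upgrade a weak record."""
    record = store.get(username)
    if record is None:
        # Spend the same work for unknown users so response time does not
        # reveal which usernames exist.
        hash_password(password)
        return False
    if not verify_password(password, record):
        return False
    if needs_rehash(record):
        store[username] = hash_password(password)  # we hold the cleartext only right now
    return True


if __name__ == "__main__":
    # Constructed sample store: one record made under an old, weaker work factor.
    store = {
        "alice": hash_password("correct horse battery staple"),
        "bob": hash_password("hunter2", iterations=10_000),
    }
    print("alice ok:", login(store, "alice", "correct horse battery staple"))
    print("bob ok (record upgraded):", login(store, "bob", "hunter2"),
          "now current:", not needs_rehash(store["bob"]))
    print("wrong password:", login(store, "alice", "Correct horse battery staple"))
    print("unknown user:", login(store, "carol", "anything"))
```

Note that the record carries its own iteration count, so the work factor can be raised later without invalidating existing users; `login` re-hashes such records at the only moment the cleartext is legitimately available.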