2012 Yahoo Voices hack

2012 Yahoo! Voices hack
Date: July 11, 2012
Location: Yahoo! servers
Also known as: Yahoo Voice hack
Cause: SQL injection attack
First reporter: TrustedSec
Outcome: 450,000 usernames and passwords leaked
Suspects: D33Ds Company (hacking group)
Website: Yahoo! Voices
Passwords were stored unencrypted

In July 2012, Yahoo Voice, a user-generated content platform owned by Yahoo, suffered a major data breach. On July 11, 2012, a hacking group calling itself "D33DS Company" posted a file online containing approximately 450,000 login credentials and passwords from Yahoo Voice users. The data was obtained through a SQL injection attack that exploited vulnerabilities in Yahoo's database servers. [1] [2] [3] [4]


The Breach

The Yahoo Voices breach occurred on July 12, 2012, when a hacking group calling themselves "D33DS Company" used a union-based SQL injection attack to gain unauthorized access to Yahoo's servers. [5] The attackers were able to extract and publish unencrypted account details, including emails and passwords, for approximately 450,000 user accounts belonging to the Yahoo Voices service. [6]

The compromised passwords were stored in plaintext, without any encryption or hashing protection. [6] This security oversight allowed the attackers to immediately access and publish the raw passwords without needing to crack them, significantly increasing the potential for immediate misuse of the stolen credentials. [5]
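The two weaknesses described above (a query open to a union-based injection, and passwords kept in plaintext) are shown here next to their hardened forms. This is an added example, not code from Yahoo or from the cited sources; the schema, table names, sample account and the choice of PBKDF2 with this iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # PBKDF2 work factor (assumed value for this example)

def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash; only this and the salt are stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_db() -> sqlite3.Connection:
    """Constructed sample data: one article, one account stored two ways."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (title TEXT);
        CREATE TABLE users_plain (email TEXT, password TEXT);
        CREATE TABLE users_hashed (email TEXT, salt BLOB, pw_hash BLOB);
        INSERT INTO articles VALUES ('Gardening tips');
        INSERT INTO users_plain VALUES ('alice@example.com', 'correct horse');
    """)
    salt = os.urandom(16)
    db.execute("INSERT INTO users_hashed VALUES (?, ?, ?)",
               ("alice@example.com", salt, hash_password("correct horse", salt)))
    return db

def search_vulnerable(db, term: str) -> list:
    """Before: input is concatenated into the SQL text, so it can add a UNION."""
    sql = f"SELECT title FROM articles WHERE title LIKE '%{term}%'"
    return [row[0] for row in db.execute(sql)]

def search_safe(db, term: str) -> list:
    """After: input is bound as a parameter and is only ever compared as data."""
    sql = "SELECT title FROM articles WHERE title LIKE ?"
    return [row[0] for row in db.execute(sql, (f"%{term}%",))]

def verify_password(db, email: str, candidate: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    row = db.execute("SELECT salt, pw_hash FROM users_hashed WHERE email = ?",
                     (email,)).fetchone()
    return row is not None and hmac.compare_digest(
        row[1], hash_password(candidate, row[0]))

UNION_INPUT = "' UNION SELECT password FROM users_plain --"  # constructed test input

if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, UNION_INPUT))  # titles plus the plaintext password
    print(search_safe(db, UNION_INPUT))        # no rows: the input matched no title
```

With the hashed table, a dumped row holds only a random salt and a derived hash, so the login check still works but the stored value cannot be replayed directly against other services.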

D33DS Company announced the leak via a Twitter post, which has since been removed. [6] The hackers also prefaced their password dump with a statement detailing their use of a union-based SQL injection attack to obtain the data. [6] The full dump file containing the compromised user information was made available for download via BitTorrent, allowing for widespread distribution and potential misuse of the stolen credentials. [6]

The breach compromised approximately 450,000 user accounts, and the leaked data included usernames and passwords in plaintext. The attack specifically targeted Yahoo Voice, formerly known as Associated Content, which Yahoo had acquired in May 2010 for $100 million (£64.5 million). Using SQL injection techniques, the hackers were able to extract the data from Yahoo's servers and subsequently post the compromised information publicly online. [1] [2] [3] [4]

Yahoo confirmed the breach, stating that "an older file from Yahoo Contributor Network... containing approximately 450,000 Yahoo and other company users' names and passwords was compromised." The company also noted that less than 5% of the Yahoo accounts had valid passwords. [3] According to US security firm Trustedsec, the compromised passwords were associated with a variety of email addresses including those from yahoo.com, gmail.com, and aol.com. [3] [4]

The last entries in the data dump appeared to be linked to IDs created in 2006, suggesting that the compromised database might have been an older one no longer in active use. [4] At the time of the breach, Yahoo claimed to have more than 600,000 contributors to its Voice platform. [4]

Security experts suggested that the most alarming aspect of the attack was that the passwords for the accounts were stored unencrypted. This meant that any hacker could potentially use the stolen email addresses and passwords to access other services, including Yahoo Mail, putting far more accounts at risk than just those directly affected by the Voice breach. [4]

In a statement accompanying the data dump, the hackers said: "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat." They also noted that other security holes had led to previous disclosures and urged Yahoo not to take the vulnerabilities lightly. [1] The breach highlighted significant security flaws in Yahoo's systems, particularly the storage of passwords in plaintext rather than using encryption. This incident came shortly after other major data breaches at companies like LinkedIn, as well as similar attacks on Android Forums and Formspring, raising broader concerns about online security practices at the time. [1] [4]

Response

In response to the breach, Yahoo stated they were "taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users and notifying the companies whose users accounts may have been compromised." [3] The company faced criticism for its security practices and failure to adequately protect user data. This breach was one of several major security incidents Yahoo would face in the coming years, culminating in the disclosure of even larger breaches affecting billions of accounts in 2016. [2]

Yahoo! said in a written statement that it took security very seriously and was working to fix the vulnerability in its site. Yahoo! said that it was in the process of changing the passwords of the hacked accounts and notifying other companies of the hack. [7] [8]

Controversy

There were no site-wide notifications about the hack, nor did any victim receive any kind of personal message from Yahoo detailing how to reset their account password. [9] Joseph Bonneau, a security researcher and a former product analysis manager at Yahoo, said "Yahoo can fairly be criticized in this case for not integrating the Associated Content accounts more quickly into the general Yahoo login system, for which I can tell you that password protection is much stronger." [7]

References

  1. Warren, Tom (2012-07-12). "Yahoo Voice website reportedly hacked, over 400,000 usernames and passwords made public". The Verge. Retrieved 2024-10-02.
  2. Condliffe, Jamie (2016-12-15). "A History of Yahoo Hacks". MIT Technology Review. Retrieved 2024-10-02.
  3. "Yahoo investigating exposure of 400,000 passwords". BBC News. 2012-07-12. Retrieved 2024-10-02.
  4. Arthur, Charles (2012-07-12). "Yahoo Voice hack leaks 450,000 passwords". The Guardian. Retrieved 2024-10-02.
  5. Bisht, Prabhat; Rauthan, Manmohan Singh; Bisht, Raj Kishore (September 2019). "Component Based Web Application Firewall for Analyzing and Defending SQL Injection Attack Vectors". International Journal of Recent Technology and Engineering. 8 (3): 4183–4190.
  6. Mirante, Dennis; Cappos, Justin (2013-09-13). Understanding Password Database Compromises (Technical report). Polytechnic Institute of NYU.
  7. "Yahoo! fails security 101 as 443,000 passwords are leaked". CNN Money. July 12, 2012. Retrieved July 29, 2012.
  8. "Yahoo Voices is latest to be hacked with 450,000 accounts stolen". Webpronews.com. Retrieved July 29, 2012.
  9. "Yahoo! fails to notify 453k+ of affected victims". Niuzer.com. Archived from the original on 4 March 2016. Retrieved 29 July 2012.