2012 Yahoo! Voices hack

Last updated
2012 Yahoo! Voices hack
DateJuly 12, 2012 (2012-07-12)
Cause Hack
SuspectsD33ds

Yahoo! Voices, formerly Associated Content, was hacked in July 2012. The hack is supposed to have leaked approximately half a million email addresses and passwords associated with Yahoo! Contributor Network. [1] The suspected hacker group, D33ds, used a method of SQL Injection to penetrate Yahoo! Voice servers. Security experts said that the passwords were not encrypted and the website did not use a HTTPS Protocol, which was one of the major reasons of the data breach. [2] The email addresses and passwords are still available to download in a plaintext file on the hacker's website. The hacker group described the hack as a "wake-up call" for Yahoo! security experts. [3] Joseph Bonneau, a security researcher and a former product analysis manager at Yahoo, said "Yahoo can fairly be criticized in this case for not integrating the Associated Content accounts more quickly into the general Yahoo login system, for which I can tell you that password protection is much stronger." [4]

Contents

Reaction by communities and users

D33DS, the suspected hacker group, said that the hack was a "wake-up call". They said that it was not a threat to Yahoo!, Inc. The IT Security firm TrustedSec.net said that the passwords contained a number of email addresses from Gmail, AOL, Yahoo, and more such websites. [5]

Response from Yahoo

Immediately after the hack, Yahoo!, in a written statement, apologized for the breach. Yahoo! did not disclose how many passwords were valid after the hack, because they said that every minute, 1–3 passwords are changed on their site. [6] Yahoo! said that only 5% of its passwords were stolen during the hack. [7] The hackers' website, d33ds.co, was not available later on Thursday, after the hack. [8] Yahoo! said in a written statement that it takes security very seriously and is working together to fix the vulnerability in its site. Yahoo! said that it was in the process of changing the passwords of the hacked accounts and notifying other companies of the hack. [4] [9]

Controversy

A simple matter had sparked a controversy over Yahoo!. The controversy was sparked because of Yahoo!'s silence about the data breach. After the servers were hacked, Yahoo! did not mail the affected victims, although it was promised earlier. There was no site-wide notifications about the hack, nor did any victim get any type of personal messages detailing how to reset their account passwords from Yahoo. [10]

Related Research Articles

<span class="mw-page-title-main">Yahoo! Mail</span> American email service

Yahoo! Mail is an email service offered by the American company Yahoo, Inc. The service is free for personal use, with an optional monthly fee for additional features. Business email was previously available with the Yahoo! Small Business brand, before it transitioned to Verizon Small Business Essentials in early 2022. Launched on October 8, 1998, as of January 2020, Yahoo! Mail has 225 million users.

The following tables compare general and technical information for a number of notable webmail providers who offer a web interface in English.

<span class="mw-page-title-main">Data breach</span> Intentional or unintentional release of secure information

A data breach is a security violation, in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen, altered or used by an individual unauthorized to do so. Other terms are unintentional information disclosure, data leak, information leakage and data spill. Incidents range from concerted attacks by individuals who hack for personal gain or malice, organized crime, political activists or national governments, to poorly configured system security or careless disposal of used computer equipment or data storage media. Leaked information can range from matters compromising national security, to information on actions which a government or official considers embarrassing and wants to conceal. A deliberate data breach by a person privy to the information, typically for political purposes, is more often described as a "leak".

RockYou was a company that developed widgets for MySpace and implemented applications for various social networks and Facebook. Since 2014, it has engaged primarily in the purchases of rights to classic video games; it incorporates in-game ads and re-distributes the games.

<span class="mw-page-title-main">Operation AntiSec</span> Series of cyberattacks conducted by Anonymous and LulzSec

Operation Anti-Security, also referred to as Operation AntiSec or #AntiSec, is a series of hacking attacks performed by members of the hacking group LulzSec and Anonymous, and others inspired by the announcement of the operation. LulzSec performed the earliest attacks of the operation, with the first against the Serious Organised Crime Agency on 20 June 2011. Soon after, the group released information taken from the servers of the Arizona Department of Public Safety; Anonymous would later release information from the same agency two more times. An offshoot of the group calling themselves LulzSecBrazil launched attacks on numerous websites belonging to the Government of Brazil and the energy company Petrobras. LulzSec claimed to retire as a group, but on 18 July they reconvened to hack into the websites of British newspapers The Sun and The Times, posting a fake news story of the death of the publication's owner Rupert Murdoch.

EmailTray is a lightweight email client for the Microsoft Windows operating system. EmailTray was developed by Internet Promotion Agency S.A., a software development d.

<span class="mw-page-title-main">Email hacking</span> Unauthorized access to, or manipulation of, an email account or email correspondence

Email hacking is the unauthorized access to, or manipulation of, an account or email correspondence.

The 2012 LinkedIn hack refers to the computer hacking of LinkedIn on June 5, 2012. Passwords for nearly 6.5 million user accounts were stolen. Yevgeniy Nikulin was convicted of the crime and sentenced to 88 months in prison.

Marcel-Lehel Lazăr, known as Guccifer, is a Romanian hacker responsible for high-level computer security breaches in the U.S. and Romania. Lehel targeted celebrities, Romanian and U.S. government officials, and other prominent persons.

In July 2015, an unknown person or group calling itself "The Impact Team" announced they had stolen the user data of Ashley Madison, a commercial website billed as enabling extramarital affairs. The hacker(s) copied personal information about the site's user base and threatened to release users' names and personally identifying information if Ashley Madison would not immediately shut down. As evidence of the seriousness of the threat, the personal information about more than 2,500 users was initially released. The company initially denied that their records were insecure, and continued to operate.

<span class="mw-page-title-main">Have I Been Pwned?</span> Consumer security website and email alert system

Have I Been Pwned? is a website that allows Internet users to check whether their personal data has been compromised by data breaches. The service collects and analyzes hundreds of database dumps and pastes containing information about billions of leaked accounts, and allows users to search for their own information by entering their username or email address. Users can also sign up to be notified if their email address appears in future dumps. The site has been widely touted as a valuable resource for Internet users wishing to protect their own security and privacy. Have I Been Pwned? was created by security expert Troy Hunt on 4 December 2013.

Alex Holden is the owner of Hold Security, a computer security firm. As of 2015, the firm employs 16 people.

Credential stuffing is a type of cyberattack in which the attacker collects stolen account credentials, typically consisting of lists of usernames or email addresses and the corresponding passwords, and then uses the credentials to gain unauthorized access to user accounts on other systems through large-scale automated login requests directed against a web application. Unlike credential cracking, credential stuffing attacks do not attempt to use brute force or guess any passwords – the attacker simply automates the logins for a large number of previously discovered credential pairs using standard web automation tools such as Selenium, cURL, PhantomJS or tools designed specifically for these types of attacks, such as Sentry MBA, SNIPR, STORM, Blackbullet and Openbullet.

The Internet service company Yahoo! was subjected to the largest data breach on record. Two major data breaches of user account data to hackers were revealed during the second half of 2016. The first announced breach, reported in September 2016, had occurred sometime in late 2014, and affected over 500 million Yahoo! user accounts. A separate data breach, occurring earlier around August 2013, was reported in December 2016. Initially believed to have affected over 1 billion user accounts, Yahoo! later affirmed in October 2017 that all 3 billion of its user accounts were impacted. Both breaches are considered the largest discovered in the history of the Internet. Specific details of material taken include names, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and hashed passwords. Further, Yahoo! reported that the late 2014 breach likely used manufactured web cookies to falsify login credentials, allowing hackers to gain access to any account without a password.

Yandex Mail is a Russian free email service developed by Yandex. It was launched on 26 June 2000, and is one of the three largest email services in Runet. The service uses automatic spam filtering, checks for viruses using antivirus software from Dr.Web, and an email translator.

ShinyHunters is a criminal black-hat hacker group that is believed to have formed in 2020 and is said to have been involved in numerous data breaches. The stolen information is often sold on the dark web.

<span class="mw-page-title-main">2021 Epik data breach</span> Cybersecurity incident

The Epik data breach occurred in September and October 2021, targeting the American domain registrar and web hosting company Epik. The breach exposed a wide range of information including personal information of customers, domain history and purchase records, credit card information, internal company emails, and records from the company's WHOIS privacy service. More than 15 million unique email addresses were exposed, belonging to customers and to non-customers whose information had been scraped. The attackers responsible for the breach identified themselves as members of the hacktivist collective Anonymous. The attackers released an initial 180 gigabyte dataset on September 13, 2021, though the data appeared to have been exfiltrated in late February of the same year. A second release, this time containing bootable disk images, was made on September 29. A third release on October 4 reportedly contained more bootable disk images and documents belonging to the Texas Republican Party, a customer of Epik's.

References

  1. "Yahoo hack steals 400,000 passwords. Is yours on the list?". Christian Science Monitor. Retrieved July 29, 2012.
  2. "Yahoo! Voice fails security 101 as 443,000 passwords are exposed". CNNMoney.com. July 12, 2012. Retrieved July 29, 2012.
  3. The Yahoo! Hack: How to find if you're affected? Publisher: Tapscape.com
  4. 1 2 "Yahoo! fails security 101 as 443,000 passwords are leaked". CNN Money. July 12, 2012. Retrieved July 29, 2012.
  5. "Yahoo Password hack 2012:Breach details". LatinsPost. Retrieved July 29, 2012.
  6. Smith, Catharine (July 12, 2012). "Yahoo! Voice hack puts Gmail, AOL, Lycos into trouble". Huffingtonpost.com. Retrieved July 29, 2012.
  7. "Yahoo hacks leaks 4.5 lakhs of passwords". Business Today . Retrieved July 29, 2012.
  8. "Yahoo! Voice hacked: 4.5 lakh passwords in the net". IBNLive.com. Archived from the original on July 15, 2012. Retrieved July 29, 2012.
  9. "Yahoo Voices is latest to be hacked with 450,000 accounts stolen". Webpronews.com. Retrieved July 29, 2012.
  10. "Yahoo! fails to notify 453k+ of affected victims". Niuzer.com. Archived from the original on 4 March 2016. Retrieved 29 July 2012.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.