The intruders recently published the details of more than 450,000 Yahoo customers in what they called a wake-up call for the company. Press reports confirm that Yahoo, for some reason, chose to store hundreds of thousands of login credentials in plain text.

According to the intruders, they used a union-based SQL injection technique to get into the Yahoo subdomain. They also left a comment at the bottom of the published data saying that the parties responsible for managing the security of this subdomain should take this as a “wake-up call” rather than a threat. If this isn’t a threat, then what is?

The hackers claimed that many security holes have been exploited in web servers belonging to Yahoo! Inc., causing far greater damage than the disclosure in question. They strongly advised against taking them lightly, explaining that they didn’t publish the subdomain or the vulnerable parameters in order to avoid further damage.

The targeted subdomain belonged to Yahoo Voices, previously known as Associated Content. The information may have been sitting on an ancient Associated Content server that wasn’t upgraded when Yahoo acquired the company.

Meanwhile, password security is considered a “bit of a cause” right now, as the high-profile password thefts at LinkedIn, eHarmony, and Last.fm show. For instance, a couple of days ago, Formspring announced that it had to disable the passwords of its entire user base after discovering that 420,000 hashed passwords, apparently from the question-and-answer website, had been posted to a security forum.