450,000 email addresses and plain-text passwords in circulation
A list of over 450,000 email addresses and plain-text passwords, apparently from users of a Yahoo! service, is in circulation on the internet. According to security expert and former hacker Kevin Mitnick, the passwords belong to the little-known VoIP service, Yahoo! Voice.
The information is contained in a 17MB text file and has been released by a group of hackers calling themselves the D33DS Company. Access to the original information is said to have been achieved by exploiting an SQL injection vulnerability, in which inadequately filtered parameters passed through the web front end are used to access the database.
It is unclear whether the passwords were originally stored as plain text in the database or whether the hackers had already cracked hashed passwords to produce the file. The latter would mean that the 450,000 records are just those for which the hackers were able to recover the plain-text equivalent of the hashed password, which in turn would mean that the actual extent of the stolen data could be even higher. Yahoo! has yet to answer requests for comment.