Yahoo User Details Exposed by Massive SQL Hack

Dennis Faas's picture

Hackers have posted a list of some 453,000 Yahoo user names and their passwords. Although those responsible say they are merely trying to highlight weak security, observers say that some users could indeed be at risk.

The log-in details that were stolen appear to come from Yahoo Voices, a site that is set up so users can post their own blogs and articles. Some of these posts earn their authors a small up-front payment, while those that attract a lot of visitors can earn the writer significant bonus payments.

The hackers apparently gained access to the site's log-in database by means of a technique known as an "SQL injection attack."

SQL (Structured Query Language) is a programming language optimized for use with databases. In this case, the compromised database happened to contain security details of Yahoo user accounts.

Database Security Flaw to Blame

Carrying out such an attack involves creating special code that appears to be a genuine query of the database. However, it is actually designed to fool the system into granting an unauthorized level of access.

SQL injection attacks usually take advantage of a specific security loophole in the way a particular database has been set up.

Yahoo admits that about 600,000 people are registered on the hacked site. That means about three-quarters of all the users there have had their security information stolen by the hackers.

However, observers suggest that many of those who have signed up for that site do not regularly access it. (Source:

The good news is that the newest user accounts, as listed in the stolen details already published by the hackers, appear to have been created in 2006. If that turns out to be true, many of the security details may now be out of date.

The bad news is that the database contained the users' passwords in plain text, rather than in encrypted form. As a result, anyone who sees the stolen data can immediately begin using them, if they wish. (Source:

Yahoo Voices Accounts Exposed

There are two main risks stemming from the publication of this stolen data.

One potential problem is that people could use the published information to try to hijack an account and withdraw any remaining balance of money that a Yahoo Voices writer has earned.

Fortunately, observers say that most accounts probably contain low balances, so that such a tactic would not be worthwhile.

The bigger problem is that fraudsters might use the list of stolen data to attempt to access the victims' accounts on other sites. This might work, because at least some of the victims probably use the same log-in details for their accounts on multiple web pages.

That is a big reason why security experts recommend using different passwords for different sites.

While this isn't always practical, it's a good idea to have a different password, if not a different log-in name, for each site that contains any of your sensitive information.

Rate this article: 
No votes yet