435,000 Yahoo usernames and passwords hacked (probably from Yahoo acquisition Associated Content)

Update: Yahoo! has confirmed the breach — see their statement below. Check here for information on how to know if your username/password were compromised.

Hacking collective “D33Ds Company” has posted 435,000 sets of usernames and passwords from a Yahoo service, ArsTechnica is reporting. The login credentials are in plaintext and can be stolen or used by anyone.

Confusingly, security company TrustedSec says the affected service is Yahoo! Voice, which they identify as formerly Associated Content. However, there are two Yahoo services with similar names: Yahoo Voice, a telephony product, and Yahoo Voices, the user-generated content service.

In checking the usernames, I was able to ascertain it is actually Yahoo! Voices that was affected.

That’s significant, because 435,000 is similar enough to the 600,000 users Yahoo currently references on the Voices website to conceivably be the contributor database as it existed some months or years in the past.

Which means that if you’ve ever contributed content to Yahoo Voices or Associated Content, you should immediately change your passwords on other services.

My guess right now, although it’s early in the investigation, is that the 435,000 accounts are pre-Yahoo … that they are from Associated Content before Yahoo bought it.

There are three reasons why I’m thinking this way.

First, Yahoo bought the company in mid-2010 … so there has been time to add another 200,000 users. Second, and more important, is that Yahoo Voices is currently using the Yahoo service-wide login that most other Yahoo properties now use. A breach in that login system would result in probably over a hundred million accounts in the wild. Since the leak is relatively small, it makes sense that this was an old password file.

And finally, I tried two of the username/password combinations I found, and neither worked, which makes me even more sure that this is a case of hackers finding an old user account backup.

The released user data is still dangerous, however, since many people do not use unique usernames or passwords for different sites.

And as of 12:06 AM July 12, the file is still available — D33Ds’ server is operating under heavy load and occasionally delivering an error code — but I was able to download the file. The first 100,000 lines contain more than a hundred users named “john.”

As of tonight there is no response from Yahoo on this development. We’ll update when and if Yahoo responds to our request for comment.

In the meantime: change your passwords!

Updated July 12 with Yahoo’s statement:

“At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 450,000 Yahoo! and other company users names and passwords was compromised yesterday, July 11.  Of these, less than 5% of the Yahoo! accounts had valid passwords. We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised.  We apologize to all affected users.  We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com.”

Image credit: Aleksiy Mark/ShutterStock