Yahoo data breach compromises passwords of 450,000 users
Yahoo confirmed Thursday that hackers broke into the company’s network and stole the login information of about 450,000 individuals who use Yahoo and other popular Internet email services, including Google Inc.’s Gmail, AOL, Verizon.net, and MSN.
The hacker group, which calls itself D33D, broke into a list of the email addresses and passwords of people signed up for the Yahoo Contributor Network, a place for budding writers, photographers, and videographers to publish their work on the Internet. Because users can opt to use an outside email address to join the network, the stolen information included user names and passwords for accounts on a number of email services.
Less than five percent of the stolen passwords were valid, Yahoo spokeswoman Dana Lengkeek said in a statement, because only those users whose network passwords matched their email passwords were vulnerable to being hacked.
“We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users, and notifying the companies whose users’ accounts may have been compromised,” Lengkeek said. “We encourage users to change their passwords on a regular basis, and also familiarize themselves with our online safety tips at security.yahoo.com.”
Marcus Carey, researcher at Boston-based data security company Rapid7, said Yahoo might not have taken basic safety precautions such as encrypting passwords. He said the easiest thing an individual can do to avoid being hacked is to change email passwords every 45 to 90 days.
“The key thing is from a corporate perspective: perhaps invest more in security,” Carey said. “If Yahoo! didn’t [encrypt their passwords], they were probably cutting corners on other things.”
There’s no way to know if you’re hacked, Carey said, but a password change is probably a good idea. “I would recommend if people know that they use that particular network, change their password,” he said, “and if they feel uneasy about it, change their password anyway.”
Laura Finaldi can be reached at email@example.com.