Yahoo confirmed Thursday that hackers broke into the company’s network and stole the login information of about 450,000 individuals who use Yahoo and other popular Internet e-mail services, including Google Inc.’s Gmail, AOL, Verizon.net, and MSN.
The hacker group, which calls itself D33D, broke into a list of the e-mail addresses and passwords of people signed up for the Yahoo Contributor Network, a place for budding writers, photographers, and videographers to publish their work on the Internet. Because users can opt to use an outside e-mail address to join the network, the stolen information included user names and passwords for accounts on a number of e-mail services.
Less than 5 percent of the stolen passwords were valid, Yahoo spokeswoman Dana Lengkeek said in a statement, because only those users whose network passwords matched their e-mail passwords were vulnerable to being hacked.
“We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users, and notifying the companies whose users' accounts may have been compromised,” she said. “We encourage users to change their passwords on a regular basis, and also familiarize themselves with our online safety tips at security.yahoo.com.”
Marcus Carey, a researcher at Boston-based data security company Rapid7, said Yahoo might not have taken basic safety precautions such as encrypting passwords. He said the easiest thing an individual can do to avoid being hacked is to change e-mail passwords every 45 to 90 days.
“The key thing is from a corporate perspective: Perhaps invest more in security,” Carey said. “If Yahoo didn’t [encrypt their passwords], they were probably cutting corners on other things.”
There is no way for individuals to know if they were hacked, Carey said, but a password change is probably a good idea. “I would recommend if people know that they use that particular network, change their password,” he said, “and if they feel uneasy about it, change their password anyway.”
Laura Finaldi can be reached at firstname.lastname@example.org.