On July 12, 2012, D33DS Co. released over 450,000 Yahoo! Voices accounts containing emails and passwords in cleartext. The leak was announced in a Twitter post at https://twitter.com/denjacker/status/223148408800690176. The Yahoo! Voices service, previously known as Associated Content, is provided by Yahoo! Inc. to allow writers to submit articles that are then distributed to several Yahoo!-owned websites, including Yahoo! News. The leak was possible because the Yahoo! Voices service was susceptible to an SQL injection attack. D33DS Co. is hoping the leak will serve as a wake-up call for Yahoo! Inc. to re-evaluate its security policy.

While the leak represents only 0.5% of Yahoo! Inc.'s 97 million users on Yahoo! Messenger, users of the latter service should be wary of the security of their accounts. One of the most important steps to take is to ensure that the password used on Yahoo! services is used only on Yahoo! services, so that its compromise does not expose other accounts. In their disclosure posted at http://d33ds.co/archive/yahoo-disclosure.txt, D33Ds Co. stated that the vulnerable parameters used in the SQL injection attack will not be revealed to avoid further damage to Yahoo! Inc. The table below is the list of the leaked accounts from Yahoo! Voices.

UPDATE (July 13, 2012): Yahoo! has confirmed the leak with the following full statement as published at TechCrunch:

At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 400,000 Yahoo! and other company user names and passwords was stolen yesterday, July 11. Of these, less than 5% of the Yahoo! accounts had valid passwords. We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users' accounts may have been compromised. We apologize to affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com.

This disclosure was mentioned in Wired, InformationWeek, NBC12, IBTimes, Gizmodo (BR), The Christian Science Monitor, Geekosystem, HowToGeek and Examiner.

What should you do?
Use the search box below to find out if your email is in the list. If yes, you are advised to change your password immediately if it is still in use elsewhere. For your privacy, do not enter your complete email in the search box. Try using the first part of your email instead, e.g. example instead of example@domain.com.

If you wish to have your entry removed from the list below, please send an empty email to disclosure@dazzlepod.com with the subject "yahoo removal request". The removal is done automatically within 24 hours if you send the request from the same email address as the one that appears in the list. This page may be cached for up to 24 hours.


Dazzlepod is in no way associated with the individual or group that originally leaked the information disclosed on this page. This disclosure is brought to the public to allow affected users to be aware of the leak and take the appropriate steps to secure their accounts and personal information.