On July 12, 2012, D33DS Co. released over 450,000 Yahoo! Voices accounts, with email addresses and passwords in cleartext. The leak was announced in a Twitter post at https://twitter.com/denjacker/status/223148408800690176. The Yahoo! Voices service, previously known as Associated Content, is provided by Yahoo! Inc. to allow writers to submit articles that are then distributed to several Yahoo!-owned websites, including Yahoo! News. The leak was possible because the Yahoo! Voices service was susceptible to SQL injection. D33DS Co. hopes the leak will serve as a wake-up call for Yahoo! Inc. to re-evaluate its security policy.
While the leak represents only 0.5% of Yahoo! Inc.'s 97 million users on Yahoo! Messenger, users of the latter service should be wary about the security of their accounts. One of the most important steps to take is to ensure that the password used on Yahoo! services is used only on Yahoo! services, so that a compromise there does not extend to other accounts. In their disclosure posted at http://d33ds.co/archive/yahoo-disclosure.txt, D33Ds Co. stated that the vulnerable parameters used in the SQL injection attack will not be revealed, to avoid further damage to Yahoo! Inc. The table below is the list of the leaked accounts from Yahoo! Voices.
UPDATE (July 13, 2012): Yahoo! has confirmed the leak with the following full statement as published at TechCrunch:
What should you do?
Use the search box below to find out if your email is in the list. If yes, you are advised to change your password immediately if it is still in use elsewhere. For your privacy, do not enter your complete email in the search box. Try using the first part of your email instead, e.g. example instead of firstname.lastname@example.org.
If you wish to have your entry removed from the list below, please send an empty email to email@example.com with the subject "yahoo removal request". The removal is done automatically within 24 hours if you send the request from the same email address as the one that appears in the list. This page may be cached for up to 24 hours.
|ID||Email / Username||Password|
|No account found|