The security details of almost half a million internet users have been compromised, after hackers posted what appear to be login credentials to online accounts. Yahoo has confirmed the security breach.
The material was posted by a hacking collective known as D33Ds Company, according to Ars Technica. The group said in a statement at the bottom of the data that they used a technique known as a union-based SQL injection, which preys on poorly secured web applications.
The hackers claim the information was gathered from a service on the Yahoo network.
The subdomain may belong to Yahoo Voices, a contribution service which allows user-generated content to be published online, according to security firm TrustedSec.
SQL injection attacks sites that do not properly examine text which is entered into search boxes and other input fields. Hackers then inject database commands which trick servers into sharing large amounts of sensitive information.
Experts say the passwords were not encrypted, meaning anyone holding the data could immediately use them to gain access to online accounts.
Members of D33Ds say they intend the hack to be used as a “wake-up call.”
"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," the hackers said in their statement. "There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly."
The most recent entries in the data appear to be from accounts created in 2006, which may imply the data is old, or no longer in use.
Android Forums and Formspring were attacked at the same time. Both sites encrypted the passwords that they stored, although there is still a possibility that those passwords could be cracked.
Users are being encouraged to change their passwords immediately, and to check whether they used the same login details for other online services.
It is not yet known whether the three attacks are linked.