Yesterday (12 July 2012) the hacker group D33ds Company claimed responsibility for attacking a Yahoo service via a union-based SQL injection and exposing 453,492 plaintext login credentials. Today Yahoo confirmed that 400,000 of its accounts were hacked.
The published credentials apparently belong to Yahoo!'s VoIP service, Yahoo! Voices, which runs on Yahoo!'s instant messenger. However, D33ds did not reveal the service the credentials came from. The group said it wasn't disclosing that information because it wanted to avoid further damage. What's more, according to a D33ds statement posted to PC World, the attack was supposed to be a wake-up call, not a threat.
"We apologize to affected users," the company said in an email statement. "We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com."
The top five passwords in the stolen batch were "123456," "password," "welcome," "ninja" and "abc123," said David Harley, senior research fellow at security firm ESET.