Yahoo Breach Extends Beyond Yahoo to Gmail, Hotmail, AOL Users

SAN FRANCISCO — Another month, another major security breach.

Yahoo confirmed Thursday that about 400,000 user names and passwords to Yahoo and other companies were stolen on Wednesday.

A group of hackers, known as the D33D Company, posted online the user names and passwords for what appeared to be 453,492 accounts belonging to Yahoo, and also Gmail, AOL, Hotmail, Comcast, MSN, SBC Global, Verizon, BellSouth and Live.com users.

The hackers wrote a brief footnote to the data dump, which has since been taken offline: “We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat.”

The breach comes just one month after millions of user passwords for LinkedIn, the online social network for professionals, were exposed by hackers who breached its systems. The breaches highlight the ease with which hackers are able to infiltrate systems, even at some of the most widely used and sophisticated technology companies.

Marcus Carey, a researcher at Rapid7, a security company found that among the data were some 106,000 Gmail e-mail addresses, 55,000 Hotmail e-mail addresses and 25,000 AOL e-mail addresses. Those e-mail accounts were not hacked; instead people had used their e-mail address as user names for a Yahoo service.

Sucuri, a company that checks for malware, set up a Web site, labs.sucuri.net/?yahooleak, that lets concerned users check if their account details were compromised in the breach.

Dana Lengkeek, a spokeswoman for Yahoo, said the compromised accounts belonged to Yahoo’s Contributor Network, and that fewer than 5 percent of the passwords posted were still valid.

Chris Gaither, a spokesman for Google, said Google immediately reset passwords for vulnerable Gmail accounts.

The hackers claimed to have stolen the passwords using a hacking technique called an SQL injection, which exploits a software vulnerability.

“We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users and notifying companies whose user accounts may have been compromised,” Ms. Lengkeek said in the statement.

Mr. Carey said it was unclear whether Yahoo’s breach had been contained and noted that hackers could still be inside its systems.

Computer security experts recommended that Yahoo users consider changing their passwords to other sites, as hackers tend to test those passwords across multiple sites.

They were quick to chastise Yahoo for allowing hackers such an easy way into its systems. “Why haven’t organizations like Yahoo got it yet? SQL injection is a known attack,” said Mark Bower, a vice president at Voltage Security. “If what is stated is true, it’s utter negligence to store passwords in the clear.”