Slashdot Mirror


Yahoo! Closes Security Hole That Led To Breach

An anonymous reader writes "Yahoo! has patched the security hole that allowed hackers to access some 450,000 email addresses and passwords associated with Yahoo! Contributor Network and ultimately publish them last week. In the meantime, the group responsible for the hack of the official forum site of technology company NVIDIA has also dumped some 800 user records taken during the breach."


  1. Nothing is ever secure by ManOnline · · Score: 2, Informative

    Anyone who ever believes in 100% security will always be a victim of a hack. Always store personal information knowing that somebody can get to it.

    --
    http://OnlineURLDirectory.com http://GunsAmmoForum.com
    1. Re:Nothing is ever secure by hcs_$reboot · · Score: 3, Interesting

      Anyone who ever believes in 100% security will always be a victim of a hack

      Pretty off topic in my opinion. Companies are not equal when it comes to security, far from it. Two major distinctions: the way the company was hacked (e.g. SQL injection), and how fast the company fixes the security concern(s). Sony for instance was a good (i.e. bad) example in both categories.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:Nothing is ever secure by Billly+Gates · · Score: 2

      Anyone who ever believes in 100% security will always be a victim of a hack. Always store personal information knowing that somebody can get to it.

      Inexcusable!

      Any bank that would get robbed that has little to no security should be grilled the same way. Nothing is ever secure so it's OK there was no alarm in the safe etc. This reminded me why I no longer use Yahoo anymore and why the company is dying. I used to somewhat feel sorry for them as Google was overrated with a marketing swing but it shows poor leadership and management.

      An example is YahooChat which I used to use over a decade ago. Then porn spammers came in and bombed you every 3 minutes with check out my titties and this scared every human away to the point where only porn spam bots were in there. There are teen and kid chat rooms where this happened too! People should be in jail for this as this is now pedophilia. Did Yahoo even care? No. For the hell of it 3 years ago I came back to Yahoo chat and the problem was still not fixed and even worse where I would be spammed every 30 seconds. No human is left anymore.

      Now comes YahooIM which I still use, but not with a Yahoo client. I get these strange names each time I log in from Digsby by of course my Yahoo account requesting to be my friend. Same porn spammers. I just do not add anyone unless they have emailed me and let me know ahead of time because every few hours a spammer will come on. Did Yahoo fix it? No.

      Ever wonder why Skype is so popular as an IM? Now you know why.

      Yahoo lost to Google and Bing. Did Yahoo fix it? No.

      If you use Firefox and have YahooMail opened in one tab and browse porn in the other tab your Yahoo email will randomly start sending out spam to people. Hairyfeet noticed that too. Did Yahoo fix it? No. ... I won't waste any more slashdotters' time other than to say stop giving them excuses for their incompetent management and employees. They are incompetent and any company worth as much as Yahoo should have a dedicated security team. There are more issues I won't discuss but only old people whose default homepage has not been changed still use it. The company is dying right now deservingly so and it will probably be gone in a couple years. Nobody seems to care or take their product seriously. It is no surprise they only got off their ass when it hit the news. Yahoo is terrible

  2. Change password again by Nkwe · · Score: 2

    So now that it's patched Yahoo users should change their passwords again. Presumably if your account was on "the list" and you changed your password after the first disclosure, your credentials could have been compromised again - prior to the security hole being closed.

    While this may sound obvious, I bet many folks don't realize the distinction between a disclosure announcement and correction of the problem. Many people probably assume that when a massive password disclosure is made, that the problem has already been fixed. In this case apparently not.

    1. Re:Change password again by arth1 · · Score: 3, Interesting

      So now that it's patched Yahoo users should change their passwords again. Presumably if your account was on "the list" and you changed your password after the first disclosure, your credentials could have been compromised again - prior to the security hole being closed.

      While this may sound obvious, I bet many folks don't realize the distinction between a disclosure announcement and correction of the problem. Many people probably assume that when a massive password disclosure is made, that the problem has already been fixed. In this case apparently not.

      What seems obvious, but which some people obviously don't realise, is that the vulnerable services were taken offline until they were fixed.

  3. Their e-mail made no sense by slashmydots · · Score: 3, Interesting

    I happened to have joined Associated Content just barely prior to May 2010 so I got one of Yahoo's e-mails on my Road Runner e-mail account, which is what I used to sign up for AC. It seemed to advise me to change my e-mail password ASAP. AC doesn't know my e-mail address password so I'm not sure I quite understand that one. I'll paste the entire thing below. Does anyone know what they actually stole?! Am I supposed to change my AC account password?

    You may have read in press reports that Yahoo! recently confirmed an older file containing approximately 450,000 email addresses and passwords—provided by writers who had joined Associated Content prior to May 2010—was publicly posted on the Internet. This file was a standalone file that was not used to grant access to Yahoo! systems and services. This message is being sent to an email address in this compromised file.

    We are taking important steps to address this issue and have now fixed the vulnerability that led to the disclosure of the data and enhanced our underlying security controls. As a non-Yahoo! account holder, we apologize that we cannot provide you a direct means to secure your account. We strongly recommend that you employ the security mechanisms recommended by your email service provider to secure your account.

    Additionally, given the high frequency of consumers using the same login information on services across the Internet, we strongly advise users to:

    Change their passwords for any account they hold every few months,
    Use a different password for each service or website, and
    Create passwords using a mixture of characters, symbols, and numbers.


    We also suggest that you proactively monitor the activity on any account you have created online. Specifically, be on the lookout for spam originating from your email, and check your sign-in activity from time to time. If you see anything suspicious—like your account was accessed in Romania when you were home in Chicago—you should change your password immediately.

    We take security very seriously at Yahoo! and invest heavily in protective measures to ensure the security of our users and their data across all our products. In addition, we will continue to take significant measures to protect our users and their data.

    We sincerely apologize for this matter.

    Yahoo! Inc.

  4. Re:Oh Yahoo by davidwr · · Score: 2

    450,000, with "n" of them people who signed up just to try it out.

    The value of "n" is left as speculation for the reader.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.