The beleaguered Internet company Yahoo! has another crisis on its hands: 450,000 user email addresses and passwords apparently stolen from its user-generated content service, Yahoo! Voices.
Even worse, all the passwords were stored unencrypted, or in "plaintext," right out there for anyone to read.
A hacking group calling itself "D33ds Company" posted the data on its own website, which only partially accessible on July 12.
"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," read a note at the end of the posting, according to Ars Technica.
"There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage."
However, it turned out the Yahoo! subdomain was in fact included by accident, which tipped off the security company TrustedSec that the user data belonged to Yahoo! Voices.
An email seeking comment from Yahoo! was not immediately returned.
Treasure trove of dumb passwords
Any time there's a big password breach, security experts get to work analyzing the data.
Anders Nilsson of the Slovakian security company ESET broke down the Yahoo! Voices data and found that the most common password was "123456," followed by "password" and "welcome." The most common password length was eight characters, and fully one-third of the passwords contained only lower-case letters.
Yahoo! Voices' administrators made a big mistake storing the passwords in plaintext, but all users need to bolster their own security as well. Make passwords harder to guess by making them more than eight characters long, and pepper them with upper-case letters, numbers and punctuation marks.
From crisis to crisis
Yahoo! Voices started out several years ago as Associated Content, a so-called "content farm" that aggregated thousands of hastily written articles in an effort to draw search-engine traffic. Yahoo! bought Associated Content two years ago, and last December rebranded it as Yahoo! Voices and shifted its focus to content generated by Yahoo! users.
(Yahoo! Voices should not be confused with Yahoo! Voice, a voice-over-Internet service associated with Yahoo! Messenger, Yahoo!'s instant-messaging service.)
It's not clear how old the user data is, or whether the decision to store passwords in plaintext was Associated Content's or Yahoo!'s. But Yahoo!'s information-technology team should have corrected the error nonetheless.
Everyone who's ever registered with Associated Content or Yahoo! Voices should change their passwords for that account immediately, and do the same for any other account that used the same password or registered email address.
Yahoo! was one of the early Web's first search engines and quickly grew into an all-encompassing "portal," offering news, email and instant-messaging services, movie listings and virtually anything else you could think of doing online.
But since it refused a buyout offer from Microsoft in 2008, Yahoo!'s been struggling to find its way, with top executives rotating in and out, thousands of employees being laid off and its stock price plummeting.
In May, Yahoo!'s chief executive officer was forced to resign five months into the job after it was learned he'd falsified his résumé to make it appear he had a degree in computer science.
Related on SecurityNewsDaily:
Copyright 2012 SecurityNewsDaily, a TechMediaNetwork company. All rights reserved.