Yahoo says it has fixed the vulnerability that allowed 450,000 user email addresses and passwords to be stolen from its user-generated content service, Yahoo! Voices.
In a blog posting, Yahoo said that the “compromised information was provided by writers who had joined Associated Content prior to May 2010, when it was acquired by Yahoo!. (Associated Content is now the Yahoo! Contributor Network.) This compromised file was a standalone file that was not used to grant access to Yahoo! systems and services.”
The vulnerability has been taken care of, Yahoo said; the company has also put in place “additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of notifying affected users.
“In addition, we will continue to take significant measures to protect our users and their data.”
Yahoo is advising users who used their Yahoo email address to join Associated Content before May 2010 to log in to their Yahoo account, where they may be prompted to answer a series of authentication questions to change and validate their credentials.
Earlier in the week, the company confirmed that an “older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 400,000 Yahoo! and other company users names and passwords” was stolen July 11.
Security company ESET broke down the Yahoo! Voices data and found that the most common password was “123456,” followed by “password” and “welcome,” according to SecurityNewsDaily. The site also said the most common password length was eight characters, and fully one-third of the passwords contained only lower-case letters.
“Yahoo! Voices’ administrators made a big mistake storing the passwords in plaintext, but all users need to bolster their own security as well. Make passwords harder to guess by making them more than eight characters long, and pepper them with upper-case letters, numbers and punctuation marks.”