The hackers claimed to have stolen the passwords using a hacking technique called an SQL injection, which exploits a software vulnerability. The breach comes just one month after LinkedIn, the online social network for professionals, had millions of user passwords exposed after hackers breached its systems. The breaches highlight the ease with which hackers are able to infiltrate systems, even at some of the most widely-used and sophisticated technology companies.

Security researchers at Rapid7, a security company, analyzed the dumped account information and found that it included account information not just for Yahoo users but for Gmail, AOL, Hotmail, Comcast, MSN, SBC Global, Verizon, BellSouth and Live.com users. Marcus Carey, a researcher at Rapid7, found that among the data were some 106,000 Gmail accounts, 55,000 Hotmail accounts and 25,000 AOL accounts.

Dana Lengkeek, a spokeswoman for Yahoo, said that the compromised accounts belonged to Yahoo's Contributor Network, previously Associated Content, and that fewer than 5 percent of the passwords posted were still valid. "We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users and notifying companies whose user accounts may have been compromised," Ms. Lengkeek said in the statement. "We apologize to affected users. We encourage users to change their passwords on a regular basis."

Mr. Carey said it was unclear whether Yahoo's breach had been contained and noted that hackers could still be inside its systems.

"Since Yahoo is still investigating this breach there's a possibility that it hasn't been contained yet," Mr. Carey said in an e-mail, adding that people may need to change their passwords multiple times. "You should still go ahead and change it straight away, but you may have to change it for a second time if it turns out attackers are still entrenched in Yahoo's systems."

Yahoo users should also consider changing their passwords on other sites for which they might have used the same password, as hackers tend to test those passwords across multiple sites.

Tips on How to Craft a Secure Password

Throw out the dictionary:

Stop using simple passwords. To crack passwords, hackers often use automated tools. Any password that can be found in the dictionary is useless. "The worst passwords are dictionary words or a small number of insertions or changes to words that are in the dictionary," said Mr. Kocher.  Consider an easy-to-remember phrase that contains two or three words, or stringing together only the first few letters of each word in a sentence that would be difficult to guess. The longer the password, the better.
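The rule quoted above, written as a check a site could run when a user picks a password. This is an added example, not code from the article or from anyone quoted in it; the word list, the substitution table and the two-edit threshold are assumptions chosen for illustration.

```python
import re

# Constructed sample list; a real check would load a full dictionary plus
# passwords already exposed in breaches.
SAMPLE_WORDS = {"password", "dragon", "monkey", "sunshine", "welcome", "yahoo"}

# Character swaps commonly used to dress up a dictionary word.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def edit_distance(a, b):
    """Levenshtein distance: fewest insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def near_dictionary_word(password, words=SAMPLE_WORDS, max_edits=2):
    """Return the word this password is a light variation of, else None."""
    raw = password.lower()
    # Drop digits/symbols padded onto either end: "Dragon2012!" -> "dragon".
    trimmed = re.sub(r"^[^a-z]+|[^a-z]+$", "", raw)
    candidates = {raw, trimmed, raw.translate(LEET), trimmed.translate(LEET)}
    for word in sorted(words):
        if any(edit_distance(c, word) <= max_edits for c in candidates):
            return word
    return None


if __name__ == "__main__":
    for pw in ["P@ssw0rd1", "Dragon2012!", "$unshine",
               "correct horse battery staple", "tPfwcwtbg-itsd"]:
        hit = near_dictionary_word(pw)
        print(f"{pw!r}: {'reject, variation of ' + hit if hit else 'passes this check'}")
```

The multi-word phrase and the first-letters-of-a-sentence string both pass, which matches the advice in the paragraph above; passing this one check says nothing about length or reuse.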

Never Use the Same Password Twice:

People tend to use the same password across multiple sites, a fact hackers are all too happy to exploit. While cracking into someone's professional profile on LinkedIn might not have huge consequences, hackers can use that password to crack into, say, someone's e-mail, bank, corporate account or brokerage firm, where sensitive financial and personal details are free for the taking.

Choose Your Security Questions Carefully:

Hackers can easily reset your password using basic information found on the Internet. During the 2008 presidential campaign, a hacker was able to reset Sarah Palin's password using her birth date, ZIP code and information about where she met her husband — the security question on her Yahoo account, the answer to which ("Wasilla High") was available on the Web. A hacker claimed he had been able to crack into Mitt Romney's Hotmail and Dropbox accounts using the name of his favorite pet.

Store Your Passwords Somewhere Safe:

Do not store your passwords in your e-mail inbox. Consider a password manager, password-protected software that lets you store all your usernames and passwords in one place. Some programs will even create strong passwords for you and automatically log you into sites as long as you provide one master password. Those programs also make it impossible for hackers to crack your accounts using keystroke logging software or a phishing attack. Several password managers work across platforms. SplashData offers password-management software for Windows and Macs and mobile devices, as does AgileBits with its 1Password software. Top Ten Reviews has reviews of password managers for PCs.

Change Your Passwords Regularly:

Security experts advise people to regularly switch up their passwords. Setting calendar reminders to change your passwords is not a bad idea. In the case of LinkedIn, it is still unclear how hackers were able to breach its systems or whether they still have access. "This is going to be an ongoing headache for LinkedIn for an extended period of time," said Mr. Kocher.
