Nearly half a million usernames and passwords apparently taken from a Yahoo service were posted online by hacking group D33Ds Company last night. The leak, which was picked up by Ars Technica, is believed to contain credentials taken from Yahoo's Voices social network/blogging service.
Yahoo has yet to comment on the leak or confirm which service was attacked, although it has said that it is preparing a statement.
According to the D33Ds website, the attack was carried out via a union-based SQL injection method. This is a relatively trivial technique which involves inserting code into URL search strings. Security experts at TrustedSec have expressed alarm that “the passwords were stored completely unencrypted and the full 400,000+ usernames and passwords are now public”.
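The two failures named above, shown side by side as an added example (not code from Yahoo, D33Ds or TrustedSec): a search query built by string concatenation next to a parameterized one, with passwords stored as salted PBKDF2 hashes instead of plaintext. The table names, the `alice` account and the crafted search term are constructed for illustration and run against an in-memory SQLite database.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed setting)
# Constructed search term of the kind a union-based injection relies on.
CRAFTED = "zzz' UNION SELECT name, pw_hash FROM users --"

def hash_password(password, salt=None):
    # A random per-user salt means identical passwords do not share a hash.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_password(password, salt, digest):
    # Constant-time comparison of the recomputed hash with the stored one.
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def make_db():
    # Constructed sample data: one public post and one user account.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER, title TEXT)")
    db.execute("CREATE TABLE users (name TEXT, salt BLOB, pw_hash BLOB)")
    db.execute("INSERT INTO posts VALUES (1, 'Hello world')")
    salt, digest = hash_password("correct horse")
    db.execute("INSERT INTO users VALUES (?, ?, ?)", ("alice", salt, digest))
    return db

def search_vulnerable(db, term):
    # Weak: the request text is spliced into the SQL statement itself,
    # so quote characters in it change the structure of the query.
    sql = "SELECT id, title FROM posts WHERE title LIKE '%" + term + "%'"
    return db.execute(sql).fetchall()

def search_safe(db, term):
    # Hardened: the term is bound as a parameter and is only ever data.
    sql = "SELECT id, title FROM posts WHERE title LIKE '%' || ? || '%'"
    return db.execute(sql, (term,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", search_vulnerable(db, CRAFTED))
    print("parameterized:", search_safe(db, CRAFTED))
```

The concatenated query returns a row from `users`, but with hashed storage that row holds a salted digest, not a usable password; the parameterized query returns nothing for the same input.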
John Koetsier, at VentureBeat, believes that the password list may not be up to date. But neither is it necessarily a complete dump of what the hackers uncovered. The long and short of it is that if you have a Yahoo account, it's probably a good idea to change your password and make sure you don't use the same password for different services.
Personally, I can't recommend using an encrypted password locker like LastPass enough. This is an online vault for storing long, randomly generated passwords that are unique for each site you use. There are plenty of different tools like this around, including the open source KeePass and Clipperz, and I'd encourage you to start using one today.