The New York Times reports that a major security breach on Thursday also hit Gmail, AOL, Comcast, MSN, SBC Global, Verizon, Bell South, Live.com, and Hotmail users, not just Yahoo email users.
The breach hit over 400,000 Yahoo email users, along with 106,000 Gmail email addresses, 55,000 Hotmail email addresses, and 25,000 AOL email addresses, as well as other email accounts.
The email accounts themselves were not hacked; instead, the hackers used these email user names for Yahoo services.
A group of hackers, known as the D33D Company, posted online the user names and passwords for what appeared to be 453,492 accounts belonging to Yahoo, and also Gmail, AOL, Hotmail, Comcast, MSN, SBC Global, Verizon, BellSouth and Live.com users.
The hackers then set up a site on which they listed all the accounts they hit, saying, "We hope that the parties responsible for managing the security of this sub-domain will take this as a wake-up call, and not as a threat." The site has since been taken down.
Sucuri, a company that checks for malware, set up a Web site, labs.sucuri.net/?yahooleak, that lets concerned users check if their account details were compromised in the breach.
Sucuri only asks for one's email address, and no other information, to check whether the account was hacked. The program then checks to see if that email address was compromised by the hackers.
Yahoo stated that the email accounts hit belonged to its contributors and that fewer than 5% of the passwords were still valid. Google immediately reset the passwords of the accounts hit by the hackers.
The hackers used a technique called SQL injection, which exploits a software vulnerability, to steal the passwords from various email accounts, and Yahoo warned that the hackers could still be in the systems.
"We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users and notifying companies whose user accounts may have been compromised," Ms. Lengkeek said in the statement.
Computer security experts recommend that Yahoo users change their passwords on all sites on which they use the same password, because hackers tend to test those same passwords across multiple sites.
They were quick to chastise Yahoo for allowing hackers such an easy way into its systems. "Why haven't organizations like Yahoo got it yet? SQL injection is a known attack," said Mark Bower, a vice president at Voltage Security. "If what is stated is true, it's utter negligence to store passwords in the clear."
It is also recommended that anyone who uses any of those email accounts and is concerned about whether the hackers hit their account and stole their password change the password on that account and on any other accounts that use that password.
The Sucuri website tells more about the accounts hit, details of most passwords the hackers collected, as well as other sites, including government and military websites, hit by the hackers.