Yahoo voice hacked, 450,000+ plain text user credentials are made public

According to the security expert - One of the Yahoo's user interactive service "Yahoo voices" has been reportedly hacked and user credentials has been made public on the internet.

The report suggests that the user data is from the company's Yahoo Voice calling service, and the security firm has expressed its concern that it was so easily accessed:

The most alarming part to the entire story was the fact that the passwords were stored completely unencrypted and the full 400,000+ usernames and passwords are now public. The method for the compromise was apparently a SQL Injection attack to extract the sensitive information from the database.

The website breach has been reportedly took place early Thursday morning. A list titled "Owned and Exposed" which is "brought to you by the D33Ds company" was posted online revealing a number of details for the service inclusing all of the email addresses and passwords for Yahoo Voices.

There are no official response by Yahoo regarding this matter, we have already sent the queries to them.

The website which hosted the hacked document is down, but we were able to get access to the document -- which proves that there are user credentials stored in it.

The people behind this hactivities claimed that it is not permormed as a threat to the company or people. It should be taken as a "wake up call" rather than a threat.

"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," the document says. "There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure.

"Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage."

It's worth noting that TrustSec refers to Yahoo Voice as formerly being Associated Content (the content platform it bought for $100 million) but that is incorrect, that service was later renamed Yahoo Voices.

Looking through a variety of sources, it appears that the compromised server was likely "Yahoo! Voice" which was formally known as Associated Content (credit to Adam Caudill for the linkage).

From that wording, it appears that Yahoo Voice (sans s) was the service targeted but we've contacted TrustSec to confirm that.

It is still to see what Yahoo officially say about it. We will keep you posted.

In the meanwhile, how should Yahoo react? Let us know your take in the comments.