![](https://www.trustedsec.com/files/Yahoo_Voices.png)
Few details are known at this point; however, a recent post put over 400,000 accounts with clear-text passwords online. The accounts included a wide variety of email addresses, including those from yahoo.com, gmail.com, aol.com, and many more. The affected website was named only as a subdomain of yahoo.com; however, digging through the post and searching for the hostname shows that the attacker forgot to remove the hostname “dbb1.ac.bf1.yahoo.com” (credit to Mubix for the hostname find). Looking through a variety of sources, it appears that the compromised server was likely “Yahoo! Voices”, which was formerly known as Associated Content (credit to Adam Caudill for the linkage).
![](https://www.trustedsec.com/files/ts-update.png)
The most alarming part of the entire story is the fact that the passwords were stored completely unencrypted and the full 400,000+ usernames and passwords are now public. The method of compromise was apparently a SQL injection attack used to extract the sensitive information from the database.
Below is a small snippet of what the passwords looked like from the leaked document (email addresses redacted):
![](https://www.trustedsec.com/files/compromised_passwords.png)
If you are concerned about your password, or want the full list of all of the compromised usernames and passwords, head over to the link below. Note that the file is large and will take quite a long time to load.
http://d33ds.co.nyud.net/archive/yahoo-disclosure.txt
Users of Yahoo are advised to change their passwords IMMEDIATELY. Also be wary if you have used the same password on other websites.
UPDATE 1: Note: fixed the title and body to reflect “Yahoo! Voices”, not “Voice”. They are two separate applications.
UPDATE 2: Yahoo! has confirmed the breach and is resetting the passwords for the users.