Yahoo confirms password leak

More than 400,000 Yahoo usernames and passwords were stolen and published online yesterday after hackers exploited a vulnerability in the firm’s computer systems – on the same day that the internet firm held its AGM.

Logins for Google, AOL and Microsoft services were also among those compromised in the attack. The three companies said they required affected users to reset passwords for sites including Gmail, AOL, Hotmail, MSN and Live.com.

Yahoo issued a statement apologising for the breach, the latest setback for a company that has lost two chief executives in a year and is struggling to revive stalled revenue growth.

At the firm’s annual meeting, chairman Alfred Amoroso acknowledged that Yahoo had experienced a “tumultuous” year. But interim chief executive Ross Levinsohn told those in attendance that he was optimistic about the company’s progress.

The breach prompted criticism from security experts who said that a major internet firm like Yahoo should do a better job at protecting user data.

“This points to some very lax security practices,” said Rob D’Ovidio, associate professor of criminal justice at Drexel University.

He pointed out that the hackers were able to produce more than 400,000 passwords written in standard text within a day. That indicates that Yahoo either did not encrypt them at all or used an encryption method that was easy to crack, he said.

The most popular passwords in the group were “123456”, “password”, “welcome” and “ninja”, according to an analysis by anti-virus software maker ESET.

Professional networking site LinkedIn was recently criticised for similar failings. Security experts attacked the company for failing to use sophisticated encryption practices to secure its passwords, millions of which were released following a breach last month.