Yahoo Inc reported the theft of some 400,000 user names and passwords to access websites including its own, saying that hackers had taken advantage of a security vulnerability in its computer systems.
The security firm Rapid7 said a data file published on the Web contained logins and cleartext passwords for Yahoo as well as several other Internet services, including Google Inc’s Gmail and AOL as well as Microsoft Corp’s Hotmail, MSN and Live sites.
“It’s way bigger than Yahoo,” said Rapid7 researcher Marcus Carey. “We can assume that tens of thousands of people on services outside of Yahoo could be compromised.”
Yahoo apologized for the breach in a written statement, responding to the latest piece of bad news for a company that has lost two chief executives in a year and is struggling to revive stalled revenue growth.
Chairman Alfred Amoroso acknowledged that Yahoo had experienced a “tumultuous” year at its annual shareholder meeting on Thursday morning. Interim CEO Ross Levinsohn told attendees he was optimistic about the company’s progress.
Yahoo spokeswoman Dana Lengkeek did not respond to a request asking her to identify the companies whose credentials were stolen. Officials with Google, AOL and Microsoft could not immediately be reached for comment.
Yahoo did not disclose how many passwords were valid or say how many of the stolen logins were for Yahoo’s sites.
Lengkeek said “an older file” had been stolen from Yahoo Contributor Network, an Internet publishing service that Yahoo purchased about two years ago. It helps writers, photographers and videographers to sell their work over the Web.
“We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised,” she said.
The theft follows a breach reported last month by the business networking service LinkedIn, which resulted in the release of some 6.4 million member passwords.