Yahoo has confirmed reports that some 400,000 of its user passwords were stolen in a recent security breach.
The company on Thursday issued a statement confirming that on 11 July, an attacker had breached company systems and lifted the data from archived information related to the Yahoo Contributor Network. The company said that the information included account information from Yahoo and other services.
Earlier in the day, a group of hackers posted the stolen credentials online, claiming that they were not looking to encourage account theft, but rather alert Yahoo and other web application providers to the risks of bad security practices.
While the information covers hundreds of thousands of users, the company contends that only a small number of the lifted passwords will actually work as log-in credentials.
"Of these, less than five per cent of the Yahoo accounts had valid passwords," the company said.
"We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users and notifying the companies whose users' accounts may have been compromised."
The company is advising all of its users to adopt best practices for choosing and maintaining their login credentials.
Security vendors were quick to point to the incident as a call for enterprises to adopt tighter protections on their databases and employ additional management tools.
Slavik Markovich, chief technology officer for McAfee's database security division, said that the breach shows the need for companies to keep a close eye on even their old and seldom-accessed data.
"It is often the case that obvious database vulnerabilities, such as weak passwords and default configuration settings, are initially overlooked and never fully remediated," Markovich said.
"An organisation's sensitive information can never be adequately secured if it lacks dedicated tools and processes to gain complete visibility into their databases' security weaknesses and eliminate the opportunity for the bad guys to exploit them."
Mark Bower, vice president with Voltage Security, said that the Yahoo breach reflected a need for companies to place tighter controls on how user credentials are stored and protected.
"This breach just goes to show that even big companies aren’t taking enough steps to protect critical data," Bower said.
"If data is not protected, it is going to be breached at some point."