The company also provided more information about whose passwords had been pilfered.
“We have…now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of notifying affected users,” the company announced in a post to its blog.
Yahoo has offered no specific information about the attack, how it was carried out or even when. It confirmed the attack Thursday.
The hacker group D33Ds Company took responsibility for the breach, saying it had exploited a basic SQL injection vulnerability in a Yahoo service to steal the usernames and passwords associated with 453,000 accounts. The group published the passwords and email addresses on the web.
Yahoo also confirmed that the stolen account credentials belonged to registered users of its Yahoo Contributor Network, which was previously known as Associated Content.
Yahoo Contributor Network is a platform that generates high-volume, low-cost content by letting writers photographers and others share their work with Yahoo members and earn money based on the traffic their content generates. Users who contribute to the network are required to sign in using a Yahoo, Google or Facebook ID.
Associated Content, which was founded in 2005, was bought by Yahoo for just over US$100 million in May 2010. Yahoo renamed the service in late 2011, when it also launched Yahoo Voices, a portal where users access content posted by the Yahoo Contributor Network.
According to Yahoo, only people who registered as providers with Associated Content before the 2010 acquisition were affected by the password theft. “[The] compromised file was a standalone file that was not used to grant access to Yahoo! systems and services,” Yahoo maintained.
Just under a third of the stolen passwords were linked to accounts registered to a yahoo.com email address, security company Rapid7 said last week. Significant chunks of the file, however, were composed of Gmail (23.6 percent of all accounts) and Hotmail (12.2 percent) addresses.
All users with older Associated Content accounts, no matter the email address used, should immediately change the passwords for those email accounts as well as any identical or similar passwords used to secure other online services or websites, security experts have said.