Last Thursday, news broke that a hacker group had leaked around 450,000 account passwords stolen from Yahoo! Voices, a subsection of the Yahoo! site where users submit their own content. In this case it appears that the passwords were stored in plaintext and not even hashed. The stolen data is now publicly available for anyone to download and use to attack other cloud services.
Cyber criminals frequently attack social media sites that have large user databases and are perceived to have weaker security, a topic I discussed at length here. Web users often use the same password for multiple sites, so the compromise of a password on one social network can give criminals access to higher-value services elsewhere. While this is another high-profile attack where the hacker chose to publish details of their exploits, we can assume there may be just as many covert breaches where the motives of the attacker require them to keep details of their attack secret.
This latest Yahoo! breach hammers home how websites need to use strong password hashes and, better still, application-level encryption to protect usernames, passwords and other sensitive data. At the same time, web users must remain vigilant with their online identities and refrain from using the same password for multiple sites, or risk their identities being compromised.