On Friday, Yahoo stated in a blog post that it has fixed the vulnerability that recently provided hackers with access to e-mail addresses and passwords from the Yahoo Contributor Network. "We have taken swift action and have now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of notifying affected users," the company said. "In addition, we will continue to take significant measures to protect our users and their data."
"One would hope that includes adding password encryption to avoid a similarly embarrassing situation in the future," notes The Register's Iain Thomson.
"Those whose login data was compromised will be asked to answer a series of challenge questions the next time they try to log in to validate and change account details," writes Threatpost's Anne Saita.
"According to Yahoo! the 450,000 email addresses and passwords were provided by writers who joined the Contributor Network -- which at the time was called Associated Content -- back in May 2010," writes Softpedia's Eduard Kovacs. "Apparently, the information was stored in a 'standalone' file, the credentials not being utilized to access to the company’s services."
"Security experts have been scathing in their criticism of Yahoo, in large part because the passwords were stored in plain text, making the hackers' job of exploiting the stolen accounts a breeze. ... Mark Bower, a data protection expert and executive at Voltage Security, said, 'It's utter negligence to store passwords in the clear,'" writes Computerworld's Gregg Keizer.