Yahoo! Inc. (YHOO), operator of the biggest U.S. Web portal, said that as many as 450,000 user names and passwords were stolen from one of its sites.
Hackers took a file on July 11 containing login credentials for Yahoo and other accounts, such as Google Inc. (GOOG)'s Gmail, Microsoft Corp. (MSFT)'s Hotmail and AOL Inc. (AOL), from a Yahoo site featuring user articles, videos and slideshows, the company said in an e-mailed statement today.
Yahoo joins a growing list of Internet companies such as LinkedIn Corp. (LNKD), CBS Corp. (CBS)'s Last.fm music site and EHarmony Inc. that have recently had user information compromised.
The lapse happened just before Yahoo's annual shareholder meeting, where interim Chief Executive Officer Ross Levinsohn today said he's seeking a clear strategy for the company as it tries to restore investor confidence and find a permanent CEO. The Sunnyvale, California-based company, which has had five CEOs since early 2009, needs to attract more users and ad dollars as it fends off challenges from Google and Facebook Inc.
"We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised," Yahoo said in the statement. "We apologize to all affected users."
Kate Wesson, a spokeswoman for Yahoo, said the company has 298 million active Yahoo e-mail users worldwide. That means less than one percent of users were affected.
TrustedSec, a Berea, Ohio-based security consultancy, said that a hacker group called D33DS had posted details of 450,000 user accounts on an unencrypted file taken from Yahoo Voices, a site where users can share their own content.
The breached site was formerly known as Associated Content, a portal for user-generated content that Yahoo bought in 2010 and re-branded last year.
Many of the victims may have been Associated Content users who signed up for the service before it was turned into Yahoo Voices, said Kurt Baumgartner, a security researcher at Russian antivirus firm Kaspersky Lab. That likely explains why non-Yahoo e-mail accounts were among the stolen data, as users could sign up for the service with a variety of e-mail accounts, he said.
Google and Microsoft said they had identified which of their users were affected by the Yahoo incident and taken steps to make sure that passwords could be reset.
"Affected users will have to reset their password the next time they try to access their Google account," said Nadja Blagojevic, a spokeswoman for Mountain View, California-based Google.
The hackers, D33DS, made efforts to mask which Yahoo site yielded the stolen passwords, but inadvertently left clues in the file that point to the Yahoo! Voices site as the source of the breach, TrustedSec wrote on its blog.
According to Rapid7 LLC, a computer-security company that analyzed the hacked file, 138,000 of the accounts were Yahoo e- mail addresses, 107,000 were Gmail, 55,000 were Hotmail and nearly 26,000 were AOL.
Yahoo dropped 0.7 percent to $15.69 at the close in New York. The shares have declined 2.7 percent so far this year.