Yahoo! has confirmed and apologised for a hacking attack on its Voice service that has affected about 400,000 users – but it appears the attack may have spread much further than the company’s own servers.
The password hack comes just months after a similar attack left several LinkedIn passwords vulnerable, with security experts warning business users to update and strengthen passcodes.
The leak has soured news of Yahoo’s settlement with Facebook last week over a patent dispute.
In a statement, Yahoo! has confirmed the hack affected usernames and passwords.
“We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 400,000 Yahoo! and other company users’ names and passwords was stolen yesterday, July 11.”
“We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users’ accounts may have been compromised.”
But according to internet security company Sucuri, Yahoo! email addresses aren’t the only ones affected. Sucuri has now identified several other domains, including over 100,000 from Gmail, 54,000 from Hotmail and 24,600 from AOL.
Sucuri chief technology officer Daniel Cid even confirmed there were passwords included in the data from government accounts.
The leak was originally made public by a hacking group called “D33D”, which posted a full document with all the usernames and passwords. It said the hack should serve as a “wake-up call” to the company.
“There have been many security holes exploited in webservers belonging to Yahoo Inc. that have caused far greater damage than our disclosure,” it said.
Sucuri has set up a website where people can determine if their email address has been hacked.
The hack comes during a relatively quiet year for hacking attempts, after 2011 saw a number of giant companies attacked, including Sony, Nintendo and cryptography token maker RSA.
However, last month LinkedIn suffered a huge blow when Sophos revealed a file containing over six million passwords had been posted to the internet. The company forced many users to change their passwords.