The company offers more details on the incident that affected 450,000 users

Jul 14, 2012 09:01 GMT

After admitting that its Contributor Network was hacked, Yahoo! has come forward with another statement to reveal the security measures that have been implemented to ensure that such incidents will be avoided in the future.

“We have taken swift action and have now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of notifying affected users. In addition, we will continue to take significant measures to protect our users and their data,” the firm wrote on its ycorpblog.

According to Yahoo!, the 450,000 email addresses and passwords were provided by writers who joined the Contributor Network – which at the time was called Associated Content – back in May 2010. Apparently, the information was stored in a “standalone” file, and the credentials were not used to access the company’s services.

In the meantime, some experts believe that the situation may be much worse.

In an email to Softpedia, security researcher Janne Ahlberg revealed some noteworthy findings regarding the incident.

First of all, the hackers may have had access to Yahoo’s systems since at least June 24, 2012.

Furthermore, it’s likely that the database the hackers breached contains other tables besides the one published online. While the D33Ds Company leaked only the table that contained the passwords, it is possible that they stole other information as well.

“Data seems to contain PayPal details (not password though), information about payments, personal details (address, DOB, phone number, email) etc. There could be quite severe risks to the affected users who might use the same credentials in other services,” Ahlberg said.

“I was surprised to see that Yahoo did not cover other possible risks in their statement. Why would the hackers breach only one database when they obviously had access to all?”

If the expert’s logical assumptions are correct, the incident might be a bit more critical than the company claims.