“It's way bigger than Yahoo,” said Rapid7 researcher Marcus Carey. “We can assume that tens of thousands of people on services outside of Yahoo could be compromised.”
Yahoo apologized for the breach in a written statement, responding to the latest piece of bad news for a company that has lost two chief executives in a year and is struggling to revive stalled revenue growth.
Chairman Alfred Amoroso acknowledged that Yahoo had experienced a “tumultuous” year at its annual shareholder meeting on Thursday morning. Interim CEO Ross Levinsohn told attendees he was optimistic about the company's progress.
Yahoo spokeswoman Dana Lengkeek did not respond to a request asking her to identify the companies whose credentials were stolen. Officials with Google, AOL and Microsoft could not immediately be reached for comment.
Yahoo did not disclose how many passwords were valid or say how many of the stolen logins were for Yahoo's sites.
Lengkeek said “an older file” had been stolen from Yahoo Contributor Network, an Internet publishing service that Yahoo purchased about two years ago. It helps writers, photographers and videographers to sell their work over the Web. “We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised,” she said.
The theft follows a breach reported last month by the business networking service LinkedIn