Yahoo Says 3 Servers Hacked Via Shellshock, No Data Taken

Yahoo! Inc. said three of its computer servers were breached by hackers who exploited the Shellshock security hole. No user data was stolen.

“As soon as we became aware of the issue, we began patching our systems and have been closely monitoring our network,” Elisa Shyu, a spokeswoman for the Sunnyvale, California-based company, said in an e-mail. “We isolated a handful of our impacted servers and at this time we have no evidence of a compromise to user data.”

Yahoo is one of the first major companies to report a Shellshock-related attack since the security hole was publicly disclosed on Sept. 24. The program flaw lets hackers insert extra code into computers running a form of software known as Bash, which could then allow criminals to control the servers remotely.

Security researchers who set up computers to look for hacking attacks after the disclosure said they were expecting criminals to try to exploit the vulnerability to infiltrate companies. Security researcher Jonathan Hall detected the attack on Yahoo by scanning servers accessible over the Internet. He said he then alerted the company to the breach and publicized his findings on his blog.

Yahoo identified three servers that were attacked, and said the hackers weren’t able to remotely control them.