Yahoo Confirms E-Mail User Names, Passwords Exposed
Hack reveals lack of basic security standards.
Yahoo has confirmed that 450,000 passwords and user names used for personal e-mail accounts were exposed to hackers.
Yahoo's Contributor Network site was the target of D33DS Co.; the group published a list of the names and e-mail passwords. The data was acquired using a SQL injection attack, in which an attacker sends commands to a backend database by concatenating them to query strings.
In a public statement, a company spokesperson acknowledged that "an older file from Yahoo! Contributor Network, previously Associated Content, containing approximately 450,000 Yahoo! and other company usernames and passwords was compromised yesterday, July 11."
The Yahoo Contributor Network is a content publishing site where contributors are paid based on the number of hits to their Web sites. In 2010, Yahoo acquired the service from Associated Content. Security researchers such as TrustedSec had identified Yahoo Voices as the site compromised by the hackers; Voices is among the landing sites for the Yahoo Contributor Network.
TrustedSec recommended that Yahoo e-mail users change their passwords immediately. However, the Yahoo site breach did more than expose the passwords and user names of Yahoo e-mail users. Other e-mail user domains were exposed as well, including some from Microsoft's Hotmail.com, AOL.com, and Google's Gmail.com.
A diagram showing the extent of the e-mail domains possibly exposed can be found here; in it, Jim Walter, manager of McAfee's threat intelligence service, compared the Yahoo breach to the SQL injection attacks that were carried out against social networking sites eHarmony and LinkedIn.
Yahoo stored the now-exposed e-mail passwords and user names in clear text alongside their encrypted form, rendering the encryption useless, according to a blog post by software security firm Imperva. It's possible this security vulnerability was an issue left over from Yahoo's Associated Content acquisition.
Many of the passwords were examples of the wrong types of passwords to use, such as "123456" and "password," according to Anders Nilsson, CTO at Eurosecure, in a blog post.
Although users may have selected passwords that are easy to guess, Yahoo's site lacked basic security safeguards. For example, the lack of encryption for passwords reflects an insufficient investment in security protocols, according to Philip Lieberman, a cybersecurity expert and president/CEO of Lieberman Software.
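As an added illustration (not code from the article, from Yahoo, or from Associated Content), the two weaknesses discussed above side by side: a login query built by concatenating user input into the SQL text next to a parameterised query, and salted, iterated password hashing in place of clear-text storage. The in-memory SQLite table and the user "alice" are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory table standing in for a contributor-site user database.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated PBKDF2-HMAC-SHA256: what should be stored instead of clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, hash_password(password, salt)))


def login_unsafe(username: str, password: str) -> bool:
    # The pattern the article describes: input concatenated into the query string,
    # so any quote character in the input becomes part of the SQL syntax itself.
    query = "SELECT salt, pw_hash FROM users WHERE username = '" + username + "'"
    row = conn.execute(query).fetchone()
    return row is not None and hmac.compare_digest(row[1], hash_password(password, row[0]))


def login_safe(username: str, password: str) -> bool:
    # Parameterised query: the driver sends the value separately from the SQL text,
    # so the input can never change the structure of the query.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[1], hash_password(password, row[0]))


def unsafe_query_breaks(username: str) -> bool:
    # True when the concatenated query no longer parses because the input altered its syntax.
    try:
        login_unsafe(username, "irrelevant")
        return False
    except sqlite3.Error:
        return True


def stored_in_clear(username: str, password: str) -> bool:
    # Checks whether the clear-text password appears anywhere in the stored row.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    return password.encode() in (row[0] + row[1])


if __name__ == "__main__":
    register("alice", "correct horse")
    print("safe login:", login_safe("alice", "correct horse"))
    print("quote in name breaks concatenated query:", unsafe_query_breaks("o'brien"))
```

A user name such as o'brien, which is perfectly legitimate, is enough to show why the concatenated form cannot be trusted: the parameterised lookup simply returns no row, while the concatenated one fails to parse because the input has become part of the query.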
"This is a gigantic warning to consumers about trusting their personal information to large companies that don't prioritize security and privacy as business goals of their company," Lieberman wrote in an e-mailed statement. "The nature of this hack points to Yahoo taking the cheap way out for databases via mySQL (free database) and then not even bothering to encrypt or hash passwords. Just as in the Sony hacking scenario, we have another large corporation taking the cheap way out on security and abysmally failing to secure their own systems."
In April of last year, users of Sony PlayStation Network and Qriocity services had their account information exposed by hackers. Microsoft MVP Troy Hunt found a similar pattern of bad passwords created by users in analyzing the Sony hack. That breach also exposed passwords with no cryptographic storage.
Hunt warned against reusing your password on different sites. In comparing the breached Sony data with the Yahoo data, he noted that while it's been more than a year since the Sony breach, "59% of people were still using the exact same password on Yahoo! Voices."