Security & Privacy

Yahoo's password leak: What you need to know (FAQ)

Yahoo has just become the latest big online service to suffer a major password breach. While the number of affected users is far smaller than in the last big exposure -- that would be the password hack at LinkedIn last month, which exposed 6.5 million user passwords -- the attack is a big black eye for Yahoo and a potential hazard to the 450,000 or so people whose log-in information is now flapping in the breeze.

So here's CNET's quick guide to the Yahoo password fumble and what you need to do.

What, exactly, went wrong? … Read more

Yahoo password breach shows we're all really lazy

I'm going to say it. Lame! That's what this Yahoo password leak is. Really, Yahoo? Shame!

A group of hackers say they used a common attack, known as SQL injection, to grab 450,000 passwords from a Yahoo database, and they released them to the Web last night. The passwords were stored in plain text and not obscured using a hashing technique, which is standard practice for companies that handle sensitive user data.

I've asked Yahoo to comment on why the company didn't hash the passwords, but so far it's only released a statement confirming … Read more

Android forum site hacked; data swiped on 1 million users

Phandroid is urging members of its Android forums to change their passwords immediately after discovering that the server hosting the forum site was hacked this week, ZDNet reported today.

The data includes the user names, e-mail addresses, hashed passwords, and registration IP addresses of the forums' more than 1 million users. To change your password, go to UserCP, or use the "forgot your password?" page. As always, if you use the same e-mail address and password combination on other accounts, change those too.

A community manager for the site posted the news earlier this week, informing members that … Read more

Top domains and passwords compromised by Yahoo breach

The breach of one of Yahoo's sites reignited concerns over the vulnerability of the favorite Web sites that we visit.

But in reality, roughly 450,000 login credentials were compromised -- a small number relative to the total users on the Internet. Yahoo said less than 5 percent of the accounts had valid passwords.

The following is a list of the top 20 e-mail domains and frequently used passwords that were hit, as compiled by CNET's Declan McCullagh:

Domains 1. Yahoo.com (137,559) 2. Gmail.com (106,873) 3. Hotmail.com (55,148) 4. Aol.com (25,… Read more

Passwords, security, and inertia: A toxic brew

Another day, another batch of passwords swiped, or reused for attacks, or leaked out to the public.

Today, it's Yahoo passwords that have been swiped. Best Buy passwords are being reused for attacks. A month ago, LinkedIn had password issues. We've probably missed a few password security fiascos in between those security stops.

In 2009, a Google security wonk noted that passwords are useless, outdated, and a security risk. Fast-forward three years and you can slap an exclamation point on that statement.

Yet. Nothing. Ever. Happens.

The password system just won't die. I went to a meeting … Read more

Yahoo breach: Swiped passwords by the numbers

If there's one thing to learn from the recent security breach at Yahoo, it's that we need to be more creative with our passwords.

Hackers yesterday exposed more than 450,000 login credentials, which appeared to be gleaned from Yahoo. The hackers said they hoped this would be taken as a wake-up call to the parties responsible for the security of the hacked site, but individuals should also see this as a warning to strengthen their own personal passwords.

CNET's Declan McCullagh wrote a program to analyze the most frequently used passwords and e-mail domains that surfaced … Read more

Hackers post 450K credentials pilfered from Yahoo

Yahoo has been the victim of a security breach that yielded hundreds of thousands of login credentials stored in plain text.

The hacked data, posted to the hacker site D33D Company, contained more than 453,000 login credentials and appears to have originated from the Web pioneer's network. The hackers, who said they used a union-based SQL injection technique to penetrate the Yahoo subdomain, intended the data dump to be a "wake-up call."

"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as … Read more

Malware went undiscovered for weeks on Google Play

Security researchers have discovered malware hosted on the Google Play marketplace that went weeks undetected masquerading as games.

Android.Dropdialer, a Trojan that sends costly text messages to premium-rate phone numbers in Eastern Europe, had gone undiscovered for two weeks in the form of two game titles, Symantec researcher Irfan Asrar wrote in a blog post yesterday. The two games -- "Super Mario Bros." and "GTA 3 - Moscow city" -- were uploaded to Google Play on June 24 and generated 50,000 to 100,000 downloads, Asrar said.

"What is most interesting about this … Read more

Formspring disables user passwords in security breach

Formspring has suffered a security intrusion in which some of its user passwords may have been breached, the question-and-answer site warned today.

Formspring, which said it only learned of the network intrusion this morning, responded by disabling all users' passwords.

"We apologize for the inconvenience but prefer to play it safe and have asked all members to reset their passwords," Formspring founder and CEO Ade Olonoh said in a company blog post. "Users will be prompted to change their passwords when they log back into Formspring. "

A Formspring spokesperson told CNET that the company was tipped … Read more