


Hackers say data was posted as a warning

It's Sony Corp. (TYO:6758) all over again!  

Hackers with "D33ds Company" have posted 453,000 passwords from Yahoo! Inc.'s (YHOO) Voices -- a part of its news service.  Bafflingly, Yahoo administrators apparently opted for no encryption of the passwords, storing them in plain-text.

Hackers scooped up the passwords using SQL injection, according to TrustedSec.
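The defect the article describes is the storage pattern, not the injection alone: once a table read is possible, a plaintext column hands over every password at once. As an added illustration (not code from Yahoo, D33ds or TrustedSec), the plaintext store is shown beside a salted, memory-hard scrypt store; the cost parameters and the `scrypt$N$r$p$salt$digest` record layout are assumptions chosen for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# scrypt cost parameters: assumed illustrative values, tune to your hardware.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SCRYPT_DKLEN = 32
SALT_LEN = 16
# Upper bound on scrypt working memory in bytes (128 * N * r is ~16 MiB here).
SCRYPT_MAXMEM = 64 * 1024 * 1024


def store_plaintext(password: str) -> str:
    """The weak pattern the article describes: the credential store holds the
    secret itself, so any query that reads the table yields every password."""
    return password


def store_hashed(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened form: per-user random salt plus memory-hard scrypt.
    A dumped table yields only salts and digests; each password must still be
    guessed individually, paying the scrypt cost per guess."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
        maxmem=SCRYPT_MAXMEM, dklen=SCRYPT_DKLEN,
    )
    # Self-describing record (a format constructed for this example) so the
    # parameters can be raised later without rehashing everyone at once.
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_hashed(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record and compare in
    constant time so timing does not leak how many bytes matched."""
    algo, n, r, p, salt_hex, digest_hex = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported record format")
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p),
        maxmem=SCRYPT_MAXMEM, dklen=len(digest_hex) // 2,
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def dump_reveals_password(stored_value: str, password: str) -> bool:
    """What someone reading the dumped column learns directly: True if the
    stored value is (or contains) the password itself."""
    return password in stored_value


if __name__ == "__main__":
    pw = "hunter2"  # constructed sample password
    print("plaintext store reveals password:",
          dump_reveals_password(store_plaintext(pw), pw))
    rec = store_hashed(pw)
    print("hashed store reveals password:", dump_reveals_password(rec, pw))
    print("verify correct:", verify_hashed(pw, rec),
          "verify wrong:", verify_hashed("hunter3", rec))
```

The random salt is the part people most often skip: without it, two users with the same password share a digest and one precomputed table serves the whole dump.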

The hackers write on their text dump:

We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat.  There have been many security holes exploited in Web servers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly.

They were at least kind enough not to publish details of how they penetrated Yahoo's servers.

Some of the 453,000 compromised accounts. [Image Source: TrustedSec]

Yahoo insists that it's not that big a deal, saying that only 5 percent of the user passwords would pass as valid passwords on its other sites, hence most users' day-to-day passwords were likely not compromised.

It does apologize, though, for the inconvenience, writing:

At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products.  We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised.

Multiple military and government email addresses were found among the users with leaked passwords.

Sources: d33ds co., TrustedSec, TechCrunch





was I on the list ...
By Soulkeeper on 7/12/2012 11:31:45 PM , Rating: 3
Too bad they removed the link, would be nice to check if i'm in it.




RE: was I on the list ...
By YashBudini on 7/13/2012 7:45:40 AM , Rating: 2
Just delete it, Yahoo is the most unsecured email going.


RE: was I on the list ...
By Camikazi on 7/13/2012 9:07:29 AM , Rating: 3
That is why I use a yahoo account for my spam email :)


RE: was I on the list ...
By Omega215D on 7/13/2012 9:12:02 AM , Rating: 2
pretty much. Their portal has become a bloated mess and quite lag prone, not to mention spammers have been able to send their garbage to me without having posted my yahoo mail address. Ever.


RE: was I on the list ...
By Cypherdude1 on 7/13/2012 7:10:28 PM , Rating: 3
quote:
pretty much. Their portal has become a bloated mess and quite lag prone, not to mention spammers have been able to send their garbage to me without having posted my yahoo mail address. Ever.
I also use Yahoo! eMail for spam. Occasionally, Yahoo! does have service problems. However, for the most part, they work OK. It could be because I am using their "Classic" interface.
quote:
Too bad they removed the link, would be nice to check if i'm in it.
D33DS did NOT remove their link or file. They are simply overloaded. I got their file below. You must have both a .GZ and .TAR archive extractor to extract the file. D33DS archived their "yahoo-disclosure.txt" file inside both a .TAR archive and then inside a .GZ file. I recommend the free 7-ZIP utility.
=================================
Due to the high traffic on our server,
the file has been moved (mirrored+compressed).

[Mirrors - Official]
http://74.208.161.170:81/yahoo-disclosure.tar.gz

If you would like to donate/help with our hosting https://d33ds.co/donations
=================================


RE: was I on the list ...
By heffeque on 7/14/2012 3:35:13 PM , Rating: 2
I'm posting here just to say... "MERCADONA"

LOL!

Best password ever. Mercadona will conquer the entire world!


RE: was I on the list ...
By CZroe on 7/15/2012 7:34:38 AM , Rating: 2
Read the article. It was Yahoo Voices. Not Yahoo Email.


RE: was I on the list ...
By theapparition on 7/13/2012 10:09:13 AM , Rating: 1
It would have been nice to check, I've already changed mine, but again, only use it for spam.

But I don't buy the hackers BS line about a wake up call to Yahoo. They could have grabbed the info and not posted it, but instead they want to potentially hurt other users. I have no problem with "security researchers" who can compromise a system and then let the company and public know. But by dumping proprietary info onto the internet, they're now aholes. Track them down and prosecute.


RE: was I on the list ...
By lolmuly on 7/13/2012 10:41:28 AM , Rating: 5
pfff, you think that any of these companies will listen to somebody sending them a polite little email informing them of their own incompetence? The only thing most big tech corporations respond to in the way of security is public embarrassment.

Bottom line is that Yahoo is the one who posted the passwords by storing them in plain text.


RE: was I on the list ...
By Jedi2155 on 7/13/2012 12:46:48 PM , Rating: 2
The link was still there when I checked it this morning at 2 AM. It was on a redirect with a tarball text file.

I checked to see if I was on it which I thankfully was not. In either case, I'm not sure if these emails are the primary yahoo account ones that you use everywhere, but only one very specific subset of their services.


RE: was I on the list ...
By manicfreak on 7/13/2012 2:48:32 PM , Rating: 2
I think you can use this site to check.
http://labs.sucuri.net/?yahooleak


RE: was I on the list ...
By Cypherdude1 on 7/13/2012 6:56:51 PM , Rating: 2
quote:
I think you can use this site to check. http://labs.sucuri.net/?yahooleak
Do not put your email there. They will IMHO probably put you on a spam list. Although, that's what I use my Yahoo account for.


Interesting analysis of the passwords
By Tony Swash on 7/13/2012 6:48:48 AM , Rating: 3
http://pastebin.com/2D6bHGTa

Apparently 780 people used 123456 as their password and 780 used 'password' as their password
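Added example, not code from the article, the linked pastebin analysis, or any commenter: the kind of frequency tally that analysis shows, run over a small constructed sample, plus the defender-side use of such a corpus that the article's 5 percent reuse figure points at. A site can screen new passwords against known-breached ones by looking up a short SHA-1 prefix in an index of suffixes, so neither the password nor its full hash has to leave the client. The sample list, the 5-character prefix split, and the 12-character minimum are assumptions for this example.

```python
import hashlib
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample of leaked passwords (illustrative, NOT the real dump).
SAMPLE_LEAK: List[str] = [
    "123456", "password", "123456789", "12345678", "123456", "password",
    "123456789", "qwerty", "123456", "welcome", "abc123", "password", "123456",
]


def frequency_report(passwords: List[str], top: int = 3) -> List[Tuple[str, int]]:
    """Most common entries in a dump, the tally the pastebin analysis shows."""
    return Counter(passwords).most_common(top)


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(passwords: List[str]) -> Dict[str, Set[str]]:
    """Index of SHA-1 digests keyed by their first 5 hex characters, the
    k-anonymity layout range-query breach services use: a client sends only
    the prefix and matches the suffix locally, so the server never sees
    which password (or even which full hash) was being checked."""
    index: Dict[str, Set[str]] = {}
    for pw in set(passwords):
        h = sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


def is_breached(password: str, index: Dict[str, Set[str]]) -> bool:
    """Client-side half of the range query: look up the prefix bucket and
    test for the suffix among the returned candidates."""
    h = sha1_hex(password)
    return h[5:] in index.get(h[:5], set())


def password_acceptable(password: str, index: Dict[str, Set[str]],
                        min_len: int = 12) -> Tuple[bool, str]:
    """Policy a site can apply at registration or password change, so that
    passwords already in a public dump are never accepted again."""
    if len(password) < min_len:
        return False, "too short"
    if is_breached(password, index):
        return False, "appears in a known breach corpus"
    return True, "ok"


if __name__ == "__main__":
    idx = build_breach_index(SAMPLE_LEAK)
    print("top entries:", frequency_report(SAMPLE_LEAK))
    for candidate in ["password", "welcome", "a-much-longer-passphrase"]:
        print(candidate, "->", password_acceptable(candidate, idx))
```

The index here is built in memory from the constructed list; in practice the same prefix/suffix split is what lets a site consult a remote breach corpus without the corpus operator learning its users' passwords.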




RE: Interesting analysis of the passwords
By YashBudini on 7/13/2012 7:50:13 AM , Rating: 2
But more people used 123456789 than 12345678.

Due diligence hard at work.


RE: Interesting analysis of the passwords
By leviathan05 on 7/13/2012 8:41:14 AM , Rating: 1
I don't use a very secure password on my spam email account. If hackers want to break in and see all of the spam mail I've racked up over the years, they're welcome to it. Anybody who uses yahoo as their primary email is just asking for trouble.


RE: Interesting analysis of the passwords
By mindless1 on 7/13/2012 1:52:22 PM , Rating: 2
What they will do is use your spam email account to SEND spam.


By CZroe on 7/15/2012 7:40:54 AM , Rating: 2
THIS, except that Yahoo Voices != Yahoo Mail.


RE: Interesting analysis of the passwords
By leviathan05 on 7/16/2012 10:11:02 AM , Rating: 2
Send spam to whom? I have no contacts.


RE: Interesting analysis of the passwords
By CZroe on 7/16/2012 10:30:54 AM , Rating: 2
You clearly have no idea how spamming works. They don't want your account to spam your contacts. They want your account to get around roadblocks so that they can spam the world with the "contacts" they already have. You may not care about your account's security but we could all be suffering for it.


By leviathan05 on 7/16/2012 4:34:02 PM , Rating: 2
Clearly you don't understand that it takes a lot more effort to try and steal my account info than it does to create a new email address at Yahoo.


Not really lost...
By lightfoot on 7/12/2012 4:54:19 PM , Rating: 2
quote:
Yahoo Loses 453,000 User Passwords to Hackers

Yahoo! didn't really lose these passwords. They still have them and can continue to use them. The hackers simply found them. Like pirated music, if the usernames and passwords were any good, the hackers surely would have paid for them.




RE: Not really lost...
By YashBudini on 7/13/2012 7:57:33 AM , Rating: 2
quote:
Like pirated music, if the usernames and passwords were any good, the hackers surely would have paid for them.

So if someone else hacked them and sold them for a profit then they'd be worth something? Really?


RE: Not really lost...
By lightfoot on 7/13/2012 11:48:49 AM , Rating: 3
It's a BS line when people claim that pirating music isn't stealing. Just as these hackers stole these usernames and passwords from Yahoo. It's just that Yahoo was stupid enough to leave them lying about almost completely unprotected.

The fact that Yahoo wasn't deprived of anything doesn't mean it wasn't a theft. My previous post was, apparently, a too-subtle joke.

However I wouldn't be surprised in the least if Yahoo regularly sold usernames and passwords to 3rd parties, and that would not have been considered a theft.


RE: Not really lost...
By YashBudini on 7/13/2012 1:57:21 PM , Rating: 2
quote:
The fact that Yahoo wasn't deprived of anything doesn't mean it wasn't a theft.

The fact that Yahoo doesn't place any value on their reputation doesn't mean none exists. And no matter how bad it was, it can always become worse.

I'm deleting my Yahoo account so it doesn't become a launching pad for more spam. The fewer subscribers they have the less they'll earn from advertising.


RE: Not really lost...
By DalisMoustache on 7/13/2012 3:06:54 PM , Rating: 3
As is common with people on the wrong side of the infringement debate your analogy is grossly distorted to the point of being deceitful. A password that has been taken and used or distributed by someone without permission permanently deprives the owner of something extraordinarily valuable: security. The original owner’s password has been rendered worthless to the original owner, and the original owner must create a new one to have anything of value.

Copyright infringement does none of this.


more link for the document
By pakigang on 7/15/2012 4:12:28 AM , Rating: 2
Still a lot
By CZroe on 7/15/2012 7:39:37 AM , Rating: 2
"Yahoo insists that it's not that big a deal, saying that only 5 percent of the user passwords would pass as valid passwords on its other sites, hence most users day-to-day passswords were likely not compromised."

That's still a lot and even the ones that aren't used on other Yahoo sites will certainly help bolster the effectiveness of dictionary attacks in the future.

Also: Possessives usually have apostrophes and you clearly didn't run this through a spell checker. "Passswords?" Come on!

















