News

Yahoo Confirms Hacker Exposure of 450,000 E-Mail Passwords

• By Kurt Mackie
• 07/12/2012

Yahoo today confirmed the exposure of 450,000 passwords and user names used for personal e-mail accounts.

Yahoo's Contributor Network site was targeted by a group called D33DS Co., which published a list of the names and e-mail passwords. The data reportedly were pried out via a SQL injection attack, in which an attacker sends commands to a backend database by concatenating them to query strings.

In a statement provided to media, a Yahoo spokesperson said that "we confirm that an older file from Yahoo! Contributor Network, previously Associated Content, containing approximately 450,000 Yahoo! and other company usernames and passwords was compromised yesterday, July 11."

The Yahoo Contributor Network is a content publishing site, with contributors getting payment based on their Web hits. Yahoo bought the property from Associated Content in 2010. Security researchers such as TrustedSec early on identified the compromised site as Yahoo Voices, which is one of the landing sites for the Yahoo Contributor Network.

TrustedSec recommended that Yahoo e-mail users change their passwords immediately. However, the Yahoo site breach didn't just expose the passwords and user names of Yahoo e-mail users. Other e-mail user domains were exposed too, such as those from Microsoft's Hotmail.com, AOL.com and Google's Gmail.com.

A schematic showing the extent of the e-mail domains potentially exposed can be found at this McAfee blog post. Commenting in the post, Jim Walter, manager of McAfee's threat intelligence service, compared this latest Yahoo breach to the SQL injection attacks that were carried on against social networking sites eHarmony and LinkedIn.

Yahoo had left the e-mail passwords and users names exposed in clear text, as well as encrypted text, rendering the protection useless, according to a blog post by software security firm Imperva. Possibly, this security vulnerability was an issue left over from Yahoo's Associated Content acquisition.

Many of the passwords were examples of the wrong types of passwords to use, such as "123456" and "password," according to Anders Nilsson, CTO at Eurosecure, in a blog post.

While users may have submitted easy-to-guess passwords, Yahoo's site just lacked some basic security safeguards. For instance, the lack of encryption for passwords reflects an insufficient investment in security protocols, according to Philip Lieberman, a cybersecurity expert and president/CEO of Lieberman Software.

"This is a gigantic warning to consumers about trusting their personal information to large companies that don't prioritize security and privacy as business goals of their company," Lieberman wrote in an e-mailed statement. "The nature of this hack points to Yahoo taking the cheap way out for databases via mySQL (free database) and then not even bothering to encrypt or hash passwords. Just as in the Sony hacking scenario, we have another large corporation taking the cheap way out on security and abysmally failing to secure their own systems."

In April of last year, users of Sony PlayStation Network and Qriocity services had their account information exposed by hackers. Microsoft MVP Troy Hunt found a similar pattern of bad passwords created by users in analyzing the Sony hack. That breach also exposed passwords with no cryptographic storage.

Hunt warned against reusing your password on different sites. In comparing the breached Sony data with the Yahoo data, he noted that while it's been more than a year since the Sony breach, "59% of people were still using the exact same password on Yahoo! Voices."