
Yahoo! hack! leaks! 453,000! unencrypted passwords!

A Yahoo! service has apparently succumbed to a simple database attack that leaked 453,000 unencrypted account passwords online. A huge document containing the lifted SQL structures, software variables, usernames and cleartext passwords was linked to from a web forum. In the file, the hackers described the break-in as "a wake-up …

COMMENTS


Wait, what?

They stored unencrypted passwords? Really?

I'm a feckin' moron and even I don't store unencrypted passwords!

BigYin standard fine should apply (£1,000 per breach) and in this case that's a x5 multiplier due to the seriousness. So Yahoo! should pay £2.265 billion to the relevant authorities. Recovery should begin by asset-stripping the directors.

OK, the above is OTT but the general point applies; only by making the directors directly liable will anything change. Applies to banks etc too.


Re: Wait, what?

Yes, I suspect labelling this as criminal negligence is the only way corporations are really going to change their ways of thinking from "meh, we don't care about security as long as it isn't too obviously atrocious and we can roll out the 'never been hacked, one time occurrence, no evidence of serious loss, learn from these mistakes' PR blah when things go wrong" to "I'd better make sure my loyal henchmen really secure this environment because I don't want to go to jail or face a massive fine".

Another sentence here to show I can write shorter ones ;)


Re: Wait, what?

"They stored unencrypted passwords? Really? I'm a feckin' moron and even I don't store unencrypted passwords!"

Nicely put.

There's a time and a place for language like "feckin' moron" and this was it.


Re: Wait, what?

I don't consider your reaction Over-The-Top at all. If I'd have done the same back in the military, at the very least I'd be spending time in federal prison being guarded by a bunch of pissed-off Marines. Oh and getting buggered regularly. Frankly, it'd be nice to see the same in the civilian world but I won't hold my breath.

BkS

How many times people?

ENCRYPT, and SALT your HASHES.


Re: How many times people?

A hash is not an encryption. You should not encrypt your passwords, but generate a salted hash from them.

Anonymous Coward

Re: How many times people?

My boss often tells me not to bother because it's a waste of my time. I tell him that it's literally just a few extra lines of code but he still doesn't want to "waste the time". Needless to say I just say 'ok' and then hash them anyway!


Re: "My boss often tells me not to bother because it's a waste of my time."

Umm, it's only a few lines of code, just do it. When they come asking why they can't access accounts, you'll know the real reason.


Re: "My boss often tells me not to bother because it's a waste of my time."

Really short attention span on a Thursday - sorry :-)


Re: How many times people?

I could go for some salted hash about now. Who's with me?


Face palm...

...who on EARTH are these companies employing to manage data security?

I think my Grandma could have done a better job.

...and she's been dead for a decade.

Anonymous Coward

...and she's been dead for a decade.

I thought Yahoo! had been, as well.


Yahoo ID is unique across all their services

This can't affect only Yahoo Voices because you don't need a dedicated ID/password to get into it, it uses your general Yahoo ID. So does this mean that once you do something like log into your Yahoo Mail using your Yahoo ID then go to Yahoo Voices you end up with your password replicated to an unencrypted database?

This possibly means that none of their passwords for any of their services are stored encrypted.

Will we get any clear answers? Will we feck.

Anonymous Coward

Re: Yahoo ID is unique across all their services

My thoughts too.

The 0.4m leaked passwords are possibly only the tip of a huge iceberg.


Can't wait for Yahoo! The Movie.


<cinema trailer bloke's voice>

In a world where exclamation marks are plentiful... A chosen hero goes on an epic adventure of a life time... and dares to ask the question - how is babby formed?


"Iceberg! Right ahead!"


How many times are Yahoo! going to mess things up. This certainly won't do their already rock bottoming reputation any good.


Welcome Ninja Jesus was my password for a long time.


That's the password on my luggage!


WTF?

Wait... the passwords were being stored *unencrypted* and *unsalted*, in PLAIN TEXT?

Seriously? Anyone who does this should be taken outside and shot. Repeatedly. Then a few more times to make sure.


Re: WTF?

Don't forget to use a few silver bullets in the process, as well as a wooden stake through the heart, holy wafers in the mouth and immersion in holy water.

Just to be safe. Sunlight doesn't seem to be as effective as once it was. Damn glittery vampires.


Re: WTF?

I want him hung with a knife after that!


Re: WTF?

"Hanging's too good for him. Burning's too good for him! He should be torn into little bitsy pieces and buried alive!"

-Hanover Fiste


You don't know where it's been

Prepared statements are easier to code, easier to understand, probably faster, and above all safer. But the world is still full of so-called developers who concatenate their SQL with whatever crap they just got from a web form. And they do it when authenticating passwords, FFS.

These are presumably people who'd pick a sandwich out of a urinal and have it for lunch. The surprising thing is that with this level of stupidity they can put together a piece of code that compiles and runs.

Anonymous Coward

Re: You don't know where it's been

I don't class myself as any kind of enterprise developer but I found it really hard to believe that anyone anywhere uses concatenation or similar endeavours to form a query string. In ASP/VBScript as a beginner I used sprocs, when I moved on to Java I used prepared statements or, more often, prepared calls and with C# etc it's the same but with ORM libraries in the way.


Re: You don't know where it's been

I found it really hard to believe that anyone anywhere uses concatenation or similar endeavours to form a query string

Not only do many people do it, but numerous references recommend it and provide examples. If I were home I'd pull some books off the shelf and provide some choice examples. Hell, here's one, courtesy of Amazon and Search Inside: the O'Reilly Web Database Applications with PHP & MySQL, 2nd ed, by Williams and Lane. Right on page 22, they helpfully show you how to expand PHP variables in a SELECT statement, and say "this feature is used in later chapters to construct SQL statements that are easier to read". Yes, that's so much easier to read than invoking a stored proc that performs an application-specific query using bound variables.

And O'Reilly (still) has a good reputation in technical publishing. Someone new to this area could be forgiven for picking up an O'Reilly book and expecting to get good information.

There's little reason for a language like PHP to have database bindings that provide anything other than stored-procedure execution. But it does (or more precisely the bindings provide a general query interface), and a great many LAMP-based applications embed SQL queries right in the application code. Lots of popular open-source LAMP applications are written that way - in fact, pretty much all of the ones I recall examining.

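The two comments above (prepared statements versus concatenating web-form input into SQL, and the PHP/MySQL books that teach the latter) are illustrated by the following added example; it is not code from the article or from Yahoo!, and it uses Python's built-in sqlite3 module with a constructed two-row users table in place of a real PHP/MySQL stack, since the injection mechanics are the same. The vulnerable login and the vulnerable lookup are deliberately written the concatenating way; the safe variant binds the same values as parameters.

```python
import sqlite3

# Constructed sample accounts for the demo; not real data.
USERS = [("alice", "s3cret-pw"), ("bob", "hunter2")]


def setup_db() -> sqlite3.Connection:
    """In-memory table that, like the leaked one, holds cleartext passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Builds the query by string concatenation: form input becomes SQL syntax."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """Same query with bound parameters; the driver never parses input as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def dump_vulnerable(conn, username: str) -> list:
    """A profile lookup with the same flaw; a UNION payload returns the whole table."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [r[0] for r in conn.execute(sql).fetchall()]


if __name__ == "__main__":
    db = setup_db()
    # Comment out the password check entirely: username = 'alice' --' AND ...
    print(login_vulnerable(db, "alice' --", "whatever"))   # alice
    print(login_safe(db, "alice' --", "whatever"))         # None
    # Make the WHERE clause true for every row: ... OR '1'='1'
    print(login_vulnerable(db, "nobody", "' OR '1'='1"))   # alice
    # Walk usernames and cleartext passwords out through a UNION.
    print(dump_vulnerable(db, "x' UNION SELECT username || ':' || password FROM users --"))
```

The bypass payloads work against the concatenating functions because the single quote closes the string literal and the rest of the input is parsed as SQL; `login_safe` returns nothing for the same inputs because the bound value is compared as a whole string. The UNION case is the one that matters for this story: once the query is attacker-controlled, a cleartext `password` column is one SELECT away.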

I'm an OAP geezer, but...

... even I've heard of Colin Percival and scrypt

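For the "hash, don't encrypt, and salt it" point made earlier in the thread and the scrypt mention just above, here is an added example of what a password record should look like instead of a cleartext column; it is not code from the article or from Yahoo!, and it assumes Python's `hashlib.scrypt` (available where Python is built against OpenSSL 1.1 or later). The work-factor constants are assumptions chosen for an interactive login, not values from the page.

```python
import base64
import hashlib
import hmac
import os

# Assumed scrypt work factor: N=2**14, r=8, p=1 costs about 16 MiB per hash,
# which is slow enough to hurt offline guessing but fine for a login form.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, KEY_BYTES = 16, 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str) -> str:
    """Return a self-describing record of the form $scrypt$N$r$p$salt$key.

    The salt is fresh per user, so two users with the same password get
    different records and a precomputed table is useless. The cleartext
    never appears in what is stored, so a dump like this one yields only
    salted hashes that must be attacked one guess at a time.
    """
    salt = os.urandom(SALT_BYTES)
    key = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES,
    )
    return "$scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, _b64(salt), _b64(key))


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        _, scheme, n, r, p, salt_b64, key_b64 = record.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
    except ValueError:
        # Malformed or foreign record: treat as a failed login, never as a crash.
        return False
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=int(n), r=int(r), p=int(p), dklen=len(expected),
    )
    # compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse")
    print(record)                                   # no cleartext in here
    print(verify_password("correct horse", record))  # True
    print(verify_password("Correct horse", record))  # False
```

Storing the parameters alongside the salt and key is what lets the work factor be raised later: a record hashed with an old N still verifies, and can be rehashed on the next successful login. "Encrypting" the column instead would leave a key on the same box that the SQL injection just compromised.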

Re: I'm an OAP geezer, but...

Well Yahoo haven't heard of little Bobby Tables.


Why haven't Yahoo told their users?

I logged into my Yahoo mail twice today, nothing. Nothing on the home page either. Thanks Reg, at least /someone/ is on the ball.


You would think when Yahoo bought Associated Content this would have been one of the things they checked BEFORE buying them.


Ridiculous

Hey Yahoo! Did you learn NOTHING from Sony's recent walk of shame? Here, let me spell it out:

DO NOT STORE PASSWORDS IN PLAIN TEXT!!!!!

Did you get that? If you didn't, please report to your nearest cluebat wielding geek to have it beaten into your worthless skulls for further lessons.


Re: Ridiculous

I suspect it's because this is a separate system acquired when they bought the company, and the only way to connect between them is to have Yahoo's server log in to this server with your username/passwd.

Not an excuse but possibly an explanation

Anonymous Coward

ATT/yahoo

I used to work doing tech support for ATT DSL. I would constantly see people with hacked email accounts. It did not matter the OS or how you accessed email. When you average 20 calls a day and 5 of them are about hacked emails something is up. I suspect that the number of times Yahoo has been hacked is way more than this.


The thing I just cannot get my head round,

operating for as long as they have online - wouldn't you expect a company like Yahoo to be storing its passwords encrypted? I might not use the VoIP service - but I do use other parts of the Yahoo infrastructure - and if you take that a step further and look at other companies that use the Yahoo infrastructure - eg BTYahoo which AIUI Yahoo hosts on behalf of BT?

This would be like discovering Facebook stores all its passwords unencrypted too!


My BT crap is tied to Yahoo! crap

I hope they weren't BT passwords.

BTW did I mention that BT are crap?


Isn't someone supposed to post this

...whenever there's a story about SQL injection?

http://xkcd.com/327/

Anonymous Coward

ah ha!

as someone else pointed out, this is a possible explanation for some of the successful hacks on Yahoo email accounts with a curious lack of vector.


123456

what a great password... I'm reminded of Spaceballs.


My password is password

Funnily enough I knew someone whose password was "password", and every service he used back then had this "password". He thought he was really smart... I think lots of people do... "Enter password:".... hhaaa ok... "password" - bang, you're in!

Sort of on a par with the dwarves at Moria: "Speak friend and enter"...


Re: "Speak friend and enter"

Not on par at all. It is specified in the film and in the books that it was a mechanism devised in a "simpler time", probably a time of peace and trust.

And besides, it'd take forever to thread an invading army through that itty bitty door - not counting the path to get to it. Finally, it was written in Elvish, and not many folk of that land knew how to read that. Not to mention the possible confusion between "speak, friend" and the other possibility which could be understood as "speak the password, friend", meaning that, if you were a friend, you'd know the password.

So, all in all, pretty secure, even for a fairytale.


Re: My password is password

Hehe, I use "password" on those stupid websites that insist you log in even though you will only ever use it once.

For real security though, I use "letmein" or "iforgot" because nobody would ever guess those.


Re: "Speak friend and enter"

A time of peace, trust and before the invention of passive IR motion detectors. (The design spec. said it was an automatic door)

Anonymous Coward

Ex-Y

As an Ex-Y, I'm amazed this has happened. AFAIK, all user accounts start their life in a central API service. The actual properties don't get access to the service, just to a lookup API (which isn't SQL, and has been hardened over many years). As a user of the service, you actually don't get the user's password at all - in fact, none of their security information. All of that is handled by login.yahoo.com, and as a general rule stays put. The user folks also spend a lot of time culling the spammers who spend a lot of time opening Y accounts.

How this service managed to get passwords and store them in a DB is a mystery to me. However, I strongly suspect the only passwords stolen are the ones on the affected service. Of course, if it's Yahoo Voices, Yahoo Voice or something else isn't fully clear yet. I'll be willing to bet at least half the accounts are spam, because they won't have been subject to the same culls as the main user service gets.

This ought to now be a "no one goes home until it's fixed" security event. I never heard of one in 3 years working there, although folklore said they had happened in the past. The local pizza companies better get cooking, because they're gonna get a call any minute...


Email down?

Seems I can't log in to my web email just now - merely a coincidence?

Still no big deal as I just use it for spam and facebook, which is the same thing really.


Share doubt

Their share price hasn't collapsed yet.

I wonder if it will.

And who would be pleased if it did.


lmfao

Yahoo walked away from $33 dollars a share. Still laughing about that one.

Anonymous Coward

some speculation

Some experts have speculated that this is an old file belonging to the company that Yahoo bought. Others have tried some of the usernames/passwords and found them not to work, lending credence to the "old passwords from a dead service" idea. It should also be noted that 400K must be a small percentage of their total users.
