Yahoo! fixes! password! leak! vulnerability!
Yahoo! has fixed the flaw that allowed hackers to scrape the unencrypted passwords of over 450,000 of its customers' accounts. "We have taken swift action and have now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of …
Turning on the SMS option makes the password on Yahoo a limited issue (unless you use the same password on all sites).
As soon as I logged into a new PC that was not at someone else's house, it forced me to send an SMS to my phone so I could log in. Works very well; if I log back in later on it does not ask for the SMS check.
Unfortunately, Yahoo SMS auth is still in beta testing and it can easily be bypassed even if turned on.
Just log on via Yahoo Messenger (desktop app), click on the mail icon in YMess and you have instant mail access without any nagging SMS prompts.
Giving my mobile number to Yahoo
No, that's not going to happen. Not before this security SNAFU and certainly not after.
I shouldn't be required to own a cell phone because some twit at an email company can't figure out how to secure HIS databases.
User
User, meet open barn door.
Hey Yahoo!, great that you fixed this one. Now post your audit of all your user-credential databases and their level of security. How many were good and how many remain to be fixed?
"We have fixed the problem" says Yahoo Spokesperson.
Meanwhile somewhere in the Yahoo database...
UPDATE user SET password = TO_BASE64(password);
Re: "We have fixed the problem" says Yahoo Spokesperson.
Actually, I think it reads:
UPDATE user SET password = TO_ROT13(password);
Re: "We have fixed the problem" says Yahoo Spokesperson.
For added security, we use FOUR ROUNDS of ROT13. Crack that one!
Paris, crack.
Little Bobby Tables at it again
I guess Yahoo already laid off the intelligent database developers.
Re: Little Bobby Tables at it again
> I guess Yahoo already laid off the intelligent database developers ..
No, they sent them to work for RBS, in charge of online security ...
Re: Little Bobby Tables at it again
If the breached databases were from the acquisition, and none of the native Yahoo databases were breached, it sounds more like Yahoo failed to perform a code audit when they made the acquisition, and the twits at fault for the database mistake worked at the acquisition company. Still a major fault for Yahoo, but if those DB admins got outsourced, they deserved worse.
Re: Little Bobby Tables at it again
That's closer to the truth. The main user database hashes the passwords using FreeBSD MD5. The fact these passwords were not hashed or encrypted points to it being from a separate database. Still very poor form to ever store such information in the clear though.
"we will continue to take significant measures to protect our users and their data"
Does that mean that they will finally start salting their hashes ?
