Yahoo! fixes! password! leak! vulnerability!

Yahoo! has fixed the flaw that allowed hackers to scrape the unencrypted passwords of over 450,000 of its customers' accounts. "We have taken swift action and have now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of …

COMMENTS

This topic is closed for new posts.

Turning on the SMS option makes the password on Yahoo a limited issue {unless you use the same password on all sites}.

As soon as I logged into a new PC that was not at someone else's house, it forces me to send an SMS to my phone so I can log in. Works very well; if I log back in later on it does not ask for the SMS check.

G2
FAIL

Unfortunately, Yahoo SMS auth is still in beta testing and it can easily be bypassed even if turned on.

Just log on via yahoo messenger (desktop app), click on the mail icon in ymess and you have Instant mail access without any nagging sms prompts.

WTF?

Giving my mobile number to Yahoo

No, that's not going to happen. Not before this security SNAFU and certainly not after.

Anonymous Coward

I shouldn't be required to own a cell phone because some twit

at an email company can't figure out how to secure HIS databases.

FAIL

User

User, meet open barn door.

Hey Yahoo!, great that you fixed this one. Now post your audit of all your user-credential databases and their level of security. How many were good and how many remain to be fixed?


"We have fixed the problem" says Yahoo Spokesperson.

Meanwhile somewhere in the Yahoo database...

UPDATE user SET password = TO_BASE64(password);

Joke

Re: "We have fixed the problem" says Yahoo Spokesperson.

Actually, I think it reads:

UPDATE user SET password = TO_ROT13(password);

Paris Hilton

Re: "We have fixed the problem" says Yahoo Spokesperson.

For added security, we use FOUR ROUNDS of ROT13. Crack that one!

Paris, crack.

Anonymous Coward

Little Bobby Tables at it again

I guess Yahoo already laid off the intelligent database developers.

Devil

Re: Little Bobby Tables at it again

> I guess Yahoo already laid off the intelligent database developers ..

No, they sent them to work for RBS, in charge of online security ...


Re: Little Bobby Tables at it again

If the breached databases were from the acquisition, and none of the native Yahoo databases were breached, it sounds more like Yahoo failed to perform a code audit when they made the acquisition and the at fault for database mistake twits worked at the acquisition company. Still a major fault for Yahoo, but if those db admins got outsourced, they deserved worse.

Anonymous Coward

Re: Little Bobby Tables at it again

That's closer to the truth. The main user database hashes the passwords using FreeBSD MD5. The fact these passwords were not hashed or encrypted points to it being from a separate database. Still very poor form to ever store such information in the clear though.


"we will continue to take significant measures to protect our users and their data"

Does that mean that they will finally start salting their hashes?