Yahoo! hack! leaks! 453,000! unencrypted passwords!

A Yahoo! service has apparently succumbed to a simple database attack that leaked 453,000 unencrypted account passwords online. A huge document containing the lifted SQL structures, software variables, usernames and cleartext passwords was linked to from a web forum. In the file, the hackers described the break-in as "a wake- …

COMMENTS

This topic is closed for new posts.
  1. This post has been deleted by its author

  2. The BigYin
    Flame

    Wait, what?

    They stored unencrypted passwords? Really?

    I'm a feckin' moron and even I don't store unencrypted passwords!

    BigYin standard fine should apply (£1,000 per breach) and in this case that's a x5 multiplier due to the seriousness. So Yahoo! should pay £2.265 billion to the relevant authorities. Recovery should begin by asset-stripping the directors.

    OK, the above is OTT but the general point applies; only by making the directors directly liable will anything change. Applies to banks etc too.

    1. Anonymous Dutch Coward
      Mushroom

      Re: Wait, what?

      Yes, I suspect labelling this as criminal negligence is the only way corporations are really going to change their ways of thinking from "meh, we don't care about security as long as it isn't too obviously atrocious and we can roll out the 'never been hacked, one time occurrence, no evidence of serious loss, learn from these mistakes' PR blah when things go wrong" to "I'd better make sure my loyal henchmen really secure this environment because I don't want to go to jail or face a massive fine".

      Another sentence here to show I can write shorter ones ;)

    2. Ken Hagan Gold badge
      Thumb Up

      Re: Wait, what?

      "They stored unencrypted passwords? Really? I'm a feckin' moron and even I don't store unencrypted passwords!"

      Nicely put.

      There's a time and a place for language like "feckin' moron" and this was it.

    3. Anonymous Coward
      FAIL

      Re: Wait, what?

      I don't consider your reaction Over-The-Top at all. If I'd have done the same back in the military, at the very least I'd be spending time in federal prison being guarded by a bunch of pissed-off Marines. Oh and getting buggered regularly. Frankly, it'd be nice to see the same in the civilian world but I won't hold my breath.

  3. BkS
    FAIL

    How many times people?

    ENCRYPT, and SALT your HASHES.

    1. Tom 38
      Headmaster

      Re: How many times people?

      A hash is not encryption. You should not encrypt your passwords, but generate a salted hash from them.

      1. Anonymous Coward
        Anonymous Coward

        Re: How many times people?

        My boss often tells me not to bother because it's a waste of my time. I tell him that it's literally just a few extra lines of code but he still doesn't want to "waste the time". Needless to say I just say 'ok' and then hash them anyway!

        1. Spoonsinger
          Holmes

          Re: "My boss often tells me not to bother because it's a waste of my time."

          Umm, it's only a few lines of code, just do it. When they come asking why they can't access accounts, you'll know the real reason.

          1. Spoonsinger
            Happy

            Re: "My boss often tells me not to bother because it's a waste of my time."

            Really short attention span on a Thursday - sorry :-)

      2. Uncle Siggy

        Re: How many times people?

        I could go for some salted hash about now. Who's with me?

  4. nuked
    Facepalm

    Face palm...

    ...who on EARTH are these companies employing to manage data security?

    I think my Grandma could have done a better job.

    ...and she's been dead for a decade.

    1. Anonymous Coward
      Anonymous Coward

      ...and she's been dead for a decade.

      I thought Yahoo! had been, as well.

  5. Dan 55 Silver badge
    Flame

    Yahoo ID is unique across all their services

    This can't affect only Yahoo Voices because you don't need a dedicated ID/password to get into it, it uses your general Yahoo ID. So does this mean that once you do something like log into your Yahoo Mail using your Yahoo ID then go to Yahoo Voices you end up with your password replicated to an unencrypted database?

    This possibly means that none of their passwords for any of their services are stored encrypted.

    Will we get any clear answers? Will we feck.

    1. Anonymous Coward
      Anonymous Coward

      Re: Yahoo ID is unique across all their services

      My thoughts too.

      The 0.4m passwords leaks are possibly only the tip of a huge iceberg.

  6. adam payne

    Can't wait for Yahoo! The Movie.

    1. LinkOfHyrule
      Joke

      <cinema trailer bloke's voice>

      In a world where exclamation marks are plentiful... A chosen hero goes on an epic adventure of a life time... and dares to ask the question - how is babby formed?

    2. Uncle Siggy

      "Iceberg! Right ahead!"

  7. adam payne

    How many times are Yahoo! going to mess things up? This certainly won't do their already rock-bottom reputation any good.

  8. Don Jefe
    Joke

    Welcome Ninja Jesus was my password for a long time.

    1. Adam 1
      Alert

      That's the password on my luggage!

  9. AbortRetryFail
    Facepalm

    WTF?

    Wait... the passwords were being stored *unencrypted* and *unsalted*, in PLAIN TEXT?

    Seriously? Anyone who does this should be taken outside and shot. Repeatedly. Then a few more times to make sure.

    1. Tom 13

      Re: WTF?

      Don't forget to use a few silver bullets in the process, as well as a wooden stake through the heart, holy wafers in the mouth and immersion in holy water.

      Just to be safe. Sunlight doesn't seem to be as effective as once it was. Damn glittery vampires.

    2. Goobertee
      Thumb Up

      Re: WTF?

      I want him hung with a knife after that!

    3. Cubical Drone

      Re: WTF?

      "Hanging's too good for him. Burning's too good for him! He should be torn into little bitsy pieces and buried alive! '

      -Hanover Fiste

  10. Kubla Cant
    Facepalm

    You don't know where it's been

    Prepared statements are easier to code, easier to understand, probably faster, and above all safer. But the world is still full of so-called developers who concatenate their SQL with whatever crap they just got from a web form. And they do it when authenticating passwords, FFS.

    These are presumably people who'd pick a sandwich out of a urinal and have it for lunch. The surprising thing is that with this level of stupidity they can put together a piece of code that compiles and runs.

    1. Anonymous Coward
      Anonymous Coward

      Re: You don't know where it's been

      I don't class myself as any kind of enterprise developer but I found it really hard to believe that anyone anywhere uses concatenation or similar endeavours to form a query string. In ASP/VBScript as a beginner I used sprocs, when I moved on to Java I used prepared statements or, more often, prepared calls and with C# etc it's the same but with ORM libraries in the way.

      1. Michael Wojcik Silver badge

        Re: You don't know where it's been

        I found it really hard to believe that anyone anywhere uses concatenation or similar endeavours to form a query string

        Not only do many people do it, but numerous references recommend it and provide examples. If I were home I'd pull some books off the shelf and provide some choice examples. Hell, here's one, courtesy of Amazon and Search Inside: the O'Reilly Web Database Applications with PHP & MySQL, 2nd ed, by Williams and Lane. Right on page 22, they helpfully show you how to expand PHP variables in a SELECT statement, and say "this feature is used in later chapters to construct SQL statements that are easier to read". Yes, that's so much easier to read than invoking a stored proc that performs an application-specific query using bound variables.

        And O'Reilly (still) has a good reputation in technical publishing. Someone new to this area could be forgiven for picking up an O'Reilly book and expecting to get good information.

        There's little reason for a language like PHP to have database bindings that provide anything other than stored-procedure execution. But it does (or more precisely the bindings provide a general query interface), and a great many LAMP-based applications embed SQL queries right in the application code. Lots of popular open-source LAMP applications are written that way - in fact, pretty much all of the ones I recall examining.
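Kubla Cant's point about concatenating form input into an authentication query, and the embedded-SQL PHP/MySQL style Michael Wojcik describes, as an added example that is not code from the thread or from any of the books mentioned. It is Python against an in-memory SQLite table; the table, the accounts, the passwords and the payloads are all constructed for the demo, and the SHA-256 stand-in for the stored verifier is there only so the query can be shown without a plaintext column.

```python
"""Added example (not code from the thread): a concatenated login query beside
the parameterised form, run against an in-memory SQLite table built here."""
import hashlib
import hmac
import sqlite3


# Stand-in verifier for the demo only: a bare SHA-256 of the password. A real
# table stores the output of a salted, slow KDF (scrypt/bcrypt/Argon2), never
# the password and not a bare hash; the point of this block is the query.
def _digest(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample accounts; every name and password here is made up.
SAMPLE_USERS = {"alice": "correct horse battery staple", "admin": "Hunter2!"}


def make_db() -> sqlite3.Connection:
    """Create and populate the demo table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [(u, _digest(pw)) for u, pw in SAMPLE_USERS.items()],
    )
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """VULNERABLE: form input is spliced into the SQL text, so whatever the
    user types is parsed by the database as part of the statement."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password_hash = '" + _digest(password) + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_param(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """HARDENED: the username travels as a bound parameter, so the driver
    treats it purely as data, and the password check is done in code with a
    constant-time compare rather than inside the WHERE clause."""
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], _digest(password))


# Classic payload: closes the quoted username, then '--' comments out the rest
# of the WHERE clause, so the password is never checked at all.
BYPASS_USERNAME = "admin'--"
# Variant that matches every row instead of one named account.
ANY_ROW_USERNAME = "' OR '1'='1'--"


if __name__ == "__main__":
    db = make_db()
    print("concat, real creds :", login_concat(db, "alice", SAMPLE_USERS["alice"]))
    print("concat, bypass     :", login_concat(db, BYPASS_USERNAME, "anything"))
    print("param,  bypass     :", login_param(db, BYPASS_USERNAME, "anything"))
    print("param,  real creds :", login_param(db, "admin", SAMPLE_USERS["admin"]))
```

The `--` line comment is honoured by SQLite and MySQL alike; note that Python's `sqlite3` refuses stacked statements in `execute()`, so the injected text has to stay inside one statement, which is exactly what these payloads do. The parameterised version also fetches by username only, so the secret never appears in SQL text at all.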

  11. Brent Longborough
    Holmes

    I'm an OAP geezer, but...

    ... even I've heard of Colin Percival and scrypt

    1. Dan 55 Silver badge
      Facepalm

      Re: I'm an OAP geezer, but...

      Well Yahoo haven't heard of little Bobby Tables.

  12. andy gibson
    Unhappy

    Why haven't Yahoo told their users?

    I logged into my Yahoo mail twice today, nothing. Nothing on the home page either. Thanks Reg, at least /someone/ is on the ball.

  13. Not That Andrew
    Facepalm

    You would think when Yahoo bought Associated Content this would have been one of the things they checked BEFORE buying them.

  14. sisk

    Ridiculous

    Hey Yahoo! Did you learn NOTHING from Sony's recent walk of shame? Here, let me spell it out:

    DO NOT STORE PASSWORDS IN PLAIN TEXT!!!!!

    Did you get that? If you didn't, please report to your nearest cluebat wielding geek to have it beaten into your worthless skulls for further lessons.

    1. Yet Another Anonymous coward Silver badge

      Re: Ridiculous

      I suspect it's because this is a separate system acquired when they bought the company, and the only way to connect between them is to have Yahoo's server log in to this server with your username/passwd.

      Not an excuse but possibly an explanation

  15. Anonymous Coward
    Anonymous Coward

    ATT/yahoo

    I used to work doing tech support for ATT DSL. I would constantly see people with hacked email accounts. It did not matter the OS or how you accessed email. When you average 20 calls a day and 5 of them are about hacked emails, something is up. I suspect that the number of times Yahoo has been hacked is way more than this.

  16. Andrew Jones 2

    The thing I just cannot get my head round,

    operating for as long as they have online - wouldn't you expect a company like Yahoo to be storing its passwords encrypted? I might not use the VoIP service - but I do use other parts of the Yahoo infrastructure - and if you take that a step further and look at other companies that use the Yahoo infrastructure - eg BTYahoo, which AIUI Yahoo hosts on behalf of BT?

    This would be like discovering Facebook stores all its passwords unencrypted too!

  17. Lallabalalla
    Unhappy

    My BT crap is tied to Yahoo! crap

    I hope they weren't BT passwords.

    BTW did I mention that BT are crap?

  18. Mister Cheese
    Coat

    Isn't someone supposed to post this

    ...whenever there's a story about SQL injection?

    http://xkcd.com/327/

  19. Anonymous Coward
    Anonymous Coward

    ah ha!

    as someone else pointed out, this is a possible explanation for some of the successful hacks on Yahoo email accounts with a curious lack of vector.

  20. RISC OS
    Mushroom

    123456

    what a great password... I'm reminded of Spaceballs.

  21. RISC OS
    Joke

    My password is password

    Funnily enough I knew someone whose password was "password", and every service he used back then had this "password". He thought he was really smart... I think lots of people do... "Enter password:".... hhaaa ok... "password" - bang, you're in!

    Sort of on a par with the dwarves at Moria: "Speak friend and enter"...

    1. Pascal Monett Silver badge

      Re: "Speak friend and enter"

      Not on par at all. It is specified in the film and in the books that it was a mechanism devised in a "simpler time", probably a time of peace and trust.

      And besides, it'd take forever to thread an invading army through that itty bitty door - not counting the path to get to it. Finally, it was written in Elvish, and not many folk of that land knew how to read that. Not to mention the possible confusion between "speak, friend" and the other possibility which could be understood as "speak the password, friend", meaning that, if you were a friend, you'd know the password.

      So, all in all, pretty secure, even for a fairytale.

      1. Allan George Dyer
        Coat

        Re: "Speak friend and enter"

        A time of peace, trust and before the invention of passive IR motion detectors. (The design spec. said it was an automatic door)

    2. Goat Jam

      Re: My password is password

      Hehe, I use "password" on those stupid websites that insist you log in even though you will only ever use it once.

      For real security though, I use "letmein" or "iforgot" because nobody would ever guess those.

  22. Anonymous Coward
    Anonymous Coward

    Ex-Y

    As an Ex-Y, I'm amazed this has happened. AFAIK, all user accounts start their life in a central API service. The actual properties don't get access to the service, just to a lookup API (which isn't SQL, and has been hardened over many years). As a user of the service, you actually don't get the user's password at all - in fact, none of their security information. All of that is handled by login.yahoo.com, and as a general rule stays put. The user folks also spend a lot of time culling the spammers who spend a lot of time opening Y accounts.

    How this service managed to get passwords and store them in a DB is a mystery to me. However, I strongly suspect the only passwords stolen are the ones on the affected service. Of course, if it's Yahoo Voices, Yahoo Voice or something else isn't fully clear yet. I'll be willing to bet at least half the accounts are spam, because they won't have been subject to the same culls as the main user service gets.

    This ought to now be a "no one goes home until it's fixed" security event. I never heard of one in 3 years working there, although folklore said they had happened in the past. The local pizza companies better get cooking, because they're gonna get a call any minute...

  23. Paul Crawford Silver badge

    Email down?

    Seems I can't log in to my web email just now - merely a coincidence?

    Still no big deal as I just use it for spam and facebook, which is the same thing really.

  24. Lord Voldemortgage

    Share doubt

    Their share price hasn't collapsed yet.

    I wonder if it will.

    And who would be pleased if it did.

    1. asdf
      FAIL

      lmfao

      Yahoo walked away from $33 dollars a share. Still laughing about that one.

  25. Anonymous Coward
    Anonymous Coward

    some speculation

    Some experts have speculated that this is an old file belonging to the company that Yahoo bought. Others have tried some of the usernames/passwords and found them not to work, lending credence to the "old passwords from a dead service" idea. It should also be noted that 400K must be a small percentage of their total users.

  26. This post has been deleted by its author

  27. Anonymous Coward
    Anonymous Coward

    It really should?

    What does it mean by "..tricked the website into handing over more information that it really should.."?

  28. Michael Wojcik Silver badge

    "unsalted one-way encrypted hashes"?

    unsalted one-way encrypted hashes would have been bad enough

    They certainly would be. Surely everyone knows that you should use at least two-way hashes, or possibly three-way (particularly for those secure porn sites).

    Look, Reg writers, I know you have difficulty with this particular area of technology for some reason. But let's try it one more time:

    - Hashes are always one-way, by the pigeonhole principle, except for the special case of "perfect" (collision-free) hashes. A perfect hash is only possible when the domain is no larger than the range, of course, which is theoretically not the case with any decent password system (one that allows passwords, or better passphrases, that are longer than the hash). In principle the set of passwords in a given security domain may be small enough, and the hash size large enough, for a perfect hash; but that's clearly undesirable. So "one-way ... hash" is redundant in this context.

    - Further to the previous point: cryptographic hashes (aka "message digests") are always one-way. That's one of the criteria for cryptographic hashes.

    - Hashing is not encryption. Of course, the phrase "encrypted hashes" is ambiguous here, and it's not clear whether Leyden is conflating hashing and encryption, or suggesting that hashes should be encrypted as well, as a minimum security measure. While there's some ground for arguing that encryption provides additional security, it's a pretty small branch of the attack tree (attacker has the resources to feasibly find preimages for salted hashes, and motivation to do so, but can't extract the key used to encrypt/decrypt them), and the same improvement can be had at less cost simply by adding another salting term that's not stored in the database. (In either case, the attacker has to extract a secret from the application.)

    - Yes, salting ought to be employed, as has been discussed ad nauseam of late, when password hashes are used as the verifier for user credentials. (Of course there are other, better, verification schemes, such as those based on ZKPs, like SRP and PAK-RY, where salting doesn't apply.) So +1 for "unsalted" - but in the end "unsalted hashes", without "one-way encrypted", would have been better.
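Pulling together BkS's and Tom 38's "salted hash, not encryption", Brent Longborough's nod to Colin Percival's scrypt, and Michael Wojcik's "another salting term that's not stored in the database", here is an added example that is not code from the thread or from Yahoo!. It is a small Python verifier: per-user random salt, the scrypt KDF from the standard library, an optional server-side pepper applied before the KDF, and a self-describing record so the cost parameters can be raised later. The `scrypt$n$r$p$salt$key` record layout, the function names and the cost values are this example's own choices.

```python
"""Added example (not code from the thread or from Yahoo!): a salted,
memory-hard password verifier built on scrypt, with an optional server-side
pepper kept outside the database. Record layout is this example's own:

    scrypt$<n>$<r>$<p>$<salt>$<key>     (salt and key base64, no padding)
"""
import base64
import hashlib
import hmac
import os

# Cost parameters: scrypt needs about 128*n*r bytes of RAM per evaluation,
# 16 MiB here. They are written into every record so they can be raised
# later without invalidating existing users (see needs_rehash).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16   # bytes of random salt, fresh per password
KEY_LEN = 32    # bytes of derived key stored


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _prehash(password: str, pepper):
    """Bind the password to an application secret before the KDF. The pepper
    is the extra term that never lives in the database: someone holding only
    the table cannot even begin guessing without it. With no pepper this is
    just the UTF-8 password."""
    raw = password.encode("utf-8")
    return raw if pepper is None else hmac.new(pepper, raw, hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = None,
                  n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> str:
    """Return the record to store in place of the password."""
    salt = os.urandom(SALT_LEN)
    key = hashlib.scrypt(_prehash(password, pepper), salt=salt,
                         n=n, r=r, p=p, dklen=KEY_LEN)
    return f"scrypt${n}${r}${p}${_b64(salt)}${_b64(key)}"


def _parse(record: str):
    """Split a record into (n, r, p, salt, key); None if it is not one of ours."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return None
    try:
        n, r, p = (int(x) for x in parts[1:4])
        return n, r, p, _unb64(parts[4]), _unb64(parts[5])
    except (ValueError, TypeError):
        return None


def verify_password(password: str, record: str, pepper: bytes = None) -> bool:
    """True when the password matches the stored record; constant-time compare."""
    parsed = _parse(record)
    if parsed is None:
        return False
    n, r, p, salt, expected = parsed
    try:
        actual = hashlib.scrypt(_prehash(password, pepper), salt=salt,
                                n=n, r=r, p=p, dklen=len(expected))
    except ValueError:          # nonsensical cost parameters in the record
        return False
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P) -> bool:
    """True when a record is unparseable or weaker than current policy; call
    after a successful login and store hash_password() afresh if it says so."""
    parsed = _parse(record)
    return parsed is None or parsed[:3] < (n, r, p)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))   # True
    print(verify_password("Tr0ub4dor&3", rec))                    # False
```

Two points worth noticing when reading it: the salt makes two records for the same password differ, which is what defeats a precomputed table; and a peppered record silently fails verification without the pepper, so if you adopt one it has to be deployed with the application, rotated deliberately and never written to the same store as the records.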
