Going! going! pwned? 200! million! Yahoo! logins! leaked! allegedly!

What's claimed to be the login credentials for 200 million Yahoo! accounts is now on sale through a dark web cybercrime shack. The purported user database dump is being touted by someone called Peace – as in peace_of_mind, the same miscreant who previously sold LinkedIn and Yahoo-owned Tumblr logins – at an asking price of 3 …

  1. Lee D Silver badge

    Only time I've ever had a Yahoo login was for an old Geocities account that got converted (it turned from Geocities "username" to Yahoo "username.geo"). Last used the Geocities account... god knows.

    Last used the Yahoo account? Never.

    Fortunately for me, the passwords on them are likely to be several generations of password ago and probably the lowest security tier that I ever had. No money associated, no real-world information stored, no sense of loss if it gets hacked.

    Others, though, might not be as fortunate but that's what you get for not moving on from a global multi-billion-dollar company that stores 200m user passwords as an unsalted MD5 hash.

    1. The Original Steve

      @Lee D

      Couldn't agree with you more about your password strategy.

      I've always wondered why something akin to the below isn't more popular:

      - Take a two word or more phrase. E.g. Peanut butter

      - "Peanut butter" is your "weak" password. Used on El Reg forums, things not very important

      - "P3anut Butt3r!" is for email and other medium security services

      - "P3@nuT_8utt3R!" is for banking, PayPal, high security services

      Every year or so, come up with a new phrase and replace your password on anything you STILL USE TODAY.

      Just take a phrase, add three layers of complexity with logic rules. So capitals for the start of every word of tier 2, as well as e's for 3's and an exclamation mark suffix. Tier 3 is the same as tier 2, but a's are @'s, capitalise the first and last letter of the words, underscore for spaces, and swap the B for 8.

      Not saying it's uncrackable, particularly the weakest password (although as it's a phrase then it has lots of characters and a basic dictionary attack would take a while as it's more than one word) - but it does give some defence in depth and it's not too taxing to remember as long as you can recall a phrase and a couple of rules based on your tiers.

      Or is it just you and me?! ;)

      1. Lee D Silver badge

        Yep. But I refer you to XKCD:

        https://xkcd.com/936/

        "Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess."

      2. P. Lee

        It's probably better to have longer but more easily memorised and very different passwords than variations. Variations are pretty much standard in a dictionary attack.

      3. Michael Strorm Silver badge

        Unfortunately, I seem to remember hearing quite a few years back that "standard 13375p34k" substitutions like your "3 for E", "8 for B", "@ for A" were taken into account by password crackers even then.

        1. Anonymous Custard
          Headmaster

          Plenty of other ways to scramble things up though:

          * Using one of the words reversed.

          * Key shifting on the keyboard.

          * Removing the last # letters from the words (or the first, or a mixture).

          * Adding something site-specific but easy to remember for each site.

          * Set the keyboard to a different language but still type the words in the letters on the keys.

          * Throw in a few specific non-standard symbols in fixed memorable places.

          Mixing those and any number of similar techniques into what's already been stated can turn any fairly regular password or phrase into utter gobbledegook, even if typed in plain text.

      4. Anonymous Coward
        Anonymous Coward

        But, from a machine's point of view "This is my banking password (a super secret one)" is impossible to break, compared to (knowing that you have used "Peanut Butter" in the past) trying every permutation of Peanut Butter, replacing characters with numbers/symbols, which will be trivial.

      5. Dadmin

        "Strengthening" your dictionary word password or phrase by simple special character substitution is almost useless. Those "special" characters are not special at all. Merely substituting so-called special characters that look like their regular alpha cousins is a waste of your time. The latest data fuzzing techniques rip right through them like you had used the normal alpha character. Try again. You're on the right track. A strong password looks like a typewriter threw up on your screen, and if you code, any text string can be memorized. It's just not an issue at all. Basically, if you print out your password and anyone can tell you meant to spell coffee when you have it as (0ff33, then you have failed, young Padawan.

      6. Captain DaFt

        Easiest way to beat a dictionary attack? Don't use dictionary words.

        Make up a word, say... "Kerskuts"*, then add a few random digits and symbols... "93Kerskuts$€+", and job done.

        *A. With my luck, this probably means something horribly offensive in some language. If so, my bad! (Apologies)

        B. Do not use this word, five seconds after I post it, it'll be added to somebody's cracking dictionary.

    2. Crazy Operations Guy

      For passwords at my old job, I'd grab lines from the employee handbook. It'd take a machine eternity to guess that my password was

      "ITP-34.922 - password policies. All passwords must contain"

      60 characters, numbers, and symbols. Yet there is no need to try and remember which ones were converted to uppercase or leet-speak bullshit.

      On my personal systems, my passwords were the file names to songs I like. "Rolling Stones - 03 - (I can't get no) Satisfaction.mp3" or "AC/DC - 07 - Ain't no fun (waitin' round to be a millionaire)" would take a machine quite a long time to figure out, but I can type it out pretty quickly and remember it fully.

      I've also used commonly typed system commands as well, especially ones I would use fairly often, like "ping6 mailer03.mycompany.com". The benefit being that it's immune to key stroke sniffers.

      1. Lee D Silver badge

        Every character you add to the alphabet increases the time required to brute-force by 1/alphabet size of the original time (e.g. 1/26th)

        Every normal character you add to the end of an existing password increases the time required to brute-force by the size of the alphabet (e.g. multiply by 26).

        Say you use all the lower ASCII range (unlikely, lots of them aren't even printable, let alone acceptable in a password). That's 128 characters to the power of the length of your password.

        Then say you use only the alphabet. That's 52 to the power of the length of a longer password.

        128^8 = 72057594037927936

        52^10 = 144555105949057024

        An 8-character, all-symbol password takes half the time to guess compared with a 10-character, only alphabetical letters password.

        In mathematical terms, the exponent here vastly outweighs the mantissa. n^m is much more affected by m as numbers increase than by n.

        Put simply, the more characters you have, the more it swamps whatever silly symbols you decide to add to the alphabet. And, as stated, leet-speak is not even adding a whole character to the alphabet but just trying binary replacements of 'a' with '@' for example - it's even QUICKER to check for than just including @ as a random generic symbol, especially where dictionary attacks are concerned.

        Stop messing about, and get a long, simple password.
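The keyspace arithmetic in the comment above, together with the point that leet-speak is a handful of per-letter substitutions rather than a bigger alphabet, as an added example. This is not code from the article or from any commenter; the guess rate is an assumed figure used only to turn candidate counts into time, and the substitution table is a small stand-in for the rule files real crackers ship.

```python
"""Search-space arithmetic: password length vs. alphabet size vs. leet-speak.

Added example for this thread; not code from the article or any commenter.
ASSUMED_GUESSES_PER_SECOND and the LEET table are assumptions.
"""
from itertools import product
from math import prod

# Assumption: one GPU rig testing raw MD5 candidates at this rate.
ASSUMED_GUESSES_PER_SECOND = 10 ** 10

# Substitutions a cracker's mangling rule tries per letter, plus separators
# for spaces and a few common suffixes. Real rule files are larger; the
# counting argument below does not change.
LEET = {"a": "@4", "b": "8", "e": "3", "i": "1!", "l": "1", "o": "0",
        "s": "$5", "t": "7"}
SEPARATORS = "_-"
SUFFIXES = ["", "!", "1", "123"]


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates for a uniformly random password: alphabet ** length."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed rate."""
    return keyspace(alphabet_size, length) / rate


def _options(base: str) -> list:
    """Per-position choices the rule expands a base phrase into."""
    choices = []
    for ch in base:
        opts = {ch}
        if ch.isalpha():
            opts.update({ch.lower(), ch.upper()})
            opts.update(LEET.get(ch.lower(), ""))
        elif ch == " ":
            opts.update(SEPARATORS)
        choices.append(sorted(opts))
    return choices


def count_mangled(base: str) -> int:
    """How many candidates the rule generates from one base phrase."""
    return prod(len(c) for c in _options(base)) * len(SUFFIXES)


def mangled(base: str):
    """Enumerate every candidate, i.e. what the cracker feeds the hasher."""
    for combo in product(*_options(base)):
        stem = "".join(combo)
        for suffix in SUFFIXES:
            yield stem + suffix


def rule_recovers(base: str, target: str) -> bool:
    """True if `target` is one of the candidates derived from `base`.

    Checked position by position rather than by enumeration, so it stays
    cheap even when count_mangled(base) is in the millions.
    """
    choices = _options(base)
    for suffix in SUFFIXES:
        if len(target) != len(choices) + len(suffix):
            continue
        if not target.endswith(suffix):
            continue
        stem = target[:len(choices)]
        if all(c in opts for c, opts in zip(stem, choices)):
            return True
    return False


if __name__ == "__main__":
    print(f"128^8 = {keyspace(128, 8):,}")
    print(f"52^10 = {keyspace(52, 10):,}")
    years = seconds_to_exhaust(52, 10) / (86400 * 365)
    print(f"52^10 at {ASSUMED_GUESSES_PER_SECOND:.0e}/s: {years:.0f} years")
    base = "peanut butter"
    n = count_mangled(base)
    print(f"'{base}' mangled: {n:,} candidates "
          f"({n / ASSUMED_GUESSES_PER_SECOND:.6f} s at the same rate)")
    for pw in ["P3anut Butt3r!", "P3@nuT_8utt3R!",
               "correct horse battery staple"]:
        print(f"  {pw!r:32} recovered: {rule_recovers(base, pw)}")
```

Both tiered variants of "peanut butter" proposed earlier in the thread fall inside about 1.1 million candidates, which the assumed rig clears in well under a millisecond; the ten-letter random string costs over 10^17 candidates. The figures scale with whatever rate you plug in, but the ratio between them does not.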

  2. Anonymous Coward
    Anonymous Coward

    2012 sounds about right

    That was when my one and only - not used in the previous 10 years - Yahoo email account got hacked and used to spew spam.

    1. Anonymous Coward
      Anonymous Coward

      Re: 2012 sounds about right

      Is that an official credential timestamp? I changed my password a couple months ago and wonder if that means it's sorta kinda OK to leave it alone. I really wanted to neuter the account without going around and informing everyone it wasn't mine anymore but their 2 options for mass forwarding are "Store and forward"-- which I don't want because storing it there leaves it to be found by anyone who gets in whenever-- and "Store and forward and mark as read".

      Come. ON.

      It seems I have little choice but to take and delete everything by POP3 with a cron job running at a frequency roughly proportional to my paranoia.

      p.s. don't shoot me, it's left over from like 2003

      1. Anonymous Coward
        Anonymous Coward

        Re: 2012 sounds about right

        Have you enabled two-step verification?

        1. yoganmahew

          Re: 2012 sounds about right

          "Have you enabled two-step verification?"

          And give them my mobile number as well? Or root access to my never-been-security-updated android smartfone? (Yes, Samsung, I'm looking at you, you useless bunch of fecks).

    2. yoganmahew

      Re: 2012 sounds about right

      Likewise. Yahoo denied it most vigorously at the time :|

  3. John Sanders
    Facepalm

    Meanwhile....

    "Marissa Mayer, who was hired to turn Yahoo around, has just sold Yahoo's assets in a fire sale for $4.8 billion dollars to Verizon, a mockery of a company which once had a valuation of $140 billion dollars. But we've also just learned that for her expertise Mayer will be collectively paid about $220 million for her efforts in the past four years. That's about 5% of the value of Yahoo!"

    Thought I should mention...

    1. Pascal Monett Silver badge

      Re: Meanwhile....

      Sure, mention it.

      Standard Corporate Procedure, these days. She's far from the first CEO to bilk millions out of driving a company to the ground, and she certainly won't be the last.

      It's private money. If the shareholders are stupid enough to give it away, it is literally in every sense their problem.

      That said, I'll drive a company to the ground for a tenth of the price. Just saying.

      1. Rosie Davies

        Re: Meanwhile....

        "It's private money. If the shareholders are stupid enough to give it away, it is literally in every sense their problem."

        Sort of. Though pension funds and other large institutional investors like to invest in large companies such as Yahoo. Which could mean there's a chance that your pension is a few pennies a year lower because MM has been given a huge payout for driving a company into the ground.

        In theory you could find out and someone'll make the argument that it's your fault for not being aware of every single investment made by every single fund manager in every single account that you have. TBH I'd question the sanity of that argument.

        Rosie

    2. Captain DaFt

      Re: Meanwhile....

      "Marissa Mayer, who was hired to turn Yahoo around, has just sold Yahoo's assets in a fire sale for $4.8 billion dollars to Verizon..."

      Well, hired to run a multi billion dollar company and it was in the contract that she'd receive a multi-million dollar bonus if it was sold while she was running it... factor in a touch of greedy self interest, et voila!

  4. Anonymous Coward
    Anonymous Coward

    Does anyone know if this affects email accounts such as BT, who I believe use Yahoo? Asking for a friend, obviously...

    1. Elmer Phud

      If its the 2012 stuff then possibly.

    2. Anonymous Coward Silver badge

      Factoring in how many BT accounts have been spewing spam to people on their contact lists since around that time, I'd say it's highly likely.

    3. Dadmin

      It will if they are using the Yahoo! mail servers to store the mail, and probably their own branded front end. AT&T did that over here. I had a very old Yahoo! account, then got some local SBC (formerly PacBell) service, which is an entity of AT&T, and they "migrated" my email address into the AT&T branded section of Yahoo! Mail. It's quite annoying, because then I had another email address for SBC that I don't use or want, and the one I do, which are all tied together behind the scenes somehow. Anyway, like I said, if they rebrand Yahoo! Mail as BT! Mail, then yes, change that password, straight away.

      I will mention again I used to contract for Y! for a time. First in the mail property and then in search. Super interesting environment, lots of cool tools to make taking care of huge chunks of systems (like 300,000+ servers when I was there) as easy as you please. I even got to see Marissa up close the day they made the Tumblr purchase. They were all out on the purple carpets they lay out in the courtyard when we had special visitors. Her golden parachute seems obscene, but take into consideration the amount of responsibility she had to hold, and the extra time it will take the next company to consider her as a viable C-level exec. Unless she starts her own company. The pay is crazy up there because it's crazy up there. Leave me in the data center. The people are too much work.

  5. NotBob

    Of course they haven't gotten back with a comment, they're too busy trying to hawk parts of the business again...

  6. WolfFan Silver badge

    Simple passwords

    My new standard way to have a nice, simple, easy-to-remember password for sites where high security is not needed, such as Yahoo! is the Keyser Soze method. Look at the area, pick something in plain sight, use it. Those who don't know that I'm currently reading 'Castles of Steel' and have a HP LaserJet P2055dn sitting one desk over would have a problem guessing the password CastlesHPofP2055Steel. I'll remember it, though.

    No, I don't actually use a password just like that one. I do use passwords created that way.

    For higher security, stick a symbol or two or more in there. Yes, it's crackable. But you'd have to really want to get into my stuff.

    And, to the uncultured heathen who know not who Keyser Soze is: thou shalt improve thy movie IQ. Get thee hence to Netflix, most immediately.

    1. Kurt Meyer

      Re: Simple passwords

      @ WolfFan

      "And, to the uncultured heathen who know not who Keyser Soze is: thou shalt improve thy movie IQ. Get thee hence to Netflix, most immediately."

      Keyser Söze? He doesn't exist. He's just "a spook story that criminals tell their kids at night."

      1. WolfFan Silver badge

        Re: Simple passwords

        @Kurt

        I was unaware that Keyser Soze was really Batman...

    2. Nolveys

      Re: Simple passwords

      [To create passwords for] the likes of Yahoo! is the Keyser Soze method. Look at the area, pick something in plain sight, use it.

      "CashBonfireVisibleFromSpace"

  7. Anonymous Coward
    Anonymous Coward

    Since when is MD5 "easily breakable"?

    Sure, it is susceptible to dictionary attacks, but it isn't like it is reversible. If your password is simple, it could be broken, if it is JDF()*#lk9KKF@ you are safe. I say "could be" because what's the point of trying to crack 200 million Yahoo! passwords, when there are so many breaches from other websites that include plaintext passwords?

    1. Will 28

      Re: Since when is MD5 "easily breakable"?

      If they're using MD5, then they're unlikely to have salted the hash. In that case the passwords can be cracked using rainbow tables, so deriving the password from the hash is easy (even with your random password suggested).

      Why would you do it? My main reason would be that a lot of people have only 2 passwords. The weak one that they use to sign up to services using their email as the userid, and of course the strong one which they use for specific services like online banking etc. They would of course use this for their email password, as they don't want to give out their email password when signing up to new services using their email address.

      1. Vic

        Re: Since when is MD5 "easily breakable"?

        If they're using MD5, then they're unlikely to have salted the hash. In that case the passwords can be cracked using rainbow tables, so deriving the password from the hash is easy

        Aside from your first assumption often being wrong, an attack on MD5 doesn't usually reveal the original password.

        It relies on MD5 collision, so it reveals a password that generates the same hash. It is unlikely that this is the actual password, although it will be sufficient for authentication in this situation.

        Vic.

        1. Will 28

          Re: Since when is MD5 "easily breakable"?

          Well, it's called an assumption for a reason.

          Yes, the collisions mean that you won't necessarily get the correct password, but with 200m you'd get quite a few, and I still hold they're more valuable passwords than your standard low quality website hack.
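How an unsalted MD5 password hash falls to a precomputed hash-to-plaintext table (the same idea a rainbow table compresses), and what a per-user salt changes about the cost, as an added example for the exchange above. This is not code from the article, from Yahoo! or from any commenter; the wordlist, user rows and salts are constructed for the demonstration and are not leaked data.

```python
"""Unsalted MD5 password hashes vs. a precomputed lookup, and what a salt changes.

Added example for this thread; not code from the article, Yahoo! or any
commenter. WORDLIST, the dumps and the salts are constructed test data.
"""
import hashlib

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "123456", "peanut butter", "letmein", "qwerty"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup(words) -> dict:
    """Precompute hash -> plaintext once. Nothing per-user goes into an
    unsalted hash, so this table works against every unsalted dump."""
    return {md5_hex(w.encode()): w for w in words}


def crack_unsalted(rows, table: dict) -> dict:
    """rows are (user, md5_hex). One dict lookup per row; the hashing was
    paid once when the table was built, not once per user."""
    return {user: table[h] for user, h in rows if h in table}


def hash_salted(password: str, salt: bytes) -> str:
    """Per-user salt prepended to the password before hashing."""
    return md5_hex(salt + password.encode())


def crack_salted(rows, words) -> tuple:
    """rows are (user, salt, md5_hex). A different salt per row means no
    shared table: each row is tried against the wordlist from scratch.
    Returns (recovered, hashes_computed)."""
    recovered, attempts = {}, 0
    for user, salt, h in rows:
        for w in words:
            attempts += 1
            if hash_salted(w, salt) == h:
                recovered[user] = w
                break
    return recovered, attempts


# Constructed dumps. carol's password is the random string quoted in the
# thread; it is not in the wordlist and stays uncracked either way.
UNSALTED_DUMP = [
    ("alice", md5_hex(b"peanut butter")),
    ("bob", md5_hex(b"123456")),
    ("carol", md5_hex(b"JDF()*#lk9KKF@")),
]
SALTED_DUMP = [
    ("alice", b"\x9f\x1c\xa3\x07",
     hash_salted("peanut butter", b"\x9f\x1c\xa3\x07")),
    ("bob", b"\x42\x08\xe1\x5d",
     hash_salted("123456", b"\x42\x08\xe1\x5d")),
    ("carol", b"\x77\xb0\x2e\x19",
     hash_salted("JDF()*#lk9KKF@", b"\x77\xb0\x2e\x19")),
]


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    print("unsalted:", crack_unsalted(UNSALTED_DUMP, table),
          f"({len(WORDLIST)} hashes for the table, 0 per row)")
    found, attempts = crack_salted(SALTED_DUMP, WORDLIST)
    print("salted:  ", found, f"({attempts} hashes for {len(SALTED_DUMP)} rows)")
```

With no salt the attacker hashes the wordlist once and then answers every one of the 200 million rows with a lookup; with a salt the wordlist has to be hashed again for each row, and a table built for one dump is useless against the next. Neither variant recovers the random string, which is the point the original poster made about passwords that are not in any dictionary.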

  8. Pen-y-gors

    Nothing new here...

    Given the frequency with which I get phishing e-mails from hacked Yahoo accounts, I assumed that all yahoo account details were automatically published somewhere as soon as they were created.

  9. a_a

    Surely...

    ...MD5 is an algorithm not a protocol.

  10. ecofeco Silver badge

    Too funny

    After reading the news on Yahoo's sale, I was reminded that I still had a Yahoo burner email account so I went and deleted it. I had to google it to learn how.

    Oddly enough, Yahoo sent me a "headline news" email shortly thereafter.

    Yeah, good luck with my account.

    1. yoganmahew

      Re: Too funny

      Did you delete your backup email, your mobile number and your DOB too?

      1. ecofeco Silver badge

        Re: Too funny

        On Yahoo? They never had that info.

  11. Anonymous Coward
    Anonymous Coward

    Well! Great!

    I don't think I can change my password from my phone, and my employer uses a man in the middle attack to re-route SSL traffic through their snoopers. So... maybe I can go home early if I tell my boss it's a security emergency.

    Thanks! Yahoo!

  12. hellwig

    Password Security

    Nothing like a password security scheme that gets messed up by some website's arbitrary and entirely inane password requirements.

    My pattern is "ranD3Om<phrase>", where <phrase> usually relates to the website.

    Well, some websites require a special character, so why not just add it to the ranD3Om? Because not every website allows a special character (I thought it was 2016, guess I was wrong).

    Some sites prevent you from including common words, phrases, etc.. so my American Express password can't have AmEx in it, so now <phrase> is harder to remember ("ridiculousservicecharges" makes the password too long).

    Oh, and then some website came along and required TWO numbers. That's great, but how many damn accounts do I have and won't remember until I need them, then did they get the one number variant or two, did they require a special character or not, yadda yadda.

    In the end, I have many accounts out there and all I do is click "Forgot my Password", because who knows what they forced me to use when I signed up.

  13. frank ly

    If only

    "... and we always encourage our users to ... "

    ... lie about their DOB and any other personal identity related information.

  14. Oengus

    Can they get me into my account?

    I have a Yahoo! account that I went to use after letting it sit idle for 6 months. Yahoo! wants to send a verification e-mail to an account that doesn't exist anymore so I can't get back into my Yahoo! account...

  15. phuzz Silver badge

    I have a Yahoo account because my first webmail was a rocketmail.com address. Rocket Mail then got bought by yahoo and converted into Yahoo mail (just after Hotmail was bought by Microsoft for the same reason).

    I just checked, it's still there, getting about one spam email per month. I could delete it, but at the rate Yahoo are going they'll be deleting every thing in a few years anyway.

  16. heyrick Silver badge

    I use Yahoo!

    I use Yahoo! for general mail and also because I have the option of easily creating spam trap addresses. By doing this, my personal private email stays exactly that. Personal and private. And most of all clean and free of spam.

    Now, what should I set my password to this time? "shitasssecuritybyfuckwits" or "donkeyballshorsestaple" or...? ;-)

  17. rest_in_peace

    peace is a ripper

    the little boy is a liar about yahoo. all here:

    pastebin.com/wV8vAg0u
