Yahoo! fixes! password! leak! vulnerability!

Yahoo! has fixed the flaw that allowed hackers to scrape the unencrypted passwords of over 450,000 of its customers' accounts. "We have taken swift action and have now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of …

COMMENTS

This topic is closed for new posts.
  1. leexgx

    Turning on the SMS option makes the password leak on Yahoo a limited issue (unless you use the same password on all sites).

    As soon as I logged into a new PC that was not at someone else's house, it forced me to send an SMS to my phone so I could log in. Works very well; if I log back in later on it does not ask for the SMS check.

    1. G2
      FAIL

      Unfortunately, Yahoo SMS auth is still in beta testing and it can easily be bypassed even if turned on.

      Just log on via Yahoo Messenger (desktop app), click on the mail icon in YMess and you have instant mail access without any nagging SMS prompts.

      1. Dan 55 Silver badge
        WTF?

        Giving my mobile number to Yahoo

        No, that's not going to happen. Not before this security SNAFU and certainly not after.

    2. Anonymous Coward

      I shouldn't be required to own a cell phone because some twit at an email company can't figure out how to secure HIS databases.

  2. Peter 39
    FAIL

    User

    User, meet open barn door.

    Hey Yahoo!, great that you fixed this one. Now post your audit of all your user-credential databases and their level of security. How many were good and how many remain to be fixed?

  3. h4rm0ny

    "We have fixed the problem" says Yahoo Spokesperson.

    Meanwhile somewhere in the Yahoo database...

    UPDATE user SET password = TO_BASE64(password);

    1. Anonymous Coward
      Joke

      Re: "We have fixed the problem" says Yahoo Spokesperson.

      Actually, I think it reads:

      UPDATE user SET password = TO_ROT13(password);

      1. Alan W. Rateliff, II
        Paris Hilton

        Re: "We have fixed the problem" says Yahoo Spokesperson.

        For added security, we use FOUR ROUNDS of ROT13. Crack that one!

        Paris, crack.

  4. Anonymous Coward

    Little Bobby Tables at it again

    I guess Yahoo already laid off the intelligent database developers.

    1. Anonymous Coward
      Devil

      Re: Little Bobby Tables at it again

      > I guess Yahoo already laid off the intelligent database developers ..

      No, they sent them to work for RBS, in charge of online security ...

    2. Tom 13

      Re: Little Bobby Tables at it again

      If the breached databases were from the acquisition, and none of the native Yahoo databases were breached, it sounds more like Yahoo failed to perform a code audit when they made the acquisition, and the twits at fault for the database mistake worked at the acquisition company. Still a major fault for Yahoo, but if those DB admins got outsourced, they deserved worse.

      1. Anonymous Coward

        Re: Little Bobby Tables at it again

        That's closer to the truth. The main user database hashes the passwords using FreeBSD MD5. The fact these passwords were not hashed or encrypted points to it being from a separate database. Still very poor form to ever store such information in the clear though.

  5. Pascal Monett Silver badge

    "we will continue to take significant measures to protect our users and their data"

    Does that mean that they will finally start salting their hashes?
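Editor's added example, picking up both the base64/ROT13 "fix" jokes earlier in the thread and the salting question just above. This is not code from the article, the commenters or Yahoo; it runs each "fix" over a constructed set of user records and shows why an encoding is reversible by anyone who holds the database, why an unsalted hash lets one lookup table crack every user who shares a password, and why a per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256 here, chosen for illustration; the thread's "FreeBSD MD5" is a different, salted but fast scheme) does not have that problem. All user names and passwords are made up.

```python
"""Added example: encoding is not hashing, and hashes need a per-user salt.

The USERS table below is constructed for the demonstration. Nothing here
describes Yahoo's actual storage; it only shows what each "fix" joked
about in the thread really buys you.
"""
import base64
import codecs
import hashlib
import hmac
import os

# Constructed sample database: alice and bob chose the same password.
USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "hunter2",
}


def store_base64(password: str) -> str:
    """The joke 'fix': base64 is an encoding, not encryption."""
    return base64.b64encode(password.encode()).decode()


def recover_base64(stored: str) -> str:
    """Anyone with the database row gets the password straight back."""
    return base64.b64decode(stored).decode()


def store_rot13(password: str, rounds: int = 4) -> str:
    """ROT13 is its own inverse, so an even number of rounds is a no-op."""
    out = password
    for _ in range(rounds):
        out = codecs.encode(out, "rot_13")
    return out


def store_unsalted_md5(password: str) -> str:
    """One-way, but identical passwords give identical digests."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted(password: str, salt=None, iterations: int = 100_000) -> str:
    """Per-user random salt + slow KDF. Stored as iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt; constant-time compare of the digests."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def crack_unsalted(stored_hashes: dict, wordlist) -> dict:
    """Build one hash table from the wordlist; it cracks every matching user at once."""
    table = {store_unsalted_md5(w): w for w in wordlist}
    return {user: table[h] for user, h in stored_hashes.items() if h in table}


def same_password_collides(store_fn) -> bool:
    """Do alice and bob (same password) end up with the same stored value?"""
    return store_fn(USERS["alice"]) == store_fn(USERS["bob"])


if __name__ == "__main__":
    print("base64 round-trips:", recover_base64(store_base64("hunter2")))
    print("4x ROT13 of hunter2:", store_rot13("hunter2"))
    md5_db = {u: store_unsalted_md5(p) for u, p in USERS.items()}
    print("unsalted MD5 cracked:", crack_unsalted(md5_db, ["hunter2", "correct horse battery staple"]))
    print("salted values collide for alice/bob:", same_password_collides(store_salted))
```

The point of `same_password_collides` is the salting question: with unsalted MD5 it returns True, so a leaked table immediately reveals who shares a password and one precomputed table breaks them all; with a random per-user salt it returns False and each user has to be attacked separately at the KDF's cost.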
