Nearly Half a Million Yahoo Passwords Leaked [Updated]
An anonymous reader writes "Some 450,000 email addresses and associated unencrypted passwords have been dumped online by the hacking collective 'D33Ds Company' following the compromise of a Yahoo subdomain. The attackers said that they managed to access the subdomain by leveraging a union-based SQL injection attack, which made the site return more information than it should have. According to Ars Technica, the dump also includes over 2,700 database table or column names and 298 MySQL variables retrieved during the attack."
Update: 07/12 20:03 GMT by T: Reader techfun89 adds this update: "Yahoo has confirmed that the usernames and passwords of more than 400,000 accounts were stolen from their servers earlier this week and that data was briefly posted online. The information has since been removed but it wasn't just credentials for Yahoo, but also Gmail, AOL, Comcast, Hotmail, MSN, SBC Global, BellSouth, Verizon and Live.com as well."
http://d33ds.co/archive/yahoo-disclosure.txt
Slashdotted, more info here:
http://dazzlepod.com/yahoo/
SQL Injection, in this day and age?
Fuck yahoo, fuck the cloud, fuck all the big providers...
This wouldn't terribly shock me, but it also wouldn't concern me much if it were to happen. While the data in a Lastpass vault is quite desirable, it's also much more securely stored than your average data set. Even if someone managed to get a dump of their entire data set they'd have to decrypt each vault individually. If you follow their recommendations then your vault is likely not easy to crack.
Most of all, I wouldn't be concerned because, as Lastpass has shown in the past, they take communications seriously. When they noticed strange traffic they immediately told their users to change their vault passwords. This is different than waiting for a whistleblower to come forward and then announcing the breach, or even waiting until an investigation proves there was no breach. That previous incident may have shaken the faith of some, but the way the company handled it increased my faith in them.
Should a major breach happen I would simply change my vault password and then begin changing the passwords I have stored in the vault. Since Lastpass would alert me early on that the breach happened, by the time my vault was cracked - if at all - the passwords within would be useless.
http://it.slashdot.org/comments.pl?sid=2974701&cid=40627163
And since I use plenty of folders, Gmail won't do here.
Gmail works fine with folders. You can set up Thunderbird with Gmail's IMAP and then drag/drop your Yahoo folders onto it to migrate all your old mail.
how about checking more than just this leak...
have a look at http://bit.ly/rosGrL
regards
John Jones
Better to use keepass then, because there is no central database of passwords for that.
450,000? So about 15 are real email accounts that people use.
I only skimmed TFA and it seemed to indicate that these were probably related to the Yahoo! Voice service... whatever that is.
As for their email, probably quite a lot of people do use it as some ISPs use Yayhoo! to supply their own-branded email. BT Internet in the UK for one anyway.
Several people have made similar comments. What worries me is that they are not also slamming them for storing passwords in plaintext AGAIN. User passwords should not be stored anywhere on the system. You store a salt and hash of the password - this is fine for login, but fairly useless for hackers should they get it.
You don't store just any hash, you should store one that is expensive to compute, by using PBKDF2, bcrypt, scrypt or similar.
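The salted, deliberately slow password hashing described in the two comments above, as an added Python example (not code from the thread or from Yahoo): PBKDF2-HMAC-SHA256 from the standard library with a fresh random salt per user and a constant-time check. The record format and the iteration count are choices made for this example, not anything the page specifies.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 settings (chosen for this example). The iteration count is
# what makes each guess expensive for someone who has stolen the table.
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the comparison does not leak how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    hash_name = algo[len("pbkdf2_"):]
    candidate = hashlib.pbkdf2_hmac(
        hash_name, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo() -> dict:
    """Two users sharing a password get different records, because the salt
    differs, and only the right password verifies against each record."""
    shared = "correct horse battery staple"
    alice = hash_password(shared)
    bob = hash_password(shared)
    return {
        "records_differ": alice != bob,
        "alice_ok": verify_password(shared, alice),
        "bob_ok": verify_password(shared, bob),
        "wrong_rejected": verify_password("Tr0ub4dor&3", alice),
    }
```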
How hard is it to evaluate a string for potential danger?
Pretty hard, if you don't want to corrupt user data. A botched attempt to do so is how the bogus word "medireview" was created.
What they really should be doing is using parameterized queries so that the user-input strings cannot be treated as SQL commands, but will always be treated as data.
What's wrong with users changing passwords every week?
I'll tell you what's wrong with that: Most users are human, and won't be able to remember their passwords if they change them often. Especially since most people have a handful or more passwords and PINs they have to remember.
Frequent password changes lead to either simplified passwords with a single short element that changes, or passwords that are written down on a post-it note or similar.
The greatest enemy of safe authentication is the CFO. After him or her, it's the user. You have to get both to play ball, and you don't do that by annoying either of them.
Correct, but I think he was pointing out that Bengie wrote 'week passwords' rather than 'weak passwords', i.e. I think the post was meant to be humorous.
Clicked pie.
https://d33ds.co/archive/yahoo-disclosure.txt The server is belly up, though, as I write this (7:15am PDT). Please mirror, if you can get your hands on the list. Another list of the compromised accounts (search enabled, no passwords), is here http://dazzlepod.com/yahoo/
Does anyone have a link to the leak? You know, I want to check if my password was leaked.
Here you go.
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
SQL injection is insanely easy to protect against. Your input should NOT be in your command stream.
C# pseudo-syntax
sql.CommandType = CommandType.StoredProcedure;
sql.CommandText = "MyStoredProcedure";
sql.Parameters.AddWithValue("@MyInput", InputValue); // the value travels as a typed parameter, never as SQL text
You will never get an SQL injection through that (assuming MyInput isn't a string that gets concatenated to dynamic SQL inside the sproc).
You could even do something like this:
sql.CommandType = CommandType.Text;
sql.CommandText = "select * from table";
if (InputValue != null) {
    // only fixed SQL text is appended; the user's value is still bound as a parameter
    sql.CommandText += " where table.myfield = @MyInput";
    sql.Parameters.AddWithValue("@MyInput", InputValue);
}
This is also safe from injection.
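The parameterized-query point made earlier in the thread and in the C# sketch above, as an added Python/sqlite3 example (not code from the thread, from the commenter or from Yahoo): the same lookup written with string concatenation and with a bound parameter, run against constructed sample data so the difference in what each returns can be checked directly.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a table the lookup is meant to read and a
    second table that the same query must never be able to reach."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER, name TEXT);
        INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
        CREATE TABLE users (id INTEGER, email TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'alice@example.com', 'plaintext-pw');
        """
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The defect: input is spliced into the SQL text, so it is part of the
    command stream and can rewrite the statement."""
    query = f"SELECT id, name FROM products WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """The fix: a bound parameter. The driver passes the input as data, so a
    quote or a UNION keyword inside it is only text to compare against."""
    return conn.execute(
        "SELECT id, name FROM products WHERE name = ?", (name,)
    ).fetchall()


def demo() -> dict:
    conn = make_db()
    # Union-based input of the kind the story describes: it closes the string
    # literal, appends a second SELECT against another table and comments out
    # the trailing quote, so the concatenated query returns more than it should.
    hostile = "x' UNION SELECT email, password FROM users --"
    return {
        "unsafe_normal": lookup_unsafe(conn, "widget"),
        "unsafe_hostile": lookup_unsafe(conn, hostile),
        "safe_normal": lookup_safe(conn, "widget"),
        "safe_hostile": lookup_safe(conn, hostile),
    }
```

The parameterized version returns nothing for the hostile input because no product is literally named that string; the concatenated version hands back the users table instead.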
I have an att.net email account which for some reason has to be accessed through Yahoo, I guess they're corporate partners or something... The point is, I have always protected my email address with religious fervor, and as a result I do not get spam, ever, period, not once. Until today, that is. Make of it what you will, but to me this is just way too much of a coincidence. I strongly suspect it will come out that the hack went deeper and compromised much more than what is currently being reported. To repeat, I have had a totally spam-free yahoo mail address for 5 years and all of a sudden today I get spam, despite the fact that my address is NOT listed in the list of compromised accounts. Make of this what you will, but personally I'm not very happy with Yahoo at the moment.