Slashdot Mirror

← Back to Stories (view on slashdot.org)

Yahoo! Closes Security Hole That Led To Breach

Posted by samzenpus on from the stopping-the-leak dept.

An anonymous reader writes "Yahoo! has patched the security hole that allowed hackers to access some 450,000 email addresses and passwords associated with Yahoo! Contributor Network and ultimately publish them last week. In the meantime, the group responsible for the hack of the official forum site of technology company NVIDIA has also dumped some user 800 records taken during the breach."

30 of 43 comments (clear)

  1. Nothing is every secure by ManOnline · · Score: 2, Informative

    Anyone however believes in 100% security will always be a victim of a hack. Always store personal information knowing that somebody can get to it.

    --
    http://OnlineURLDirectory.com http://GunsAmmoForum.com
    1. Re:Nothing is every secure by hcs_$reboot · · Score: 3, Interesting

      Anyone however believes in 100% security will always be a victim of a hack

      Pretty off topic in my opinion. Companies are not equal when it comes to security, far from it. Two major distinctions: the way the company was hacked (e.g. SQL injection), and how fast the company fixes the security concern(s). Sony for instance was a good (i.e. bad) example in both categories.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:Nothing is every secure by Khyber · · Score: 1

      "Pretty off topic in my opinion"

      No it's not off-topic. Man can make it, man can break it. That simple.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    3. Re:Nothing is every secure by Billly+Gates · · Score: 2

      Anyone however believes in 100% security will always be a victim of a hack. Always store personal information knowing that somebody can get to it.

      Inexcusable!

      Any bank that would get robbed that has little to no security should be grilled the same way. Nothing is ever secure so its ok there was no alarm in the safe etc. This reminded me why I no longer use Yahoo anymore and why the company is dying. I used to somewhat feel sorry for them as Google was overated with a marketing swing but it shows poor leadership and management.

      An example is YahooChat which I used to use over a decade ago. Then porn spammers came in and bombed you every 3 minutes with check out my titties and this scared every human away to the point where only porn spam bots were in there. There are teen and kid chat rooms where this happened too! People should be in jail for this as this is now pedophilia. Did Yahoo even care? No. for the hell of it 3 years ago I came back to Yahoo chat and the problem was still not fixed and even worse where I would be spammed every 30 seconds. No human is left anymore.

      Now comes YahooIM which I still use, but not with a Yahoo client. I get these strange names each time I log in from Digsby by of course my Yahoo account requesting to be my friend. Same porn spammers. I just do not add anyone unless I they have emailed me and let me know ahead of time because every few hours a spammer will come on. Did Yahoo fix it? No.

      Evern wonder why Skype is so popular as an IM? Now you know why.

      Yahoo lost to Google and Bing. DId Yahoo fix it? No.

      If you use Firefox and have YahooMail opened in one tab and browse porn in the other tab your yahoo email will randomly start sending out spam to people. Hairyfeet noticed that too. Did Yahoo fix it? no. ... I wont waste any more slashdotters time other to say stop giving them excuses for their incompetent management and employees. They are incompetent and any company worth as much as Yahoo should have a dedicated security team. There are more issues I wont discuss but only old people whose default homepage has not been changed still use it. The company is dying right now deservingly so and it will probably be gone in a couple years. Nobody seems to care or take their product seriously. It is no surprise they only got off their ass when it hit the news. Yahoo is terrible

      --
      http://saveie6.com/
    4. Re:Nothing is every secure by Mashiki · · Score: 1

      Anyone however believes in 100% security will always be a victim of a hack. Always store personal information knowing that somebody can get to it.

      Filthy lies.

      I dare you to get the information from this machine. It's locked in a steel cage, unplugged from the internet. Unpowered, been encased in 3ft of concrete, and dumped in the Mariana's Trench. And the person who dumped it there has been put on a deserted island, buried up to his neck, and left to the animals.

      I'm pretty sure we've got the security though obscurity covered here. Though, those pesky animals might have some weird form of osmosis, and might know the location now...

      --
      Om, nomnomnom...
    5. Re:Nothing is every secure by able1234au · · Score: 1

      ...that and you just told all of slashdot where it is. See... someone always talks.

  2. Change password again by Nkwe · · Score: 2

    So now that it's patched Yahoo users should change their passwords again. Presumably if your account was on "the list" and you changed your password after the first disclosure, your credentials could have been compromised again - prior to the security hole being closed.

    While this may sound obvious, I bet many folks don't realize the distinction between a disclosure announcement and correction of the problem. Many people probably assume that when a massive password disclosure is made, that the problem has already been fixed. In this case apparently not.

    1. Re:Change password again by arth1 · · Score: 3, Interesting

      So now that it's patched Yahoo users should change their passwords again. Presumably if your account was on "the list" and you changed your password after the first disclosure, your credentials could have been compromised again - prior to the security hole being closed.

      While this may sound obvious, I bet many folks don't realize the distinction between a disclosure announcement and correction of the problem. Many people probably assume that when a massive password disclosure is made, that the problem has already been fixed. In this case apparently not.

      What seems obvious, but which some people obviously don't realise, is that the vulnerable services were taken offline until they were fixed.

    2. Re:Change password again by jones_supa · · Score: 1

      There should be some de facto standard "how to choose a good password" guide, hosted by EFF or some other reputable organization. Then we would recommend web services to have a link to this guide during password creation process.

    3. Re:Change password again by arth1 · · Score: 1

      There should be some de facto standard "how to choose a good password" guide, hosted by EFF or some other reputable organization. Then we would recommend web services to have a link to this guide during password creation process.

      Like this, you mean?

      The problem with authoritative guides for this is that if most people follow the guide without thinking, the job becomes easier for the crackers. They can then use partial rainbow tables that exclude everything that the guide tells people not to do, and include what they tell them to do. Passwords work best when they are as varied as possible.

    4. Re:Change password again by davidwr · · Score: 1

      Well, yes and no.

      It's still not a good idea to use very short passwords "just because the bad guys won't check for them because the security guide tells you not to use them."

      It's very quick for a bad guy to check all possible 4-character symbols that appear on a US keyboard, so there's not much point in him NOT checking them all, even in a world where the odds of someone using that password are the proverbial "1 in a million".

      Now, as that great philosopher Randall Munroe pointed out, a complicated-looking password may in fact be weaker than a simple-looking password. Of course, the passwords Tr0ub4dor&3 and correct horse battery staple and their simple variations are now over-represented in real-world use and would make great "first guesses" by bad guys.

      Hmm, I think just to be safe my next password will be a combination of at least 2 words, at least 2 "mucked-up words," and spaces between words possibly replaced by other things or eliminated altogether. I better post it to my public Facebook page so I don't forget.

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    5. Re:Change password again by Sir_Sri · · Score: 1

      In this case the yahoo's official stance was that these were all username/pwd pairs from 2010 when yahoo acquired/merged/whatever with the service in question. So the users in question could even have changed their passwords in the intervening 2 years and still been relatively safe. That could be complete bullshit or completely wrong, I have no idea. I would think yahoo by 2010 would have known enough about security to not have a plaintext password, but you never know.

      But yes, the problem with 'change your password' advice is that you need to know the problem has been fixed before thinking a new password actually accomplishes anything other than handing hackers another password.

    6. Re:Change password again by PNutts · · Score: 1

      Which confuses me because Yahoo Mail was offline for me during this time. There was a maintenance notice and when my mail was available, my contacts weren't (for awhile). Does this mean it was more than what was disclosed?

    7. Re:Change password again by arth1 · · Score: 1

      Which confuses me because Yahoo Mail was offline for me during this time. There was a maintenance notice and when my mail was available, my contacts weren't (for awhile). Does this mean it was more than what was disclosed?

      My guess is that they closed more than what was strictly necessary, while they verified just what had been affected. Which is good practice.

  3. Re:LOL by Jeng · · Score: 1

    How so?

    The only reason they are in the news is because they were hacked, not because anyone thought they were relevant.

    --
    Don't know something? Look it up. Still don't know? Then ask.
  4. Re:LOL by Eponymous+Hero · · Score: 1

    i think that was the point AC was making.

    --
    insensitive clod overlords obligatory xkcd car analogy russian reversals whoosh pedant fanbois ftfy in 3...2...1..PROFIT
  5. storage of passwords was/is the security hole by GodWasAnAlien · · Score: 1

    The security flaw was the storage of the passwords rather than passwords hash.

    Did they fix that?

    1. Re:storage of passwords was/is the security hole by garett_spencley · · Score: 1

      "The security flaw was the storage of the passwords rather than passwords hash."

      It was a security flaw. Ideally the passwords would be stored hashed (and salted) and their software would not have made them vulnerable to an SQL injection. I mean seriously, an SQL injection?! The software should be using a database abstraction layer or an ORM that takes care of normalizing SQL automatically. These days there's really no excuse for that one. ... but then, storing passwords as plain text too ... I had WAY higher expectations of Yahoo for some reason. Silly me.

  6. Re:oh fuck by bkcallahan · · Score: 1

    It's why I just share them in the first place.

  7. Their e-mail made no sense by slashmydots · · Score: 3, Interesting
    I happened to have joined Associated Content just barely prior to may 2010 so I got one of Yahoo's e-mails on my road runner e-mail account, which is what I used to sign up for AC. It seemed to advise me to change my e-mail password ASAP. AC doesn't know my e-mail address password so I'm not sure I quite understand that one. I'll paste the entire thing below. Does anyone know what they actually stole?! Am I supposed to change my AC account password?

    You may have read in press reports that Yahoo! recently confirmed an older file containing approximately 450,000 email addresses and passwords—provided by writers who had joined Associated Content prior to May 2010—was publicly posted on the Internet. This file was a standalone file that was not used to grant access to Yahoo! systems and services. This message is being sent to an email address in this compromised file.

    We are taking important steps to address this issue and have now fixed the vulnerability that led to the disclosure of the data and enhanced our underlying security controls. As a non-Yahoo! account holder, we apologize that we cannot provide you a direct means to secure your account. We strongly recommend that you employ the security mechanisms recommended by your email service provider to secure your account.

    Additionally, given the high frequency of consumers using the same login information on services across the Internet, we strongly advise users to:

    Change their passwords for any account they hold every few months,
    Use a different password for each service or website, and
    Create passwords using a mixture of characters, symbols, and numbers.


    We also suggest that you proactively monitor the activity on any account you have created online. Specifically, be on the lookout for spam originating from your email, and check your sign-in activity from time to time. If you see anything suspicious—like your account was accessed in Romania when you were home in Chicago—you should change your password immediately.

    We take security very seriously at Yahoo! and invest heavily in protective measures to ensure the security of our users and their data across all our products. In addition, we will continue to take significant measures to protect our users and their data.

    We sincerely apologize for this matter. Yahoo! Inc.

  8. Re:Oh Yahoo by uigrad_2000 · · Score: 1

    The hack was to Yahoo Voice, which hasn't been operated by Yahoo for 4 years now.

    450,000 accounts on Yahoo Voice actually astonishes me. I've never met anyone who has ever used that service, including my friends that currently work at Yahoo.

    Yahoo! itself is still relevant. People still use delicio.us, flickr, and Yahoo! groups a lot. Their sports pages are far less bloated than ESPN's, so I use them every day.

    --
    Free unix account: freeshell.org
  9. OR: If I can see it, hostiles can too by davidwr · · Score: 1

    A better way of putting it:

    Always store personal information knowing that if I or anyone else can recover it either alone by helping each other, someone unfriendly can get to it.

    There are ways of destroying my ability to access data that are 100% effective in making sure nobody else can get to it either, ever. They may, however, involve killing anyone who ever had access to the data and destroying their brains.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  10. Re:Oh Yahoo by poetmatt · · Score: 1

    of the "450k" the question is how many aren't bots?

    It's probably harder to find legitimate users than it is to find bots overall with all of yahoo's services. They never seem to care about the spam/abuse in general.

  11. Re:Oh Yahoo by davidwr · · Score: 2

    450,000, with "n" of them people who signed up just to try it out.

    The value of "n" is left as speculation for the reader.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  12. Re:But are there more Yahoo leaks? by Sir_Sri · · Score: 1

    ya, it looks like the yahoo android app has some problem with it.

    http://www.zdnet.com/new-yahoo-app-vulnerability-explains-android-spam-7000000964/

    At the same time, there has been an nvidia forum breach, so anyone who used a shared username/pwd pair on those services might be vulnerable.

  13. This is news??? by Sqr(twg) · · Score: 1

    The headline is on par with "Bear observed defecating in forest."

    If Yahoo had left the hole wide open, THAT would have been news.

    1. Re:This is news??? by toonces33 · · Score: 1

      "Bear observed defecating in forest."

      Dammit - that was my password. Now I have to change it again.

    2. Re:This is news??? by jamstar7 · · Score: 1

      Pics or it didn't happen

      Dammit, that was my passphrase.

      Now I gotta go through 79 different online services to change it... Thanks a lot, pal!

      --
      Understanding the scope of the problem is the first step on the path to true panic.
  14. Re:But are there more Yahoo leaks? by PNutts · · Score: 1

    A buddy at work and I also had the same thing happen (received SPAM from a known account). For mine the originating server was in Russia and his was in the Far East somewheres. In both cases the account owner is not aware of a breach, their passwords still work, etc. I think Yahoo! has a problem they haven't disclosed.

  15. Re:LOL by PNutts · · Score: 1

    WHOOOSH!