Attacks/Breaches
7/12/2012
08:59 AM
Connect Directly
RSS
E-Mail
50%
50%

Yahoo Hack Leaks 453,000 Voice Passwords

Yahoo passwords were stored unencrypted and stolen via a SQL injection attack, attackers claim. Meanwhile, Formspring resets passwords for 28 million users after a password breach.

Who Is Anonymous: 10 Key Facts
Who Is Anonymous: 10 Key Facts
(click image for larger view and for slideshow)
Yahoo Voices users: Change your Yahoo password immediately.

A hacker or hacking group that bills itself as "D33Ds Company" Thursday leaked what it said were plaintext passwords for 453,492 Yahoo accounts, as well as over 2,700 database table or column names, and 298 MySQL variables. D33Ds said it obtained the data by executing a SQL injection attack against an unnamed Yahoo subdomain, which security experts have identified as being Yahoo Voices.

"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," read a note included in the password dump. "There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage."

[ It has been a bad week for Yahoo when it comes to security issues. Read Yahoo Defends Android App, Botnet Questions Remain. ]

A Yahoo spokesman said that the company is currently investigating the alleged password leak. "We are currently investigating the claims of a compromise of Yahoo! user IDs. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com," he said. "At Yahoo we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products."

According to security researchers, the leaked data came from the Yahoo Voices service. That's because, while most subdomain details were excised from the data dump, "the attacker forgot to remove the hostname 'dbb1.ac.bf1.yahoo.com' (credit to Mubix for the hostname find). Looking through a variety of sources, it appears that the compromised server was likely 'Yahoo! Voices' which was formally known as Associated Content," according to Trusted Security. But according to the Guardian, the last entries in the data dump link to IDs created in 2006, suggesting that the password list may date from that time.

Yahoo bought Associated Content in May 2010 for $100 million, then renamed the service as Yahoo Voices. Which Yahoo Voices users have been affected by the breach? The Dazzlepod website has collected a searchable list of affected usernames and email addresses.

The Yahoo Voices password breach follows recent password breaches involving LinkedIn, as well as eHarmony and Last.fm. All of those breaches came to light only after stolen password hashes were posted to online forums. Unlike LinkedIn, eHarmony, and Last.fm, however, according to D33Ds, Yahoo wasn't even hashing its passwords. Instead, it said they'd been stored in unencrypted format, which would mean that Yahoo had fumbled a crucial information security best practice.

In online forums, some posters posited that the plaintext passwords may date from Yahoo's acquisition of Associated Content in 2010. "Most likely a dump of old tables before authentication was migrated to login.yahoo.com. Should've dropped these tables after the migration," said "mathrawka," who claimed to have previously been a developer involved with Yahoo's single sign-on system, in a post to Hacker News.

If--as D33Ds Co. claimed--Yahoo was storing passwords in plaintext format, privacy experts foresee FTC sanctions. Notably, privacy researcher Christopher Soghoian said via Twitter that there's a "strong chance of FTC deception case re: Yahoo password breach via claim it maintains reasonable electronic safeguards," and referenced Yahoo's privacy policy. The first line of that policy states: "Yahoo! takes your security seriously and takes reasonable steps to protect your information."

According to Soghoian, the FTC's complaint against RockYou, from which an attacker obtained and leaked 32 million passwords, focused on RockYou's privacy policy, which promised that "RockYou! uses commercially reasonable ... safeguards to preserve the integrity and security of your personal information." But the FTC alleged that RockYou's actual security safeguards weren't reasonable, in part because the website had failed to protect "its website from ... commonly known or reasonably foreseeable attacks from third parties attempting to obtain access to customer information stored in [RockYou's] databases."

SQL injection attacks are one of the most common types of attacks used to compromise websites and databases, and a favorite of hacktivist collectives, including Anonymous. Such attacks work by "injecting" SQL commands into databases. When databases don't properly screen such inputs for signs of attack, attackers have an easy-to-use technique for obtaining sensitive information from databases. A variety of freely available automated SQL injection attack tools further simply the process.

The Yahoo Voices password breach leak comes just one day after reports that 420,000 password hashes from question-and-answer website Formspring had been posted to a hacking forum. "We learned this morning that we had a security breach where some user passwords may have been accessed," said Formspring CEO Ade Olonoh in a blog posted Wednesday. In response, the company disabled passwords for all of its 28 million users.

"We apologize for the inconvenience but prefer to play it safe and have asked all members to reset their passwords," said Olonoh. "Users will be prompted to change their passwords when they log back into Formspring." He also detailed recommendations for creating strong passwords.

Later Wednesday, Olonoh posted additional details about the attack. "We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database," he said. "We were able to immediately fix the hole and upgraded our hashing mechanisms from SHA-256 with random salts to Bcrypt, to fortify security. We take this matter very seriously and continue to review our internal security policies and practices to help ensure that this never happens again."

Formspring has been forthright about rapidly notifying users of a breach, detailing the problem, as well as immediately putting in place a solution. Will Yahoo follow suit?

Editor's note: Corrected spelling of D33Ds hacker group.

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity issue of Dark Reading shows how to strengthen them. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6856
Published: 2014-10-02
The AHRAH (aka com.vet2pet.aid219426) application 219426 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6857
Published: 2014-10-02
The Car Wallpapers HD (aka com.arab4x4.gallery.app) application 1.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6858
Published: 2014-10-02
The Mostafa Shemeas (aka com.mostafa.shemeas.website) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6859
Published: 2014-10-02
The Daum Maps - Subway (aka net.daum.android.map) application 3.9.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6860
Published: 2014-10-02
The Trial Tracker (aka com.etcweb.android.trial_tracker) application 1.1.9 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.