Attacks/Breaches
7/12/2012
08:59 AM
Connect Directly
RSS
E-Mail
50%
50%

Yahoo Hack Leaks 453,000 Voice Passwords

Yahoo passwords were stored unencrypted and stolen via a SQL injection attack, attackers claim. Meanwhile, Formspring resets passwords for 28 million users after a password breach.

Who Is Anonymous: 10 Key Facts
Who Is Anonymous: 10 Key Facts
(click image for larger view and for slideshow)
Yahoo Voices users: Change your Yahoo password immediately.

A hacker or hacking group that bills itself as "D33Ds Company" Thursday leaked what it said were plaintext passwords for 453,492 Yahoo accounts, as well as over 2,700 database table or column names, and 298 MySQL variables. D33Ds said it obtained the data by executing a SQL injection attack against an unnamed Yahoo subdomain, which security experts have identified as being Yahoo Voices.

"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," read a note included in the password dump. "There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage."

[ It has been a bad week for Yahoo when it comes to security issues. Read Yahoo Defends Android App, Botnet Questions Remain. ]

A Yahoo spokesman said that the company is currently investigating the alleged password leak. "We are currently investigating the claims of a compromise of Yahoo! user IDs. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com," he said. "At Yahoo we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products."

According to security researchers, the leaked data came from the Yahoo Voices service. That's because, while most subdomain details were excised from the data dump, "the attacker forgot to remove the hostname 'dbb1.ac.bf1.yahoo.com' (credit to Mubix for the hostname find). Looking through a variety of sources, it appears that the compromised server was likely 'Yahoo! Voices' which was formally known as Associated Content," according to Trusted Security. But according to the Guardian, the last entries in the data dump link to IDs created in 2006, suggesting that the password list may date from that time.

Yahoo bought Associated Content in May 2010 for $100 million, then renamed the service as Yahoo Voices. Which Yahoo Voices users have been affected by the breach? The Dazzlepod website has collected a searchable list of affected usernames and email addresses.

The Yahoo Voices password breach follows recent password breaches involving LinkedIn, as well as eHarmony and Last.fm. All of those breaches came to light only after stolen password hashes were posted to online forums. Unlike LinkedIn, eHarmony, and Last.fm, however, according to D33Ds, Yahoo wasn't even hashing its passwords. Instead, it said they'd been stored in unencrypted format, which would mean that Yahoo had fumbled a crucial information security best practice.

In online forums, some posters posited that the plaintext passwords may date from Yahoo's acquisition of Associated Content in 2010. "Most likely a dump of old tables before authentication was migrated to login.yahoo.com. Should've dropped these tables after the migration," said "mathrawka," who claimed to have previously been a developer involved with Yahoo's single sign-on system, in a post to Hacker News.

If--as D33Ds Co. claimed--Yahoo was storing passwords in plaintext format, privacy experts foresee FTC sanctions. Notably, privacy researcher Christopher Soghoian said via Twitter that there's a "strong chance of FTC deception case re: Yahoo password breach via claim it maintains reasonable electronic safeguards," and referenced Yahoo's privacy policy. The first line of that policy states: "Yahoo! takes your security seriously and takes reasonable steps to protect your information."

According to Soghoian, the FTC's complaint against RockYou, from which an attacker obtained and leaked 32 million passwords, focused on RockYou's privacy policy, which promised that "RockYou! uses commercially reasonable ... safeguards to preserve the integrity and security of your personal information." But the FTC alleged that RockYou's actual security safeguards weren't reasonable, in part because the website had failed to protect "its website from ... commonly known or reasonably foreseeable attacks from third parties attempting to obtain access to customer information stored in [RockYou's] databases."

SQL injection attacks are one of the most common types of attacks used to compromise websites and databases, and a favorite of hacktivist collectives, including Anonymous. Such attacks work by "injecting" SQL commands into databases. When databases don't properly screen such inputs for signs of attack, attackers have an easy-to-use technique for obtaining sensitive information from databases. A variety of freely available automated SQL injection attack tools further simply the process.

The Yahoo Voices password breach leak comes just one day after reports that 420,000 password hashes from question-and-answer website Formspring had been posted to a hacking forum. "We learned this morning that we had a security breach where some user passwords may have been accessed," said Formspring CEO Ade Olonoh in a blog posted Wednesday. In response, the company disabled passwords for all of its 28 million users.

"We apologize for the inconvenience but prefer to play it safe and have asked all members to reset their passwords," said Olonoh. "Users will be prompted to change their passwords when they log back into Formspring." He also detailed recommendations for creating strong passwords.

Later Wednesday, Olonoh posted additional details about the attack. "We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database," he said. "We were able to immediately fix the hole and upgraded our hashing mechanisms from SHA-256 with random salts to Bcrypt, to fortify security. We take this matter very seriously and continue to review our internal security policies and practices to help ensure that this never happens again."

Formspring has been forthright about rapidly notifying users of a breach, detailing the problem, as well as immediately putting in place a solution. Will Yahoo follow suit?

Editor's note: Corrected spelling of D33Ds hacker group.

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity issue of Dark Reading shows how to strengthen them. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5242
Published: 2014-10-21
Directory traversal vulnerability in functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the name parameter in a get_template action.

CVE-2012-5243
Published: 2014-10-21
functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to read arbitrary database information via a crafted request.

CVE-2012-5702
Published: 2014-10-21
Multiple cross-site scripting (XSS) vulnerabilities in dotProject before 2.1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) callback parameter in a color_selector action, (2) field parameter in a date_format action, or (3) company_name parameter in an addedit action to i...

CVE-2013-7406
Published: 2014-10-21
SQL injection vulnerability in the MRBS module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-2531
Published: 2014-10-21
SQL injection vulnerability in xhr.php in InterWorx Web Control Panel (aka InterWorx Hosting Control Panel and InterWorx-CP) before 5.0.14 build 577 allows remote authenticated users to execute arbitrary SQL commands via the i parameter in a search action to the (1) NodeWorx , (2) SiteWorx, or (3) R...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.