Attacks/Breaches
7/12/2012
08:59 AM
50%
50%

Yahoo Hack Leaks 453,000 Voice Passwords

Yahoo passwords were stored unencrypted and stolen via a SQL injection attack, attackers claim. Meanwhile, Formspring resets passwords for 28 million users after a password breach.

Who Is Anonymous: 10 Key Facts
Who Is Anonymous: 10 Key Facts
(click image for larger view and for slideshow)
Yahoo Voices users: Change your Yahoo password immediately.

A hacker or hacking group that bills itself as "D33Ds Company" Thursday leaked what it said were plaintext passwords for 453,492 Yahoo accounts, as well as over 2,700 database table or column names, and 298 MySQL variables. D33Ds said it obtained the data by executing a SQL injection attack against an unnamed Yahoo subdomain, which security experts have identified as being Yahoo Voices.

"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," read a note included in the password dump. "There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage."

[ It has been a bad week for Yahoo when it comes to security issues. Read Yahoo Defends Android App, Botnet Questions Remain. ]

A Yahoo spokesman said that the company is currently investigating the alleged password leak. "We are currently investigating the claims of a compromise of Yahoo! user IDs. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com," he said. "At Yahoo we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products."

According to security researchers, the leaked data came from the Yahoo Voices service. That's because, while most subdomain details were excised from the data dump, "the attacker forgot to remove the hostname 'dbb1.ac.bf1.yahoo.com' (credit to Mubix for the hostname find). Looking through a variety of sources, it appears that the compromised server was likely 'Yahoo! Voices' which was formally known as Associated Content," according to Trusted Security. But according to the Guardian, the last entries in the data dump link to IDs created in 2006, suggesting that the password list may date from that time.

Yahoo bought Associated Content in May 2010 for $100 million, then renamed the service as Yahoo Voices. Which Yahoo Voices users have been affected by the breach? The Dazzlepod website has collected a searchable list of affected usernames and email addresses.

The Yahoo Voices password breach follows recent password breaches involving LinkedIn, as well as eHarmony and Last.fm. All of those breaches came to light only after stolen password hashes were posted to online forums. Unlike LinkedIn, eHarmony, and Last.fm, however, according to D33Ds, Yahoo wasn't even hashing its passwords. Instead, it said they'd been stored in unencrypted format, which would mean that Yahoo had fumbled a crucial information security best practice.

In online forums, some posters posited that the plaintext passwords may date from Yahoo's acquisition of Associated Content in 2010. "Most likely a dump of old tables before authentication was migrated to login.yahoo.com. Should've dropped these tables after the migration," said "mathrawka," who claimed to have previously been a developer involved with Yahoo's single sign-on system, in a post to Hacker News.

If--as D33Ds Co. claimed--Yahoo was storing passwords in plaintext format, privacy experts foresee FTC sanctions. Notably, privacy researcher Christopher Soghoian said via Twitter that there's a "strong chance of FTC deception case re: Yahoo password breach via claim it maintains reasonable electronic safeguards," and referenced Yahoo's privacy policy. The first line of that policy states: "Yahoo! takes your security seriously and takes reasonable steps to protect your information."

According to Soghoian, the FTC's complaint against RockYou, from which an attacker obtained and leaked 32 million passwords, focused on RockYou's privacy policy, which promised that "RockYou! uses commercially reasonable ... safeguards to preserve the integrity and security of your personal information." But the FTC alleged that RockYou's actual security safeguards weren't reasonable, in part because the website had failed to protect "its website from ... commonly known or reasonably foreseeable attacks from third parties attempting to obtain access to customer information stored in [RockYou's] databases."

SQL injection attacks are one of the most common types of attacks used to compromise websites and databases, and a favorite of hacktivist collectives, including Anonymous. Such attacks work by "injecting" SQL commands into databases. When databases don't properly screen such inputs for signs of attack, attackers have an easy-to-use technique for obtaining sensitive information from databases. A variety of freely available automated SQL injection attack tools further simply the process.

The Yahoo Voices password breach leak comes just one day after reports that 420,000 password hashes from question-and-answer website Formspring had been posted to a hacking forum. "We learned this morning that we had a security breach where some user passwords may have been accessed," said Formspring CEO Ade Olonoh in a blog posted Wednesday. In response, the company disabled passwords for all of its 28 million users.

"We apologize for the inconvenience but prefer to play it safe and have asked all members to reset their passwords," said Olonoh. "Users will be prompted to change their passwords when they log back into Formspring." He also detailed recommendations for creating strong passwords.

Later Wednesday, Olonoh posted additional details about the attack. "We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database," he said. "We were able to immediately fix the hole and upgraded our hashing mechanisms from SHA-256 with random salts to Bcrypt, to fortify security. We take this matter very seriously and continue to review our internal security policies and practices to help ensure that this never happens again."

Formspring has been forthright about rapidly notifying users of a breach, detailing the problem, as well as immediately putting in place a solution. Will Yahoo follow suit?

Editor's note: Corrected spelling of D33Ds hacker group.

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity issue of Dark Reading shows how to strengthen them. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8891
Published: 2015-03-06
Unspecified vulnerability in the Java Virtual Machine (JVM) in IBM SDK, Java Technology Edition 5.0 before SR16-FP9, 6 before SR16-FP3, 6R1 before SR8-FP3, 7 before SR8-FP10, and 7R1 before SR2-FP10 allows remote attackers to escape the Java sandbox and execute arbitrary code via unspecified vectors...

CVE-2014-8892
Published: 2015-03-06
Unspecified vulnerability in the Java Virtual Machine (JVM) in IBM SDK, Java Technology Edition 5.0 before SR16-FP9, 6 before SR16-FP3, 6R1 before SR8-FP3, 7 before SR8-FP10, and 7R1 before SR2-FP10 allows remote attackers to bypass intended access permissions and obtain sensitive information via un...

CVE-2015-1170
Published: 2015-03-06
The NVIDIA Display Driver R304 before 309.08, R340 before 341.44, R343 before 345.20, and R346 before 347.52 does not properly validate local client impersonation levels when performing a "kernel administrator check," which allows local users to gain administrator privileges via unspecified API call...

CVE-2015-1637
Published: 2015-03-06
Schannel (aka Secure Channel) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly restrict TLS state transitions, which makes it easier for r...

CVE-2014-2130
Published: 2015-03-05
Cisco Secure Access Control Server (ACS) provides an unintentional administration web interface based on Apache Tomcat, which allows remote authenticated users to modify application files and configuration files, and consequently execute arbitrary code, by leveraging administrative privileges, aka B...

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.