Attacks/Breaches
7/13/2012
08:57 AM

Yahoo Password Breach: New Risks

Yahoo confirms 450,000 passwords breached. While leaked data appears partially outdated, hackers likely had access to more user-provided personal details.

Yahoo, responding to a file released Wednesday that appeared to contain usernames and passwords associated with the Yahoo Voices service, confirmed Thursday that its Yahoo Contributor Network had been breached.

"We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 450,000 Yahoo! and other company users' names and passwords was compromised," said Yahoo spokesman Jon White via email. "Of these, less than 5% of the Yahoo! accounts had valid passwords."

Yahoo said the database breach occurred Wednesday, and that it had already patched the vulnerability exploited by the attacker or attackers. "We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users, and notifying the companies whose users' accounts may have been compromised," White said. "We apologize to all affected users."

Yahoo Contributor Network is an online platform for people to share video, audio, and slide shows; many contributors are paid based on the traffic their content generates. In December 2011, Yahoo renamed the service Yahoo Voices. Currently, contributors must log on to the service using a Facebook, Google, or Yahoo account.

A hacker or hacking group known as D33Ds Company leaked the Yahoo passwords Wednesday. "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," read a note included at the end of the password dump. While D33Ds Company said it had used a "union-based SQL Injection" attack to effect the leak, it said it purposefully wasn't detailing the Yahoo subdomain it exploited, or the exact vulnerabilities used, so Yahoo would have time to fix the vulnerability.

All told, 453,479 usernames were leaked, of which at least 433,278 appear to be email addresses, according to an analysis published by Identity Finder. Most of the email addresses used (33%) were Yahoo accounts, followed by Gmail (25%), Hotmail (13%), AOL (6%), Comcast (2%), and MSN (1.5%).

According to Yahoo, less than 5% of the Yahoo usernames published in the breach (about 6,400 usernames) were linked to a valid password. If that statistic applies to the other email services as well, then all told about 20,000 individuals' passwords are at risk, unless those users had already changed them.

While the leaked data appears to be at least partially outdated, the hackers behind the data breach likely had access to more user-provided personal details, noted Rob Rachwald, director of security strategy at Imperva.

"The usernames and password [list] seems to be obsolete, but the published file suggests that the hackers gained access to the whole database and were able to view some private data on 450,000 users such as full name, full address, phone number, bio, education, and date of birth," he said in a blog post.

"Sadly, this breach highlights how enterprises continue to neglect basic security practices. According to the hackers, the breach was enabled by a union-based SQL injection vulnerability in the application, which is a well-known attack," Rachwald said. "To add insult to injury, the passwords were stored in clear text and not hashed (encoded). One would think the recent LinkedIn breach would have encouraged change, but no."
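The two basic practices Rachwald says were neglected, keeping untrusted input out of SQL text and storing passwords as salted hashes rather than clear text, shown side by side in Python as an added example (this is not code from Yahoo, Imperva or the article). The `users` table, the sample accounts and the PBKDF2 work factor are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the demo; nothing here comes from the leaked file.
SAMPLE_USERS = [("alice@example.com", "correct horse battery"), ("bob@example.com", "hunter2")]
PBKDF2_ROUNDS = 100_000  # assumed work factor for the example

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt$digest'.
    A dumped row yields a per-user digest, not the password: the hashed storage
    the article contrasts with Yahoo's clear-text table."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)  # constant-time compare

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(e, hash_password(p)) for e, p in SAMPLE_USERS])
    return conn

def lookup_unsafe(conn, email):
    """The injectable pattern: untrusted input spliced into the SQL text.
    Returns (sql, rows), rows=None when the statement fails to parse: a quote in
    the input becomes SQL syntax instead of data, which is what lets an
    attacker-controlled string rewrite the structure of the query."""
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    try:
        return sql, conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return sql, None

def lookup_safe(conn, email):
    # Hardened form: the driver binds the value, so quotes stay inside the literal.
    return conn.execute("SELECT email FROM users WHERE email = ?", (email,)).fetchall()

def authenticate(conn, email, password):
    row = conn.execute("SELECT pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    return row is not None and verify_password(password, row[0])
```

Running `lookup_unsafe` and `lookup_safe` with an address such as `o'brien@example.com` shows the difference: the concatenated statement breaks on the quote, while the bound parameter is simply not found.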

Editor's note: Corrected spelling of D33Ds hacker group.

