7/13/2012
08:57 AM

Yahoo Password Breach: New Risks

Yahoo confirms 450,000 passwords breached. While leaked data appears partially outdated, hackers likely had access to more user-provided personal details.

Yahoo, responding to a file released Wednesday that appeared to contain usernames and passwords associated with the Yahoo Voices service, confirmed Thursday that its Yahoo Contributor Network had been breached.

"We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 450,000 Yahoo! and other company users' names and passwords was compromised," said Yahoo spokesman Jon White via email. "Of these, less than 5% of the Yahoo! accounts had valid passwords."

Yahoo said the database breach occurred Wednesday, and that it had already patched the vulnerability exploited by the attacker or attackers. "We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users, and notifying the companies whose users' accounts may have been compromised," White said. "We apologize to all affected users."

Yahoo Contributor Network is an online platform on which people share video, audio, and slide shows, and many contributors are paid based on the traffic their content generates. In December 2011, Yahoo renamed the service Yahoo Voices. Currently, contributors must log on to the service using a Facebook, Google, or Yahoo account.

A hacker or hacking group known as D33Ds Company leaked the Yahoo passwords Wednesday. "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," read a note included at the end of the password dump. D33Ds Company said it had used a "union-based SQL Injection" attack to obtain the data: an injected UNION SELECT clause appends rows from a table of the attacker's choosing to the legitimate query's result set, so the application itself returns them in its normal output. The group said it was deliberately withholding the Yahoo subdomain it exploited and the exact vulnerabilities used so that Yahoo would have time to fix them.

All told, 453,479 usernames were leaked, of which at least 433,278 appear to be email addresses, according to an analysis published by Identity Finder. The largest share of the email addresses (33%) were Yahoo accounts, followed by Gmail (25%), Hotmail (13%), AOL (6%), Comcast (2%), and MSN (1.5%).

According to Yahoo, less than 5% of the Yahoo usernames published in the breach (about 6,400) were linked to a password that was still valid. If that ratio holds for the other email services as well, then roughly 20,000 individuals' passwords across all the providers are at risk, unless those users had already changed them.

While the leaked data appears to be at least partially outdated, the hackers behind the data breach likely had access to more user-provided personal details, noted Rob Rachwald, director of security strategy at Imperva.

"The usernames and password [list] seems to be obsolete, but the published file suggests that the hackers gained access to the whole database and were able to view some private data on 450,000 users such as full name, full address, phone number, bio, education, and date of birth," he said in a blog post.

"Sadly, this breach highlights how enterprises continue to neglect basic security practices. According to the hackers, the breach was enabled by a union-based SQL injection vulnerability in the application, which is a well-known attack," Rachwald said. "To add insult to injury, the passwords were stored in clear text and not hashed (encoded). One would think the recent LinkedIn breach would have encouraged change, but no."
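To make concrete both the "union-based SQL injection" D33Ds Company described and the clear-text password storage Rachwald criticizes, here is an added example; it is not Yahoo's code and nothing in it comes from the leaked dump. It is a toy contributor-search function over an in-memory SQLite database: the table names, columns, sample accounts and the injection payload are all constructed for illustration. The search is written twice, once splicing the user's term into the SQL string and once with a bound parameter, and the password column is filled either in clear text or with a salted PBKDF2 hash, so the rows the vulnerable query hands an attacker can be compared under both storage choices.

```python
# Added example: toy contributor-search endpoint showing a union-based SQL
# injection against string-built SQL, the parameterized fix, and why hashed
# password storage limits the damage of a database dump. Not Yahoo's code;
# every table, column, account and payload below is constructed.
import hashlib
import hmac
import os
import sqlite3

# Constructed sample rows: 'articles' is what the search is meant to query,
# 'users' is what it must never expose.
USERS = [("alice@example.com", "hunter2"), ("bob@example.com", "letmein")]
ARTICLES = [("How to bake bread", "alice@example.com"),
            ("Car repair tips", "bob@example.com")]

PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt_hex$digest_hex'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex = stored.split("$", 1)[0]
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def make_db(hash_passwords):
    """In-memory database; passwords kept in clear text (as the breached site
    reportedly stored them) or as salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.execute("CREATE TABLE articles (title TEXT, author TEXT)")
    for email, pw in USERS:
        stored = hash_password(pw) if hash_passwords else pw
        conn.execute("INSERT INTO users VALUES (?, ?)", (email, stored))
    conn.executemany("INSERT INTO articles VALUES (?, ?)", ARTICLES)
    return conn


def search_vulnerable(conn, term):
    """The flaw the attackers described: the search term is spliced into the
    SQL text, so a quote ends the LIKE pattern and the rest is parsed as SQL."""
    sql = "SELECT title, author FROM articles WHERE title LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Same query with a bound parameter: the term is data, never SQL.
    (LIKE wildcards inside the term are a separate, non-injection concern.)"""
    sql = "SELECT title, author FROM articles WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# Union-based payload: closes the pattern, appends a SELECT with the same
# column count (2) from the users table, and comments out the trailing "%'".
# The SQL the vulnerable function ends up running is:
#   SELECT title, author FROM articles WHERE title LIKE '%zzz'
#   UNION SELECT email, password FROM users -- %'
UNION_PAYLOAD = "zzz' UNION SELECT email, password FROM users -- "


def demo():
    """What the same payload yields against each variant of the site."""
    cleartext_db = make_db(hash_passwords=False)
    hashed_db = make_db(hash_passwords=True)
    return {
        # String-built SQL + clear-text storage: the search output is the
        # user table, credentials included.
        "vulnerable_cleartext": sorted(search_vulnerable(cleartext_db, UNION_PAYLOAD)),
        # Same injection, hashed storage: rows still leak, but each password
        # must now be cracked against its own salt rather than simply read.
        "vulnerable_hashed": sorted(search_vulnerable(hashed_db, UNION_PAYLOAD)),
        # Parameterized query: the payload is just an unmatched search term.
        "safe": search_safe(cleartext_db, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The parameterized query is the fix for the injection itself; the hashing is the second, independent layer that determines what a successful dump is worth. Both were missing in the incident as described, which is why a single well-known flaw turned into a usable credential list.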

Editor's note: Corrected spelling of D33Ds hacker group.

