Yahoo Password Breach: 7 Lessons Learned

What should businesses, users, and regulators take away from the Yahoo password breach? Start with encryption for all stored passwords.

Mathew J. Schwartz, Contributor

July 13, 2012

5 Min Read

Who Is Anonymous: 10 Key Facts

Who Is Anonymous: 10 Key Facts

Who Is Anonymous: 10 Key Facts (click image for larger view and for slideshow)

Stop the password breach madness: If it seems as if every week brings a new password breach to light, that's because hackers have been hard at work, releasing passwords with aplomb.

Recently, an attacker uploaded a subset of hashed passwords from LinkedIn to an online security forum, requesting help with cracking them. That was swiftly followed--apparently, by the same attacker--with similar requests for passwords purloined from dating website eHarmony and music-streaming website

This week, question-and-answer website Formspring said that 420,000 of its users' passwords had been compromised, leading the company to reset passwords for all 28 million users. Meanwhile, a hacker or hacking group known as D33Ds Company leaked about 450,000 email addresses and passwords associated with Yahoo Voices, formerly known as Yahoo Contributor Network. The motivation, according to D33Ds, was simple: it was sending "a wake-up call" to whoever was in charge of Yahoo Voices about the need to get serious about security.

[ Read 7 Tips To Toughen Passwords. ]

What could Yahoo--and by extension any company that has consumer passwords to protect--do better? Here are seven best practices:

1. Confirm breaches quickly. Where Yahoo and Formspring are to be commended is in the speed with which they confirmed their password breaches and instituted a fix, all of which happened in less than 24 hours. According to Yahoo spokesman Jon White, "We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users, and notifying the companies whose users accounts may have been compromised."

Formspring, however, went one step better, by providing details about the exact improvements made. "We were able to immediately fix the hole and upgraded our hashing mechanisms from SHA-256 with random salts to Bcrypt, to fortify security," said Formspring CEO Ade Olonoh in a blog posted Wednesday.

2. Watch for fast-moving SQL injection attacks. D33Ds said it breached Yahoo by using a union-based SQL injection attack. Security experts said attackers prefer this type of attack for its ability--when successfully executed--to rapidly retrieve large amounts of sensitive data.

"Not all SQL injection attacks are equal. Some can be more destructive than others," said Kyle Adams at Mykonos Software--part of Juniper Networks--in a blog post. "This [type of] attack enables the attacker to extract extremely large chunks of data in a very short amount of time. It's the difference between requesting each password one at a time (normal SQL injection), letter by letter (blind SQL injection) or requesting hundreds of passwords in one shot (union-based)."

3. Beware third-party security. Last year, one of the more than a dozen data breaches involving Sony involved hackers accessing what the consumer electronics giant said was "an outdated database from 2007." Likewise, the breached Yahoo database appears to have come from a company acquired by Yahoo, which means that the database wouldn't have been covered by Yahoo's own system development lifecycle (SDLC) practices. But that should have led Yahoo to at least protect the acquired systems with a Web application firewall (WAF), according to security experts, to help block SQL injection attacks.

"This attack highlights the challenges of security with third-party applications," said Rob Rachwald, director of security strategy at Imperva , in a blog post. "The attacked applications [were] probably acquired by Yahoo! from a third party, Associated Content. It's very challenging to have an effective SDLC with third parties. Therefore, you need to put them behind WAF."

4. Require strong passwords. The breach also shows that Yahoo--or else Contributor Network, if the passwords date from before the company's acquisition by Yahoo--failed to require users to select strong passwords. According to an analysis published by Swedish security expert Anders Nilsson at Eurosecure, the top five most-selected passwords were "password," "123456," "12345678," "1234," and "qwerty."

Of course, people's password selection is irrelevant if, as in the case of the Yahoo breach, the password database isn't even properly secured. Likewise, in the case of the LinkedIn breach, the apparent use of an outdated encryption algorithm, and a failure to salt the passwords--meaning, adding a unique value to each one before encrypting it--meant that even the strongest passwords could be cracked offline, given a bit of time.

5. Businesses, get serious about passwords. Any business or government agency that stores users' passwords needs to do a better job of not just deleting password databases, but ensuring they're actually secure. Indeed, based on a review of the leaked data, Imperva's Rachwald said Yahoo apparently "stored the passwords both ... encrypted (AES_passwd) and in clear text (clear_passwd) which, of course, makes the encryption useless." Coming on the heels of the LinkedIn, eHarmony, and breaches, Rachwald dubbed the Yahoo breach as yet "another epic password fail." When will companies learn?

6. Consumers, practice tough love. Until businesses do learn, the rule for consumers is simple: Don't trust any site that requires a password to keep it safe. Accordingly, use unique passwords for every website, so attackers can't reuse credentials stolen from one site, such as Yahoo, to access an account tied to the same email address on another site, such as PayPal. Also consider changing passwords with some frequency, in case prior versions of password databases should get exploited. Finally, consider that not all password breaches come to light, and the situation might be even worse than it appears.

7. Regulators, crack down. Fines, of course, could help businesses focus on improving their information security practices. On that note, privacy expert Christopher Soghoian has opined that Yahoo could face Federal Trade Commission sanctions over the breach. Notably, the FTC requires that companies abide by their privacy policies, which the agency enforces as a consumer guarantee. Furthermore, Yahoo's privacy policy states that it "takes reasonable steps to protect your information." But by just about any security measure, storing users' passwords in unencrypted format--or failing to spot passwords stored in that manner, after acquiring a company--hardly qualifies as reasonable.

Editor's note: Corrected spelling of D33Ds hacker group.

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity issue of Dark Reading shows how to strengthen them. (Free registration required.)

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights