Wilders Security Forums  

#1
July 12th, 2012, 10:43 AM
ronjor
Global Moderator
Join Date: Jul 2003
Location: Texas
Posts: 46,201
450,000 email addresses and plain-text passwords in circulation

Quote:
A list of over 450,000 email addresses and plain-text passwords, apparently from users of a Yahoo! service, is in circulation on the internet. According to security expert and former hacker Kevin Mitnick, the passwords belong to the little-known VoIP service, Yahoo! Voice.
http://www.h-online.com/security/new...n-1637505.html
#2
July 12th, 2012, 12:55 PM
ronjor
Global Moderator
Join Date: Jul 2003
Location: Texas
Posts: 46,201
Re: 450,000 email addresses and plain-text passwords in circulation

Quote:
Yahoo Confirms, Apologizes For The Email Hack

Ingrid Lunden

There are still a lot of questions about this alleged Yahoo Voices data breach — including whether there was a reason behind the breach in the first place — but Yahoo has now officially confirmed that the data did in fact come from its servers, and that “approximately” 400,000 email addresses and passwords have been leaked in plain text online. Meanwhile, security specialists are now parsing the data and one, script to check if your email address (which doesn’t have to be a @yahoo.com address) is among those exposed.
http://techcrunch.com/2012/07/12/yah...ccounts-apply/
#3
July 12th, 2012, 04:39 PM
EncryptedBytes
Frequent Poster
Join Date: Feb 2011
Location: Odenton, Maryland
Posts: 416
Re: 450,000 email addresses and plain-text passwords in circulation

There are a lot of things wrong with this picture. While to those in the security industry it seems almost comical after all the high-profile breaches over the past couple of years, major players in the digital market are still falling victim to SQL injections. Second, there really is no reason for clear text in web-facing applications in 2012 either... Though I guess if your entire infrastructure is run by a potato you would not want anything requiring too much processing power either.
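An added example, not code from the thread or from Yahoo!: the two defects the post above names, string-built SQL and a plaintext password column, placed next to the parameterised query and salted slow hash that close them. The table, the single user, the password and the injection strings are constructed for illustration only.

```python
"""Added example (not from the forum thread): string-built SQL over a plaintext
password column, beside the hardened form. All data here is constructed."""
import hashlib
import hmac
import os
import sqlite3


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: what is stored cannot be read back as a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_db() -> sqlite3.Connection:
    """In-memory database holding one constructed user, stored both ways."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT, salt BLOB, pw_hash BLOB)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        ("alice@example.com", "hunter2", salt, hash_password("hunter2", salt)),
    )
    conn.commit()
    return conn


# --- vulnerable: SQL assembled from user input, plaintext password column ----
def login_vulnerable(conn, email: str, password: str) -> bool:
    """Either field can inject; a tautology in the email logs the attacker in."""
    query = f"SELECT email FROM users WHERE email = '{email}' AND password = '{password}'"
    return conn.execute(query).fetchone() is not None


def dump_vulnerable(conn, email: str) -> list:
    """The same injection, used to pull every (email, password) pair in the table."""
    query = f"SELECT email, password FROM users WHERE email = '{email}'"
    return conn.execute(query).fetchall()


# --- hardened: bound parameters, salted slow hash, constant-time comparison ---
def login_hardened(conn, email: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        # hash anyway so an unknown address costs the same time as a wrong password
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def dump_hardened(conn, email: str) -> list:
    """Bound parameter: the injection string is just an address that matches nothing."""
    return conn.execute(
        "SELECT email, salt, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable dump:", dump_vulnerable(db, "' OR 1=1 --"))
    print("hardened dump:", dump_hardened(db, "' OR 1=1 --"))
```

Even with the injection fixed, a leak of the hardened table yields salts and PBKDF2 digests rather than the 450,000 ready-to-use passwords the thread is about; the attacker has to guess each one at 200,000 iterations per try.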
#4
July 13th, 2012, 12:56 PM
JRViejo
Global Moderator
Join Date: Jul 2008
Posts: 10,439
Re: 450,000 email addresses and plain-text passwords in circulation

Quote:
Stop the password breach madness: If it seems as if every week brings a new password breach to light, that's because hackers have been hard at work, releasing passwords with aplomb.
Yahoo Password Breach: 7 Lessons Learned by Mathew J. Schwartz.
__________________
JR
"You don't have to win every argument. Agree to disagree." Regina Brett
#5
July 13th, 2012, 05:10 PM
Ranget
Frequent Poster
Join Date: Mar 2011
Location: Not Really Sure :/
Posts: 832
Re: 450,000 email addresses and plain-text passwords in circulation

Basically, if these threats are going to keep on rising,
in two years we won't have an internet.
__________________
SpyShelter Premium + MBAM Pro + Avast Free + Hardened Firefox + Secunia Update Checker
"Uncommon sense will increase your privacy; common sense will just make you common."
"The Worst Thing in the World is To look and not be able to Help "
#6
July 13th, 2012, 09:53 PM
siljaline
Security Expert
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,134
Re: 450,000 email addresses and plain-text passwords in circulation

Yahoo hack shows, again, too many people use '123456' and 'password'
Quote:
While the ongoing floods of leaked account credentials from Formspring, LinkedIn et al. are potentially disastrous for the owners of those accounts, analysis of those data doesn't only provide a way of seeing whether our own accounts are at risk. It also provides an incentive for us all to re-examine our own password (and passcode) selection strategies by the insight they give us into whether we are using the same far-from-unique passwords as so many of the victims of these breaches.

My colleague Anders Nilsson's Eurosecure blog looks at the data from the Yahoo! breach and refers to some detailed statistics. Rather than reproduce all those data here, I'd recommend that you read his blog, but as I've previously referred here and elsewhere to 'Top Umpteen' lists of insecure, over-used, easily guessed passwords, I can't resist reproducing the top ten he extracted here, as it comes from a more recent source than the Mark Burnett analysis I quoted in my previous post on the subject.
Article

Yahoo fixes password-pilfering bug, explains who's at risk
Quote:
Security experts continue to hammer Yahoo for storing usernames and passwords in plain text.

Yahoo today said it has fixed the flaw that allowed hackers to steal more than 450,000 passwords from one of its many services.

The company also provided more information about whose passwords had been pilfered.

"We have...now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of notifying affected users," the company announced in a post to its Blog early Friday.
Article
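An added example, not code from the thread or from any of the articles it links: the two things the posts above describe being done with the leaked file, a script that checks whether an address is in it (post #2) and the "top ten" password statistics (post #6), run over a small constructed dump in the email:password layout the reports describe. Every line of the sample is made up; none is from the real leak, and hashing the addresses is this example's choice, not the linked script's.

```python
"""Added example (not from the forum thread): parse a leaked email:password
file, answer "is my address in it?" without handing out the raw list, and
compute the most-used passwords. SAMPLE_DUMP is constructed."""
import hashlib
from collections import Counter

# Constructed sample, not data from the leak
SAMPLE_DUMP = """\
alice@example.com:123456
bob@example.net:password
carol@example.org:123456
dave@example.com:qwerty
erin@example.com:hunter2
frank@example.net:123456
grace@example.org:password
heidi@example.com:welcome
ivan@example.net:ninja
judy@example.org:abc123
"""


def parse_dump(text: str) -> list:
    """Split 'email:password' lines; only the first ':' separates the fields,
    so passwords containing ':' survive intact."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        records.append((email.strip().lower(), password))
    return records


def leaked_email_hashes(records) -> set:
    """Index the addresses by SHA-256 so a checker can be shipped without
    republishing the plaintext list it is meant to protect people from."""
    return {hashlib.sha256(email.encode()).hexdigest() for email, _ in records}


def is_exposed(email: str, index: set) -> bool:
    """Case-insensitive membership check against the hashed index."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest() in index


def top_passwords(records, n: int = 10) -> list:
    """The 'Top Umpteen' list: (password, count, percent of all records)."""
    counts = Counter(password for _, password in records)
    total = len(records)
    return [(pw, c, round(100 * c / total, 1)) for pw, c in counts.most_common(n)]


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    idx = leaked_email_hashes(recs)
    print("alice exposed:", is_exposed("Alice@Example.com", idx))
    for pw, count, pct in top_passwords(recs, 3):
        print(f"{pw:<10} {count:>3} {pct:>5}%")
```

The same parse-then-count loop is what produces the '123456' and 'password' rankings quoted above; on a real dump, the records list is the only thing that has to change.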
#7
July 15th, 2012, 10:15 AM
Escalader
Massive Poster
Join Date: Dec 2005
Location: Land of the Mooses
Posts: 3,636
Re: 450,000 email addresses and plain-text passwords in circulation

This is discouraging.

I agree that changing your email passwords on a regular schedule is good practice.

BUT, as the blog posters say, what's the point if ISPs' security is so weak that they store user email addys and passwords in open text and then allow a hacker in?

Apologies don't cut it.
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
#8
July 15th, 2012, 10:29 AM
EncryptedBytes
Frequent Poster
Join Date: Feb 2011
Location: Odenton, Maryland
Posts: 416
Re: 450,000 email addresses and plain-text passwords in circulation

Quote:
"We have...now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of notifying affected users," the company announced in a post to its blog early Friday.

Perhaps they are now using 2ROT13 encryption? Double the encryption, double the security.
#9
July 15th, 2012, 07:06 PM
Escalader
Massive Poster
Join Date: Dec 2005
Location: Land of the Mooses
Posts: 3,636
Re: 450,000 email addresses and plain-text passwords in circulation

Quote:
Originally Posted by EncryptedBytes
perhaps they are now using 2ROT13 encryption? Double the encryption. Double the security.

Perhaps?

Anyway, this is shutting the barn door after the horse has run away.

These security steps should have been in place all along!
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
#10
July 16th, 2012, 08:39 AM
NGRhodes
Very Frequent Poster
Join Date: Jun 2003
Location: West Yorkshire, UK
Posts: 1,904
Re: 450,000 email addresses and plain-text passwords in circulation

Quote:
Originally Posted by EncryptedBytes
perhaps they are now using 2ROT13 encryption? Double the encryption. Double the security.

Or ROT26
#11
July 16th, 2012, 10:22 AM
EncryptedBytes
Frequent Poster
Join Date: Feb 2011
Location: Odenton, Maryland
Posts: 416
Re: 450,000 email addresses and plain-text passwords in circulation

Quote:
Originally Posted by Nick Rhodes
Or ROT26

Good implementations would be 2ROT13, 4ROT13, 6ROT13 or 2048ROT13. Going off how AES and DES work, using more rounds, and are considered strong, it can thus be assumed that more rounds of encryption bring more security.
So if they are using such implementations, I think they are doing security correctly and we the users have nothing more to worry about.
#12
July 16th, 2012, 02:24 PM
Escalader
Massive Poster
Join Date: Dec 2005
Location: Land of the Mooses
Posts: 3,636
Re: 450,000 email addresses and plain-text passwords in circulation

Quote:
Originally Posted by EncryptedBytes
Good implementations would be 2ROT13, 4ROT13, 6ROT13 or 2048ROT13. Going off how AES and DES work using more rounds and are considered strong, it can thus be assumed that more rounds of encryption bring more security.
So if they are using such implementations I think they are doing security correctly and we the user have nothing more to worry about.

We are talking / posting past each other. My point is all these security procedures should have been in place PRIOR to 450,000 email addys being leaked.

Do you disagree with this? I only ask because you keep saying all is well when clearly it wasn't.
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
#13
July 16th, 2012, 03:20 PM
NGRhodes
Very Frequent Poster
Join Date: Jun 2003
Location: West Yorkshire, UK
Posts: 1,904
Re: 450,000 email addresses and plain-text passwords in circulation

2ROT13 is a term used to refer to utterly useless security (in this case the equivalent of nothing), same as any even-numbered ROT13 variant; we were jesting!
#14
July 16th, 2012, 05:20 PM
siljaline
Security Expert
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,134
Re: 450,000 email addresses and plain-text passwords in circulation

Yahoo! closes security hole that led to huge password breach
Quote:
Yahoo! has patched the security hole that allowed hackers to access some 450,000 email addresses and passwords associated with Yahoo! Contributor Network and ultimately publish them last week.

"The compromised information was provided by writers who had joined Associated Content prior to May 2010, when it was acquired by Yahoo!," the company said in a statement, and added that the file in question was a standalone file that was not used to grant access to Yahoo! systems and services.

Users who have joined Associated Content prior to May 2010 using their Yahoo! email address are urged to log in to their Yahoo! account where they will be asked to answer a series of authentication questions to change and validate their credentials.
Related Post
#15
July 16th, 2012, 09:36 PM
EncryptedBytes
Frequent Poster
Join Date: Feb 2011
Location: Odenton, Maryland
Posts: 416
Re: 450,000 email addresses and plain-text passwords in circulation

Quote:
Originally Posted by Escalader
We are talking / posting past each other. My point is all these security procedures should have been in place PRIOR to 450,000 email addys were leaked.

Do you disagree with this? I only ask because you keep saying all is well when clearly it wasn't.

Sorry, I was being cynical. ROT13 is also known as the old "Caesar cipher", where the key is the movement of a letter 13 spaces. It offers no security, and I was throwing it out there as a real thing being implemented given how carelessly they handled the security for Yahoo Voice.

All variations I mentioned were in jest and do not exist, well, other than an April Fools' prank maybe.
#16
July 17th, 2012, 02:06 PM
Escalader
Massive Poster
Join Date: Dec 2005
Location: Land of the Mooses
Posts: 3,636
Re: 450,000 email addresses and plain-text passwords in circulation

Quote:
Originally Posted by Nick Rhodes
2ROT13 is a term used to refer utter useless security (in this case is equivalent of nothing), same as any even number ROT13 variant, we were jesting !

Right! Well, you guys sure fooled me! No damage done.
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
#17
July 17th, 2012, 04:16 PM
Judge Dee
Frequent Poster
Join Date: Jan 2008
Posts: 312
Re: 450,000 email addresses and plain-text passwords in circulation

Quote:
Originally Posted by EncryptedBytes
All variations I mentioned were in jest and do not exist, well other than an april fools prank maybe.
According to Wikipedia's article on ROT13:
Quote:
In December 1999, it was found that Netscape Communicator used ROT-13 as part of an insecure scheme to store email passwords

BTW, thanks for teaching us about ROT13. Interesting stuff.
#18
July 17th, 2012, 05:17 PM
EncryptedBytes
Frequent Poster
Join Date: Feb 2011
Location: Odenton, Maryland
Posts: 416
Re: 450,000 email addresses and plain-text passwords in circulation

Quote:
Originally Posted by Judge Dee
According to Wikipedia's article on ROT13:

BTW, thanks for teaching us about ROT13. Interesting stuff.

And it wasn't April 1st? Interesting. Well, to their credit, at least it wasn't 2ROT13 or, as Nick mentioned, ROT26.

(As applying ROT13 to an already ROT13-encrypted text restores the original plaintext..aka Yahoo Voice)
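An added example, not code from the thread: the ROT13 arithmetic behind the jokes in posts #8 to #18, and the reason a ROT13-stored password (the Netscape case quoted in #17) is no better than plaintext. It shows that an even number of ROT13 rounds, or ROT26, hands back the original unchanged, and that any single rotation is recovered by trying all 26 shifts with no key at all. The "stored password" and the word list are constructed for the demonstration.

```python
"""Added example (not from the forum thread): ROT-N rotation, repeated ROT13
rounds, and a keyless brute force over the 26 possible shifts."""


def rot(text: str, n: int) -> str:
    """Shift ASCII letters by n positions, wrapping mod 26; other characters pass through.
    n may be negative (undo a shift) or larger than 26 (ROT26 reduces to 0)."""
    n %= 26
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + n) % 26))
        else:
            out.append(ch)
    return "".join(out)


def rot13_rounds(text: str, rounds: int) -> str:
    """'2ROT13', '2048ROT13', ...: ROT13 applied `rounds` times.
    Since 13 + 13 = 26 = 0 (mod 26), every even round count is the identity."""
    for _ in range(rounds):
        text = rot(text, 13)
    return text


def recover(ciphertext: str, dictionary: set) -> tuple:
    """Keyless attack on any single rotation: try all 26 shifts and keep the one
    whose output contains the most known words. Returns (shift, plaintext)."""
    best_score, best_shift, best_plain = -1, 0, ""
    for shift in range(26):
        candidate = rot(ciphertext, -shift)
        score = sum(word in dictionary for word in candidate.lower().split())
        if score > best_score:
            best_score, best_shift, best_plain = score, shift, candidate
    return best_shift, best_plain


if __name__ == "__main__":
    # Constructed "stored password", not a value from any real product
    stored = rot("my mail password is fluffy kitten", 13)
    print("ROT13 once:   ", rot("Yahoo Voice", 13))
    print("2ROT13:       ", rot13_rounds("Yahoo Voice", 2))
    print("ROT26:        ", rot("Yahoo Voice", 26))
    print("brute forced: ", recover(stored, {"my", "mail", "password", "is", "kitten"}))
```

`rot` treats the shift modulo 26, which is why 2ROT13, 2048ROT13 and ROT26 all collapse to "do nothing": more rounds of a fixed, keyless substitution add no security, unlike the keyed rounds of a real block cipher.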
 

Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums