bit-tech.net

Yahoo, Phandroid passwords leaked

Yahoo's 450,000 plain-text passwords will likely prove a boon to attackers, while Phandroid's million-strong hash list is less useful.

Yahoo has admitted that attackers identifying themselves as the 'D333Ds Company' have made off with more than 450,000 usernames and plain-text passwords - including those for accounts on Gmail and Hotmail.

'We confirm that an older file from Yahoo! Contributor Network, previously Associated Content, containing approximately 450,000 Yahoo! and other company usernames and passwords was compromised yesterday, July 11,' the company confessed in a statement to press. What Yahoo hasn't explained, however, is why the passwords were stored in plain text format, rather than as an irreversible hash.

The company claims that less than five per cent of the affected Yahoo accounts had an up-to-date password, but has yet to reveal similar figures for the 100,000 Gmail and 55,000 Hotmail addresses. For users who share a single password across multiple services, the breach could have serious consequences - particularly those on the leaked list who registered with one of the 123 .gov or 235 .mil email addresses.

Yahoo's breach comes at the same time as Phandroid issued a warning that more than a million usernames and passwords were leaked as the result of an attack on its Android Forums section. The leaked details included email addresses, usernames, IP addresses and the hashed value of the user's password - but, unlike Yahoo's gaffe, no plain-text passwords were included in the leak.

Attacks designed to steal passwords from popular on-line services appear to be increasing in frequency: last month, business networking site LinkedIn was targeted in a breach that saw 6.5 million password hashes downloaded by ne'er-do-wells, many of which were broken in dictionary and brute-force attacks.

One thing these recent breaches do demonstrate - aside from the lax approach to security at Yahoo - is how important it is to practise good information security. Even if your own system is perfectly secure from attack, those of the sites you use clearly aren't. Pick strong passwords - preferably using a password generator like PasswordMaker or a password storage service like LastPass - and never use the same password for more than one site. If available, consider switching on two-factor authentication - Gmail users have this option, and it prevents attackers from accessing your account even if the password is known.

18 Comments

longweight 13th July 2012, 13:52 Quote
So this only affects Yahoo users? Yahoo had the users' Gmail username and password?
Wingtale 13th July 2012, 13:59 Quote
Quote:
Originally Posted by longweight
So this only affects Yahoo users? Yahoo had the users' Gmail username and password?

This affects everyone that had an account, even Gmail ones
will_123 13th July 2012, 14:02 Quote
There is a web app that checks if your email was compromised. I checked my Gmail, wasn't sure if I had ever used it to log in there. Go on Engadget, the link is on there somewhere.
longweight 13th July 2012, 14:11 Quote
Meh, changed my gmail password anyway. It was overdue!
Spreadie 13th July 2012, 14:24 Quote
This is getting tedious
DragunovHUN 13th July 2012, 17:43 Quote
Feck off Yahoo.
Cerberus90 13th July 2012, 22:22 Quote
Quote:
Originally Posted by Spreadie
This is getting tedious

I'm getting fed up of having to think up new passwords too. It's hard enough when you've got hundreds of sites which all need a password.
longweight 13th July 2012, 22:28 Quote
It's not hard to have 5 keywords, each with a different level of security.

Security breaches will happen, this is a punishment for anyone that uses a Yahoo service.
Cerberus90 13th July 2012, 22:43 Quote
It says Gmail and hotmail accounts were compromised too, because of Yahoo.

So even if you don't use Yahoo, you're somehow compromised.

Why the hell have Yahoo got Gmail and Hotmail accounts and passwords anyway?

Might start using PasswordMaker, but have a higher level pass that I use for important sites like banking which I can remember without having to use PasswordMaker.
GMC 13th July 2012, 22:44 Quote
Isn't Flickr a yahoo service? Can't think of anything else in their stable worth using.

Google details changed anyway
Pain in the bum...

Sent from my HTC Desire HD using Xparent Red Tapatalk 2
longweight 13th July 2012, 22:45 Quote
Quote:
Originally Posted by GMC
Isn't Flickr a yahoo service? Can't think of anything else in their stable worth using.

Google details changed anyway
Pain in the bum...

Sent from my HTC Desire HD using Xparent Red Tapatalk 2

It is, that is why it has its own special password :)
DXR_13KE 14th July 2012, 12:28 Quote
Why is Yahoo still alive?
longweight 14th July 2012, 12:31 Quote
Quote:
Originally Posted by DXR_13KE
Why is Yahoo still alive?

It's kept alive for people who still use IE6 and get their internet connection from AOL.
PlayLoud 15th July 2012, 15:41 Quote
I use Yahoo for my spam email account. My real email account is on Gmail. Time to change the passwords for both. I use Lastpass, so I won't have to remember the new passwords anyway (which is good, since my passwords are all random characters).
NethLyn 15th July 2012, 21:42 Quote
Because of the July 9th DNS attack I'd already changed them all last week, including the BT one, which I promptly forgot again and had to re-reset to post in this thread :) These days I wonder whether the number code you're given for Bit Tech forums is more secure than anything I'd make up myself.

Changed the ones I use all the time but there's one minor account where I only logged in last week to change its password after that attack [EDIT] - I was going to wait and see if it was genuinely compromised but stuff it, changed that one too. Might as well do it the once and they're all done until the next time.

The Gmail suggestion is brilliant but again I'd need to use it all the time before I'd want to have a mobile phone around and switched on just to get into email. Changing the password will do for the moment.
theshadow2001 16th July 2012, 00:50 Quote
It makes me wonder if you really need passwords that are difficult to brute force since passwords tend to be compromised via database attacks and hacks like this.
Gareth Halfacree 16th July 2012, 08:43 Quote
Quote:
Originally Posted by NethLyn
The Gmail suggestion is brilliant but again I'd need to use it all the time before I'd want to have a mobile phone around and switched on just to get into email. Changing the password will do for the moment.
The Google two-factor authentication is cleverer than that: the first time you log in to Gmail (or any other Google service) from a particular machine, it will ask you for the two-factor code from the Authenticator app. When you enter this, there's a checkbox: tick the box and it won't ask you for the two-factor code for another 30 days. For systems that don't support two-factor authentication - including, oddly, Android - you can generate one-time passwords which you can individually revoke at any time.
Quote:
Originally Posted by theshadow2001
It makes me wonder if you really need passwords that are difficult to brute force since passwords tend to be compromised via database attacks and hacks like this.
You should always use secure passwords - it's notable that, in all the recent breaches, only Yahoo was storing passwords as plain text. If proper information security is practised, and passwords stored as irreversible hashes, then the attacker needs to brute-force the hashes - either manually or through a rainbow table. The more secure (mixture of case, letters, symbols, length) your password, the less likely it is the attacker will ever figure out the hash.
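The point made in the article (passwords should be stored as an irreversible hash, not in plain text) and in Gareth Halfacree's reply above (a properly hashed password forces the attacker to brute-force each hash, and a rainbow table is the shortcut they reach for) is illustrated by the following added example. It is not code from the article, from bit-tech, or from any of the sites named. The choice of PBKDF2-HMAC-SHA256, 200,000 iterations and a 16-byte random salt per user is this example's assumption, as is the record format `pbkdf2_sha256$iterations$salt$hash`.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not bit-tech's or Yahoo's code. Parameters are assumptions
# made for illustration: a slow key-derivation function and a random salt per
# user so that identical passwords never produce identical stored records.
ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def store_plain_text(password: str) -> str:
    """What the article says Yahoo did: the stored record IS the password."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record: algo$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record, e.g. a plain-text one
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(digest.hex(), hash_hex)


def leak_exposes_password(record: str, password: str) -> bool:
    """True if someone who steals the record can read the password off it."""
    return password in record


def same_password_different_records(password: str) -> bool:
    """Two users sharing a password still get distinct records (the salt),
    so one precomputed rainbow table cannot cover both."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    # Constructed sample password, not one from the leak.
    pw = "correct horse battery staple"
    plain = store_plain_text(pw)
    hashed = hash_password(pw)
    print("plain-text record exposes password:", leak_exposes_password(plain, pw))
    print("hashed record exposes password:   ", leak_exposes_password(hashed, pw))
    print("verify correct password:", verify_password(pw, hashed))
    print("verify wrong password:  ", verify_password(pw + "!", hashed))
```

With a record in this form, a stolen database gives the attacker nothing to read directly; each guess costs 200,000 iterations of SHA-256, and the per-user salt means a precomputed table built for one user is useless against the next. As the reply above says, that only raises the cost of each guess: a password that is itself on a dictionary list will still fall quickly, which is why password strength and hashing are complementary rather than alternatives.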
Bindibadgi 16th July 2012, 08:55 Quote
Quote:
Originally Posted by Spreadie
This is getting tedious

Agreed.

It really feels like it doesn't matter WHAT you change it to because right now they're more likely to attack the main server where your data is held rather than each account. It seems like it makes little difference if you change it to qwerty or 09faj49ajf9_+"|~!2 (I don't suggest it, but if I change my password again and it gets taken out again... what's the point)?
Quote:
Originally Posted by theshadow2001
It makes me wonder if you really need passwords that are difficult to brute force since passwords tend to be compromised via database attacks and hacks like this.

This. (Sorry just read it after I replied).