Yahoo's 450,000 plain-text passwords will likely prove a boon to attackers, while Phandroid's million-strong hash list is less useful.
Yahoo has admitted that attackers identifying themselves as the 'D333Ds Company' have made off with more than 450,000 usernames and plain-text passwords - including those for accounts on Gmail and Hotmail.
'We confirm that an older file from Yahoo! Contributor Network, previously Associated Content, containing approximately 450,000 Yahoo! and other company usernames and passwords was compromised yesterday, July 11,' the company confessed in a statement to press. What Yahoo hasn't explained, however, is why the passwords were stored in plain text format, rather than as an irreversible hash.
The company claims that less than five per cent of the affected Yahoo accounts had an up-to-date password, but has yet to reveal similar figures for the 100,000 Gmail and 55,000 Hotmail addresses. For users who share a single password across multiple services, the breach could have serious consequences - particularly those on the leaked list who registered with one of the 123 .gov or 235 .mil email addresses.
Yahoo's breach comes at the same time as Phandroid issued a warning that more than a million usernames and passwords were leaked as the result of an attack on its Android Forums section. The leaked details included email addresses, usernames, IP addresses and the hashed value of the user's password - but, unlike Yahoo's gaffe, no plain-text passwords were included in the leak.
Attacks designed to steal passwords from popular on-line services appear to be increasing in frequency: last month, business networking site LinkedIn was targeted in a breach that saw 6.5 million password hashes downloaded by ne'er-do-wells, many of which were broken in dictionary and brute-force attacks.
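To make the distinction between the two storage practices concrete, here is an added example (not code from Yahoo, Phandroid or the article) contrasting plain-text storage with salted, deliberately slow hashing. The user name and password are constructed sample values, and the record layout is an assumption for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample credentials; not taken from any leaked list.
USERNAME = "alice@example.com"
PASSWORD = "correct horse battery staple"

# Work factor for the key derivation; higher makes each guess slower.
ITERATIONS = 600_000


def store_plaintext(username: str, password: str) -> dict:
    """The practice described for the Yahoo file: whoever reads the
    record has the password itself, usable on every site it is reused on."""
    return {"user": username, "password": password}


def store_hashed(username: str, password: str, iterations: int = ITERATIONS) -> dict:
    """Irreversible form: a random per-user salt plus PBKDF2-HMAC-SHA256.
    The salt means two users with the same password get different records,
    so one precomputed dictionary cannot be checked against the whole list."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "user": username,
        "salt": salt.hex(),
        "iterations": iterations,
        "hash": digest.hex(),
    }


def verify_hashed(record: dict, password: str) -> bool:
    """Recompute the derivation with the stored salt and work factor."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    # Constant-time comparison so timing does not reveal partial matches.
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    weak = store_plaintext(USERNAME, PASSWORD)
    strong = store_hashed(USERNAME, PASSWORD)
    print("plain-text record exposes:", weak["password"])
    print("hashed record stores only:", strong["hash"][:16] + "...")
    print("login with correct password:", verify_hashed(strong, PASSWORD))
```

Note that a fast unsalted digest such as a single SHA-1, as in the LinkedIn leak, still lets an attacker test a whole word list against every record at once; the salt and iteration count above are what make that costly.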
One thing these recent breaches do demonstrate - aside from the lax approach to security at Yahoo - is how important it is to practice good information security. Even if your system is perfectly secure from attack, those of the sites you use clearly aren't. Pick strong passwords - preferably using a password generator like PasswordMaker or a password storage service like LastPass - and never use the same password for more than one site. If available, consider switching on two-factor authentication - Gmail users have this option, and it prevents attackers from accessing your account even if the password is known.