Yahoo's 450,000 plain-text passwords will likely prove a boon to attackers, while Phandroid's million-strong hash list is less useful.
Yahoo has admitted that attackers identifying themselves as the 'D333Ds Company' have made off with more than 450,000 usernames and plain-text passwords - including those for accounts on Gmail and Hotmail.
'We confirm that an older file from Yahoo! Contributor Network, previously Associated Content, containing approximately 450,000 Yahoo! and other company usernames and passwords was compromised yesterday, July 11,' the company confessed in a statement to press. What Yahoo hasn't explained, however, is why the passwords were stored in plain text format, rather than as an irreversible hash.
The company claims that less than five per cent of the affected Yahoo accounts had an up-to-date password, but has yet to reveal similar figures for the 100,000 Gmail and 55,000 Hotmail addresses. For users who share a single password across multiple services, the breach could have serious consequences - particularly those on the leaked list who registered with one of the 123 .gov or 235 .mil email addresses.
Yahoo's breach comes at the same time as Phandroid issued a warning that more than a million usernames and passwords were leaked as the result of an attack on its Android Forums section. The leaked details included email addresses, usernames, IP addresses and the hashed value of the user's password - but, unlike Yahoo's gaffe, no plain-text passwords were included in the leak.
Attacks designed to steal passwords from popular on-line services appear to be increasing in frequency: last month, business networking site LinkedIn was targeted in a breach that saw 6.5 million password hashes downloaded by ne'er-do-wells, many of which were broken in dictionary and brute-force attacks.
One thing these recent breaches do demonstrate - aside from the lax approach to security at Yahoo - is how important it is to practice good information security. Even if your system is perfectly secure from attack, those of the sites you use clearly aren't. Pick strong passwords - preferably using a password generator like PasswordMaker or a password storage service like LastPass - and never use the same password for more than one site. If available, consider switching on two-factor authentication - Gmail users have this option, and it prevents attackers from accessing your account even if the password is known.
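As an added illustration (not code from the article or from any of the companies it names), the snippet below contrasts the three ways of keeping passwords the piece touches on: storing the value itself as the Yahoo file did, a fast unsalted hash of the kind dictionary and brute-force attacks work through quickly, and a per-user salted, deliberately slow hash. Every credential in it is constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for the demo; not taken from any leaked list.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor&3"}


def store_plaintext(password: str) -> str:
    """What the leaked Yahoo file did: the password itself is the stored value."""
    return password


def store_unsalted(password: str) -> str:
    """Fast, unsalted SHA-1. Irreversible in theory, but every user with the same
    password gets the same digest, so one successful guess covers all of them."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted(password: str, iterations: int = 100_000) -> str:
    """Random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256); the salt and
    iteration count are stored alongside the digest so it can be verified later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unexpected hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def duplicate_count(store_fn) -> int:
    """How many stored values collide: duplicates expose users sharing a password."""
    values = [store_fn(pw) for pw in USERS.values()]
    return len(values) - len(set(values))


if __name__ == "__main__":
    for fn in (store_plaintext, store_unsalted, store_salted):
        print(f"{fn.__name__}: {duplicate_count(fn)} duplicate value(s)")
    record = store_salted("correct horse")
    print(verify_salted("correct horse", record), verify_salted("wrong", record))
```

With the constructed accounts, the plain-text and unsalted stores each show one duplicate (alice and bob share a password), while the salted store shows none because each record carries its own salt.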
18 Comments
This affects everyone that had an account, even Gmail ones
I'm getting fed up with having to think up new passwords too. It's hard enough when you've got hundreds of sites which all need a password.
Security breaches will happen, this is a punishment for anyone that uses a Yahoo service.
So even if you don't use Yahoo, you're somehow compromised.
Why the hell have Yahoo got Gmail and Hotmail accounts and passwords anyway?
Might start using PasswordMaker, but have a higher level pass that I use for important sites like banking which I can remember without having to use PasswordMaker.
Google details changed anyway
Pain in the bum...
Sent from my HTC Desire HD using Xparent Red Tapatalk 2
It is, that is why it has its own special password :)
It's kept alive for people who still use IE6 and get their internet connection from AOL.
Changed the ones I use all the time but there's one minor account where I only logged in last week to change its password after that attack [EDIT] - I was going to wait and see if it was genuinely compromised but stuff it, changed that one too. Might as well do it the once and they're all done until the next time.
The Gmail suggestion is brilliant but again I'd need to use it all the time before I'd want to have a mobile phone around and switched on just to get into email. Changing the password will do for the moment.
Agreed.
It really feels like it doesn't matter WHAT you change it to because right now they're more likely to attack the main server where your data is held rather than each account. It seems like it makes little difference if you change it to qwerty or 09faj49ajf9_+"|~!2 (I don't suggest it, but if I change my password again and it gets taken out again... what's the point)?
This. (Sorry just read it after I replied).