Slashdot: News for Nerds

Nearly Half a Million Yahoo Passwords Leaked [Updated]

timothy posted about 2 years ago | from the drop-in-the-bucket dept.

Security

An anonymous reader writes "Some 450,000 email addresses and associated unencrypted passwords have been dumped online by the hacking collective 'D33Ds Company' following the compromise of a Yahoo subdomain. The attackers said that they managed to access the subdomain by leveraging a union-based SQL injection attack, which made the site return more information that it should have. According to Ars Technica, the dump also includes over 2,700 database table or column names and 298 MySQL variables retrieved during the attack." Update: 07/12 20:03 GMT by T :Reader techfun89 adds this update: "Yahoo has confirmed that the usernames and passwords of more than 400,000 accounts were stolen from their servers earlier this week and that data was briefly posted online. The information has since been removed but it wasn't just credentials for Yahoo, but also Gmail, AOL, Comcast, Hotmail, MSN, SBC Global, BellSouth, Verizon and Live.com as well."


233 comments

lastpass (2)

Dave Whiteside (2055370) | about 2 years ago | (#40626991)

you know it makes sense ...
every day there is another hack .... just waiting for the lastpass one now....

Re:lastpass (5, Insightful)

Anonymous Coward | about 2 years ago | (#40627027)

I sure wish these dumbasses would learn to secure their shit. SQL injection AGAIN? There's just no damned excuse for it.

This isn't hard to test for. Hell this isn't hard to guard against. This is a "oh I'll just shoot myself in the foot now, ah-hyuk! *BANG* Ow that hurts what happened?" type of negligence.

If the incompetent designers don't get their shit together you're going to see gov't get involved. All it would take is for a hack to finally affect the "right" people. Nobody wants that except gov't.

Plaintext passwords again? (5, Insightful)

gr8_phk (621180) | about 2 years ago | (#40627381)

SQL injection AGAIN? There's just no damned excuse for it.

Several people have made similar comments. What worries me is that they are not also slamming them for storing passwords in plaintext AGAIN. User passwords should not be stored anywhere on the system. You store a salt and hash of the password - this is fine for login, but fairly useless for hackers should they get it.

Re:Plaintext passwords again? (5, Informative)

Anonymous Coward | about 2 years ago | (#40627423)

SQL injection AGAIN? There's just no damned excuse for it.

Several people have made similar comments. What worries me is that they are not also slamming them for storing passwords in plaintext AGAIN. User passwords should not be stored anywhere on the system. You store a salt and hash of the password - this is fine for login, but fairly useless for hackers should they get it.

You don't store just any hash, you should store one that is expensive to compute, by using PBKDF2, bcrypt, scrypt or similar.

Re:Plaintext passwords again? (1)

Bengie (1121981) | about 2 years ago | (#40627461)

Expensive hashes are only good for weak passwords. Users shouldn't have week passwords. Just use a strong salted-hash, that's Good Enough(tm), don't care about slowness.

Re:Plaintext passwords again? (5, Funny)

Anonymous Coward | about 2 years ago | (#40627527)

What's wrong with users changing passwords every week?

Re:Plaintext passwords again? (4, Insightful)

arth1 (260657) | about 2 years ago | (#40627607)

What's wrong with users changing passwords every week?

I'll tell you what's wrong with that: Most users are human, and won't be able to remember their passwords if they change them often. Especially since most people have a handful or more passwords and PINs they have to remember.

Frequent password changes lead to either simplified passwords with a single short element that changes, or passwords that are written down on a post-it note or similar.

The greatest enemy of safe authentication is the CFO. After him or her, it's the user. You have to get both to play ball, and you don't do that by annoying either of them.

Re:Plaintext passwords again? (4, Informative)

Svippy (876087) | about 2 years ago | (#40627663)

What's wrong with users changing passwords every week?

I'll tell you what's wrong with that: Most users are human, and won't be able to remember their passwords if they change them often. Especially since most people have a handful or more passwords and PINs they have to remember.

Frequent password changes lead to either simplified passwords with a single short element that changes, or passwords that are written down on a post-it note or similar.

The greatest enemy of safe authentication is the CFO. After him or her, it's the user. You have to get both to play ball, and you don't do that by annoying either of them.

Correct, but I think he was pointing out that Bengie wrote 'week passwords' rather than 'weak passwords', i.e. I think the post was meant to be humorous.

Re:Plaintext passwords again? (1)

gmuslera (3436) | about 2 years ago | (#40627721)

It will be, for most users, changing passwords 7 times a week: one for changing it, the other 6 for the "I forgot my password" link. It's a problem, not a solution. One password for each service is bad enough; forcing a change to something different every week would be a killer.

Anyway, the fact that most are 123456 or password, and that the server stored them in plain text or in a format from which it is easy to obtain the original, puts the problem several layers above whether you force changes or not.

Re:Plaintext passwords again? (0)

Anonymous Coward | about 2 years ago | (#40627565)

Expensive hashes are only good for weak passwords. Users shouldn't have week passwords. Just use a strong salted-hash, that's Good Enough(tm), don't care about slowness.

But as we all know, users do use weak passwords.

Re:Plaintext passwords again? (2, Insightful)

Anonymous Coward | about 2 years ago | (#40627665)

Expensive hashes help regardless. You're always in a race against computing power. Take whatever handicaps you can get.
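The sub-thread above argues for a salted, deliberately slow password hash (PBKDF2, bcrypt, scrypt) and for treating the cost as a moving target against faster hardware. The following is an added example, not code from the thread or from any vendor, of that pattern using PBKDF2-HMAC-SHA256 from the Python standard library: a random per-user salt, a self-describing storage record, constant-time comparison, and a cost-upgrade check run after a successful login. The iteration count and record format are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor is an assumption for this example: tune it so one hash costs
# tens of milliseconds on the login servers, and raise it as hardware gets faster.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh random salt per user means two users with the same password get
    different records, and precomputed tables for the bare hash are useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def _parse(stored: str):
    """Split a record into (iterations, salt, digest); reject unknown formats."""
    algo, iters, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and cost; compare in constant time."""
    iterations, salt, expected = _parse(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the record was made with a lower cost than the current policy."""
    return _parse(stored)[0] < iterations


def login(password: str, stored: str, iterations: int = ITERATIONS) -> Optional[str]:
    """Verify the password and return the record to keep, upgrading it if stale.

    Login is the one moment the plaintext is legitimately in memory, so it is
    the only place an old record can be re-hashed at the new cost.
    Returns None on a wrong password.
    """
    if not verify_password(password, stored):
        return None
    if needs_rehash(stored, iterations):
        return hash_password(password, iterations=iterations)
    return stored


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("hunter2", record))                        # False
```

The record carries its own iteration count, so raising the policy does not invalidate existing users: their rows are upgraded one by one as they log in, which is the practical answer to the "race against computing power" point above.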

Re:lastpass (4, Interesting)

Runaway1956 (1322357) | about 2 years ago | (#40627447)

You're probably right. What's scary is - the government isn't a whole lot better at this stuff. I seem to recall a recent transatlantic telephone conference, involving multiple "intelligence" and/or "enforcement" agencies that was recorded by the very people being discussed.

Yeah, I really want some alphabet soup dude from Washington looking out for my internet security.

Re:lastpass (1)

mr1911 (1942298) | about 2 years ago | (#40627511)

If the incompetent designers don't get their shit together you're going to see gov't get involved.

That will certainly fix it. I can't wait for a bunch of lawmakers that think SQL is some sort of 'dirty text talk the kids use' to secure us online. No one can be sure what they will come up with, but the odds are pretty strong it would include a full body scan (with the ability to opt-out and get groped by the TSA instead) to get on the internet.

Re:lastpass (4, Funny)

Anonymous Coward | about 2 years ago | (#40627633)

Please, don't be so harsh on SQL Injection victims. It happens all the time, and even to the best developers. Even at Yahoo! Look, between you and me, we at Sony suffered a lot from attacks - allegedly SQLi attacks... but actually, it was something else: you say "guard" against it? We have here the best Javascript developers. Our JS code checks the user input several times, even before it reaches our servers! No, you really don't know what you are talking about.

Re:lastpass (0)

Anonymous Coward | about 2 years ago | (#40627643)

You didn't just lump in Goofy with these incompetent shitwizards, did you?

Re:lastpass (4, Informative)

bedroll (806612) | about 2 years ago | (#40627165)

This wouldn't terribly shock me, but it also wouldn't concern me much if it were to happen. While the data in a Lastpass vault is quite desirable, it's also much more securely stored than your average data set. Even if someone managed to get a dump of their entire data set they'd have to decrypt each vault individually. If you follow their recommendations then your vault is likely not easy to crack.

Most of all, I wouldn't be concerned because as Lastpass has shown in the past they take communications seriously. When they noticed strange traffic they immediately told their users to change their vault passwords. This is different than waiting for a whistle blower to come forward and then announcing the breach, or even waiting until an investigation proves there was no breach. That previous incident may have shook the faith of some, but the way the company handled it increased my faith in them.

Should a major breach happen I would simply change my vault password and then begin changing the passwords I have stored in the vault. Since Lastpass would alert me early on that the breach happened, by the time my vault was cracked - if at all - the passwords within would be useless.

Re:lastpass (1)

hades.himself (1678062) | about 2 years ago | (#40627287)

And yet they keep pushing OAUTH onto us.

Re:lastpass (3, Informative)

Anonymous Coward | about 2 years ago | (#40627297)

Better to use keepass then, because there is no central database of passwords for that.

Re:lastpass (1)

ZombieBraintrust (1685608) | about 2 years ago | (#40627659)

There could be a combined Dropbox Keepass attack. It would have the same effect as a lastpass hack.

Re:lastpass (0)

Anonymous Coward | about 2 years ago | (#40627735)

IT is corrupted..... Just sad

Obligatory (0, Troll)

Lumpio- (986581) | about 2 years ago | (#40627015)

I'm more surprised that Yahoo still had almost half a million users.

Re:Obligatory (-1)

Anonymous Coward | about 2 years ago | (#40627051)

Obligatory is a synonym for "redundant". Please mod according to the self-description.

Re:Obligatory (0)

Anonymous Coward | about 2 years ago | (#40627113)

It won't be long until they are forced to rebrand to Ya-who? As they continue their relentless decline into total insignificance...

Re:Obligatory (0)

Anonymous Coward | about 2 years ago | (#40627249)

In the US (5% of the world).

Re:Obligatory (1)

Anonymous Coward | about 2 years ago | (#40627385)

Remember Lycos? Yeah... didn't think so... History provides many examples of firms with shitty management that everybody eventually forgot. Yahoo has just been circling the drain for so long people are starting to believe it could defy gravity.

Re:Obligatory (2)

ElmoGonzo (627753) | about 2 years ago | (#40627569)

About 15 years ago, I had a yahoo email address and managed to lose/forget the password. There was no recourse so I stopped using that account. Hmmm, I wonder if it is one of the ones that got leaked and I can find it now.

Ah, injection attacks.. (5, Interesting)

Rei (128717) | about 2 years ago | (#40627017)

when will people ever learn? And not just SQL injection attacks. I had to actually write a destructive exploit for a popen injection attack on a MMORPG before the rest of the dev team would believe me that it was a serious vulnerability (it had code that if you said a URL, people could click on it... except they were just passing what the user wrote to popen, tacked to the end of your browser-launch string). People just never seem to wrap their heads around the fact that you never use raw user input for anything that a parser will look at, at any point in time!

Here's probably the funniest discussion thread on injection attacks [thedailywtf.com] , ever.

Re:Ah, injection attacks.. (4, Interesting)

Simon Brooke (45012) | about 2 years ago | (#40627067)

Here's probably the funniest discussion thread on injection attacks [thedailywtf.com] , ever.

That is indeed funny, in a most terrifying way!

Re:Ah, injection attacks.. (5, Funny)

ArcherB (796902) | about 2 years ago | (#40627085)

People just never seem to wrap their heads around the fact that you never use raw user input for anything that a parser will look at, at any point in time!

Here's probably the funniest discussion thread on injection attacks [thedailywtf.com] , ever.

So, can I trust YOUR link?

Re:Ah, injection attacks.. (1)

alphatel (1450715) | about 2 years ago | (#40627147)

So, can I trust YOUR link?

Only an arse would parse the terse farce of vars in pairs.

File (5, Interesting)

Anonymous Coward | about 2 years ago | (#40627019)

Does anyone have a link to the leak? You know, I want to check if my password was leaked.

Re:File (5, Informative)

Anonymous Coward | about 2 years ago | (#40627189)

http://it.slashdot.org/comments.pl?sid=2974701&cid=40627163

Re:File (1)

Amouth (879122) | about 2 years ago | (#40627371)

+1 thanks

Re:File (0)

Anonymous Coward | about 2 years ago | (#40627279)

Just type it in a reply below, like mine.
It will show ******* if it is still there!
******

Re:File (5, Funny)

HyperQuantum (1032422) | about 2 years ago | (#40627335)

hunter2

Re:File (1)

amw (636271) | about 2 years ago | (#40627403)

*******

Did you mean to type those?

Re:File (2)

Rude Turnip (49495) | about 2 years ago | (#40627411)

You just typed *******

Re:File (1)

broggyr (924379) | about 2 years ago | (#40627513)

I sure hope this is meant as a WHOOSH

Re:File (2)

broggyr (924379) | about 2 years ago | (#40627555)

Shit. Looks like I've been whooshed lol

how about checking (2, Informative)

Anonymous Coward | about 2 years ago | (#40627295)

how about checking more than just this leak...

have a look at http://bit.ly/rosGrL

regards

John Jones

Re:File (1)

Chessphoon (842886) | about 2 years ago | (#40627325)

This page lets you check your email address to see if it is part of the leak: http://www.afterdawn.com/yahoo_password_leak.cfm [afterdawn.com]

Re:File (1)

Anonymous Coward | about 2 years ago | (#40627355)

Does it say "Now it is!" when you submit yours?

Re:File (2)

N0Man74 (1620447) | about 2 years ago | (#40627687)

I'm paranoid, so I wondered the same thing about these "enter your address" lists on the 2 sites (that I had never heard of before) mentioned here.

However, it works with partial search too. You don't have to have the entire address to match.

Google for it? (1)

k(wi)r(kipedia) (2648849) | about 2 years ago | (#40627353)

Try it. Requires some G-fu but the https:// URL is discoverable within minutes.

Re:File (4, Informative)

dsinc (319470) | about 2 years ago | (#40627685)

https://d33ds.co/archive/yahoo-disclosure.txt [d33ds.co] The server is belly up, though, as I write this (7:15am PDT). Please mirror, if you can get your hands on the list. Another list of the compromised accounts (search enabled, no passwords), is here http://dazzlepod.com/yahoo/ [dazzlepod.com]

Re:File (4, Informative)

Thelasko (1196535) | about 2 years ago | (#40627775)

Does anyone have a link to the leak? You know, I want to check if my password was leaked.

Here you go. [dazzlepod.com]

who uses yahoo (0)

Anonymous Coward | about 2 years ago | (#40627043)

450000? so about 15 are real email accounts that people use.

Re:who uses yahoo (3, Informative)

Zaiff Urgulbunger (591514) | about 2 years ago | (#40627409)

450000? so about 15 are real email accounts that people use.

I only skimmed TFA and it seemed to indicate that these were probably related to the Yahoo! Voice service... whatever that is.

As for their email, probably quite a lot of people do use it as some ISPs use Yayhoo! to supply their own-branded email. BT Internet in the UK for one anyway.

common security practices? (5, Interesting)

Rachael (244242) | about 2 years ago | (#40627049)

Seems to be common practice that sites store plaintext passwords these days; one would think the programmers knew better. Is it an attempt to speed-optimize things, so they leave out hashing?
Or is there a more sinister reason, someone twisting their arm?

Re:common security practices? (4, Interesting)

Kyrene (624175) | about 2 years ago | (#40627069)

Once worked in a place where the "architect" swore up and down that his "philosophy" was that if people were to hack into the database, they wouldn't then get the keys to the account, they'd go for other details like credit cards and what-not, so there was no reason for encryption. Very glad I'm not working there anymore because arguing with him was useless. Once his mind was made up, that was that.

Re:common security practices? (1, Insightful)

shentino (1139071) | about 2 years ago | (#40627137)

The only answer is that if the guy who owns the fucking playground doesn't want you on their toys, leave.

Re:common security practices? (4, Insightful)

Rei (128717) | about 2 years ago | (#40627079)

I think in most cases, they honestly don't know any better, followed by as the next most likely reason, they were too lazy. Sinister reasons is probably number three. I doubt optimization makes the top 10.

Re:common security practices? (0)

Anonymous Coward | about 2 years ago | (#40627581)

I wrote my first php/mysql application about 3 months ago, and even I knew better. So I think you have the first 2 mixed up: In most cases, they were just too lazy.

Subsequently, posted this as AC, because I'm too lazy to login...

Re:common security practices? (4, Insightful)

arth1 (260657) | about 2 years ago | (#40627715)

I think in most cases, they honestly don't know any better, followed by as the next most likely reason, they were too lazy.

Never underestimate the push of S&M to get things out the door, not as soon as possible, but earlier than that. Waiting days or weeks for proper authentication to be implemented and tested means days or weeks without sales bonuses for them. They'll likely be long gone by the time anyone breaks in anyhow.

It doesn't matter much if the developers and technical admins say that it's sheer lunacy if the CFO says you need to release nao because S&M told him so.

It's even worse in companies that work on a project model where they move all devs and techs who know the project off it at release, without ever looking back. Then it's a certainty that it'll never get fixed.

stinking unions (5, Funny)

reasterling (1942300) | about 2 years ago | (#40627075)

they managed to access the subdomain by leveraging a union-based SQL injection attack.

So, the republicans are right. Unions are evil. ;)

I've used yahoo voice in the past (2)

circletimessquare (444983) | about 2 years ago | (#40627083)

Just changed my password.

Thanks Slashdot, seriously.

Re:I've used yahoo voice in the past (1)

sticks_us (150624) | about 2 years ago | (#40627231)

Just dumped all my yahoo accounts (had two spam accounts and one personal account).

I've had them since the late 1990s, and while I hate to kick someone while they're down, the service has only gotten worse lately--spam, unwanted yahoo! instant messenger robot requests, "Temporary Problems Accessing Your Account" messages--the whole deal.

This kills it for me. I interviewed with Yahoo! about six years ago (didn't make it past the second cut, so yeah, I'm a moron) and was VERY impressed with how smart their teams were. Wonder if all the good ones left or got fired somewhere. Too bad, really.

Sorry guys, but thanks for the great 15 years!

Re:I've used yahoo voice in the past (2)

circletimessquare (444983) | about 2 years ago | (#40627407)

did you use yahoo voice? only yahoo voice customers were affected

not that this story shouldn't change your opinion of yahoo, and therefore dumping them is a good choice on your part

i'm just saying the article specifically mentions yahoo voice customers as the victims, which i was about 2 years ago, but, if you weren't, you should be ok

That explains things (4, Interesting)

halcyon1234 (834388) | about 2 years ago | (#40627089)

That explains why, about a month ago, I got a whole rash of "omg funy click here" spam mails from friends with yahoo email addresses (and only yahoo email addresses). I wonder how recent this password dump is. I might have to recommend another round of reset-to-something-complex. My first recommendation was STOP USING YAHOO FFS!, but no one does that =(

Re:That explains things (1)

unixisc (2429386) | about 2 years ago | (#40627199)

Thanks for saying what it was. A month ago, I saw a whole bunch of "message unsuccessful" notices for everyone in my contacts, which is actually a huge number since I have all my job contacts there. Two or three people told me that I was infected w/ a virus. I used Thunderbird at the time as my e-mail client, but following this, I changed my password. I recognize that I may have to migrate this account, but it has too much stuff to make it a trivial exercise. And since I use plenty of folders, Gmail won't do here.

This was scary, b'cos I thought my PC might have a virus, despite the anti-virus that I have. And the auto-signature that Yahoo! attaches every time makes one pause to wonder.

If it was just my personal e-mail to a few family members & friends, switching would be no big deal. Unfortunately, in my case, it's the e-mail that I use for all my job contacts, bank info contacts and so on, so changing all that is by no means trivial.

Re:That explains things (4, Informative)

deicide (195) | about 2 years ago | (#40627237)

And since I use plenty of folders, Gmail won't do here.

Gmail works fine with folders. You can set up Thunderbird with Gmail's IMAP and then drag/drop your Yahoo folders onto it to migrate all your old mail.

Re:That explains things (1)

Runaway1956 (1322357) | about 2 years ago | (#40627547)

Your antivirus only protects you from old, obsolete viruses. It doesn't protect you from anything current. Go to infectymypc.com and check it out!

Re:That explains things (0)

Anonymous Coward | about 2 years ago | (#40627251)

I saw that start right after the twitter password grab. It was most certainly for those that used the same password for both. An added wrinkle was that when I was assisting some people after that, their online administration password had been changed but not the pop/smtp ones for those that had email addresses from the companies that had partnered long ago, sbc, bellsouth, etc. So they had to call customer support to change passwords if they had not added extra password protection during all the sbc/yahoo/att churn over the years.

TWO moronic 'Americanisms' in one sentence! (-1)

Anonymous Coward | about 2 years ago | (#40627091)

"which made the site return more information that in should have"

THAT

IN

Huh?

Fucking Americans.

It's THAN IT should have - you morons.

First you start using 'that' and 'then' instead of 'that', and now you not only do that, but you use 'in' instead of 'it' - and NOBODY here noticed! You morons!

Re:TWO moronic 'Americanisms' in one sentence! (4, Insightful)

Dog-Cow (21281) | about 2 years ago | (#40627215)

You are not an idiot. Idiots are brilliant in comparison to what you are.

Re:TWO moronic 'Americanisms' in one sentence! (1)

Runaway1956 (1322357) | about 2 years ago | (#40627567)

Is that a nice thing to say about an obsessive compulsive anal retentive person?

Re:TWO moronic 'Americanisms' in one sentence! (1)

DynamoJoe (879038) | about 2 years ago | (#40627533)

Hey, you're right. You're a nobody and you noticed. Attaboy, AC!

From Mikko Hypponen (1)

Orm (23588) | about 2 years ago | (#40627119)

"I'm really surprised that Yahoo leaked 450,000 user passwords. I had no idea Yahoo still had that many users." (link) [twitter.com]

"Had another look at the latest Yahoo password leak. There are two users with the password 'hunter2'. (See QDB: http://bash.org/?244321 [bash.org] )" (link) [twitter.com] .

This company 'd33d' (0)

Anonymous Coward | about 2 years ago | (#40627131)

First they sound a bit on the childish side with the silly name, second - why do they do it? They aren't getting money from this are they?
Can someone explain this?

Re:This company 'd33d' (4, Insightful)

ledow (319597) | about 2 years ago | (#40627291)

1) To show they can
2) To make Yahoo look bad (and boy should they look ashamed at the moment!)
3) To highlight a security flaw that Yahoo may have been knowingly ignoring
4) Because they stumbled across it and realised they COULD dump all the passwords and then it snowballed.

Or a million and one other reasons. Hell, I've found sites where I could have done all sorts of damage via SQL. Not everyone is nice enough to inform them and if you inform them and are ignored ("nobody would ever try to do that on our live website, so we won't fix it"), would you rather someone else found out, or you forced that site to tighten up?

Just think - if they hadn't done it, 450,000 people would have their emails and passwords floating around on hacker forums eventually anyway and it wouldn't make the news at all.

File here: (5, Informative)

Anonymous Coward | about 2 years ago | (#40627163)

http://d33ds.co/archive/yahoo-disclosure.txt

Slashdotted, more info here:
http://dazzlepod.com/yahoo/

SQL Injection, in this day and age?

Fuck yahoo, fuck the cloud, fuck all the big providers...

Re:File here: (1)

jonwil (467024) | about 2 years ago | (#40627277)

Thanks for that link, looks like my password was not stolen.

Re:File here: (3, Insightful)

ledow (319597) | about 2 years ago | (#40627345)

Because not having your password appear on a single leaked list of a limited number of usernames hacked from Yahoo by an SQL injection from a public site from an unhashed database is obviously reason to just relax and know that everything is okay.

Who cares if you're on the list? If you're using Yahoo, change your password, change your account, change your online service provider to anything but Yahoo.

SQL injection on public sites with unhashed passwords stored in open databases. This is like saying "Hell, my house wasn't burgled this week - Phew! I can continue using the security company whose alarms don't work, their security personnel never arrive and they leave all my doors unlocked!"

Yahoo Mail? (1)

Jason Levine (196982) | about 2 years ago | (#40627205)

Does this include Yahoo Mail accounts?

I know that, awhile back, my account was logged into from some other country (someplace in South East Asia, IIRC) and a bunch of spam links were sent to my contacts. I had a complex password and they didn't change any information. (Odd, since I thought one of the first things a hacker would do is change the password to hold onto the hacked account.) I changed my password and sent folks notice about the hacking. (No, I didn't click on any links or run any programs that would have caused this. I'm extremely careful about security.)

Months later, for a few weeks, I kept getting notices about someone trying to reset my Yahoo Mail password. I kept a close eye on the situation, but it never seemed to progress beyond trying to use the password reset tool to get into my account.

I don't even actively use my Yahoo Mail address anymore. Over the years, it got too clogged with spam and I much prefer GMail. Still, I keep it around just in case.

Re:Yahoo Mail? (2)

ledow (319597) | about 2 years ago | (#40627239)

I don't know, it seems to be quite limited. There's tons of gmail and other domain addresses in there. I think it could be either what you signed up to Yahoo Voice as, or what you signed up to Yahoo as and they only got some addresses before they got caught (or aren't posting all the addresses they captured).

There's even a few old Geocities addresses in there, which were later changed to "username.geo@yahoo.XXX" addresses when Yahoo took over:

http://dazzlepod.com/yahoo/?email=.geo%40yahoo [dazzlepod.com]

If nothing else, given their lax security and data protection (Completely unhashed passwords? Really?), I'd change any account password on a Yahoo account, and any password on an account you've used on Yahoo (e.g. if you've plugged your GMail or messenger or any address into your Yahoo account for whatever reason - e.g. POP3 collection of other accounts or whatever).

Still don't know my yahoo password... (0)

Anonymous Coward | about 2 years ago | (#40627207)

My yahoo password has been forgotten for some time now and I can't remember any of the "registration details" that I used to make it anonymous, so a reset is also not impossible. I was hoping that maybe this password dump would help me out but no... they didn't dump the password to my account... grmpf!

The alternative is worse (1)

XB-70 (812342) | about 2 years ago | (#40627245)

Having my password leaked online with all the potential that that holds is far less abusive than what Yahoo! does with the information in my emails.

something missing? (2)

issicus (2031176) | about 2 years ago | (#40627269)

I'm sorry, maybe I missed something, how do I know if my password was stolen? Also YELLING isn't always a bad thing, CAPS.

xkcd reference... (1)

jelle (14827) | about 2 years ago | (#40627323)

Obligatory xkcd reference

http://xkcd.com/327/ [xkcd.com]

Am I missing something...? (1)

Assmasher (456699) | about 2 years ago | (#40627351)

I presume that you cannot actually reach the DB directly (it is shocking how many people in smaller companies have their DB actually in their DMZ), so they must be pushing the SQL injection through an actual Yahoo API, right?

How hard is it to evaluate a string for potential danger?

Surely API calls can be divided into context and 'grammars' of a sort, then these API calls can identify whether a given string is more or less likely to be a threat by keywording, if anything is suspicious (and at this level there will likely be a lot of false positives) you perform a more thorough evaluation based upon the context of the call, and so on...?

Anybody out there do this for a living? Insights please :)

Re:Am I missing something...? (1)

TheNinjaroach (878876) | about 2 years ago | (#40627459)

How hard is it to evaluate a string for potential danger?

If you are evaluating a string for danger, you're doing it wrong.

I'm starting to think that web developers should be licensed before they're allowed to generate a single statement of SQL.

Re:Am I missing something...? (1)

Assmasher (456699) | about 2 years ago | (#40627491)

I'm not sure I understand where you're going with this, I evaluate ALL external input (not just from users) for danger.

I'm not a web developer though (mobile/thick client/enterprise only) which is why I asked if I was missing something since this seems trivial to do...

Re:Am I missing something...? (0)

Anonymous Coward | about 2 years ago | (#40627635)

I'm not sure I understand where you're going with this, I evaluate ALL external input (not just from users) for danger.

I'm not a web developer though (mobile/thick client/enterprise only) which is why I asked if I was missing something since this seems trivial to do...

"Evaluate for potential danger" sounds like it's searching the string for certain characters. The proper way to do it is to escape strings before using them in SQL statements. Or even better, to use a library that does it all for you so that you don't get caught out by some obscure syntaxes you didn't think about.

Re:Am I missing something...? (2)

drkstr1 (2072368) | about 2 years ago | (#40627821)

Not all dangers can be known, so it is better to parse for what you need (white list), and use it as data in a type safe command (ORM, stored procedure, etc). This ensures that the only operations that will run are the ones you have written yourself.

Re:Am I missing something...? (4, Informative)

JDG1980 (2438906) | about 2 years ago | (#40627469)

How hard is it to evaluate a string for potential danger?

Pretty hard, if you don't want to corrupt user data. A botched attempt to do so is how the bogus word "medireview [wikipedia.org] " was created.

What they really should be doing is using parameterized queries [codinghorror.com] so that the user-input strings cannot be treated as SQL commands, but will always be treated as data.

Re:Am I missing something...? (1)

Assmasher (456699) | about 2 years ago | (#40627677)

I didn't say "correct potential danger", I said "evaluate." Replacing things (a la medireview) is a flat-out stupid approach anyhow, lol (thanks for the link - it made me laugh.)

I agree that everyone should use parameters instead of string concatenation, but that doesn't make things safe, it just makes them a little bit safer. Parameters don't help if someone passes the user name "';drop table important_table"

ALL input MUST be sanitized whether you use parameterized SQL or not; ergo, you must evaluate the data in some context.
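The thread above argues over three approaches: keyword-based "evaluation" of strings, escaping or blacklist rewriting (the medireview case), and parameterized queries plus a whitelist for the parts a driver cannot bind. The following is an added example, written for this page and not code from any commenter or from Yahoo, that runs all three against the same inputs on a constructed in-memory SQLite schema (the table names, rows, and the "important_table" from the comment above are made up for the demo; the Yahoo dump is not reproduced). It shows a union-based injection of the kind the article describes succeeding against string concatenation, the identical payload being treated as plain data by a bound parameter, a whitelist guarding an ORDER BY column that cannot be parameterized, and a blacklist rewrite corrupting legitimate input.

```python
import sqlite3

# Constructed demo schema and rows for this example only (not Yahoo's data).
SETUP = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users (username, password)
    VALUES ('alice', 'hunter2'), ('bob', 'correct horse');
CREATE TABLE important_table (secret TEXT);
INSERT INTO important_table VALUES ('nothing to see here');
"""


def fresh_db():
    """Return a throwaway in-memory database populated with the demo rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP)
    return conn


# Vulnerable: user input is concatenated into the statement text, so the
# SQL parser sees the payload as SQL. This is the shape of bug behind a
# union-based injection: the attacker closes the string literal, appends a
# UNION SELECT with a matching column count, and comments out the tail.
def lookup_vulnerable(conn, username):
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


# Safe: the same query with a bound parameter. The value travels separately
# from the statement text, so quotes, UNION and semicolons in it are just
# bytes in a string and can never change the query structure.
def lookup_parameterized(conn, username):
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


# Identifiers (table and column names) cannot be bound as parameters, so the
# "parse for what you need" approach from the thread applies: accept only
# values from a fixed whitelist and reject everything else outright.
ALLOWED_SORT_COLUMNS = {"id", "username"}


def list_users_sorted(conn, sort_column):
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sort_column)
    return conn.execute("SELECT username FROM users ORDER BY " + sort_column).fetchall()


# A blacklist rewrite of the kind the medireview link describes: substrings
# that look dangerous are replaced wholesale. It does nothing for structure
# and silently corrupts ordinary words that happen to contain the pattern.
def blacklist_sanitize(text):
    return text.replace("eval", "review")


# Union-based payload: 'x' matches nothing, the UNION pulls a row from another
# table with the same column count, and "--" comments out the trailing quote.
UNION_PAYLOAD = "x' UNION SELECT 1, secret FROM important_table --"

if __name__ == "__main__":
    conn = fresh_db()
    print("concatenated:", lookup_vulnerable(conn, UNION_PAYLOAD))
    print("parameterized:", lookup_parameterized(conn, UNION_PAYLOAD))
    print("drop attempt as data:", lookup_parameterized(conn, "';drop table important_table"))
    print("blacklist on 'medieval':", blacklist_sanitize("medieval"))
```

Run stand-alone, the concatenated query returns the row from important_table while the parameterized one returns nothing, and the "';drop table important_table" username from the comment above simply matches no user: the table is untouched because the parameter is never parsed as SQL. The whitelist is the only piece that needs any per-context judgement, and it rejects rather than rewrites.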

Passwords link (0)

Anonymous Coward | about 2 years ago | (#40627399)

Passwords, 17MB, do not open, save as instead

http://d33ds.co.nyud.net/archive/yahoo-disclosure.txt

Not to worry... (0)

Anonymous Coward | about 2 years ago | (#40627401)

Nothing of value was lost, ask any insurance company.

how many passwords? (0)

Anonymous Coward | about 2 years ago | (#40627415)

Technically, it was around 4500 unique passwords. The remaining half million oddly enough were all "free2rhyme"...

slashdotted? (1)

synapse7 (1075571) | about 2 years ago | (#40627489)

Lots of sites are reporting this, and apparently enough ppl still have yahoo accounts that they care enough to change the password on; I wasn't able to log in.

Re:slashdotted? (1)

synapse7 (1075571) | about 2 years ago | (#40627603)

I was able to get it. Is it possible to change the site to prefer SSL?

Password Recovery (1)

Fls'Zen (812215) | about 2 years ago | (#40627537)

Maybe my 1990s-era Yahoo account password was leaked--I'll finally be able to regain access to my account!

Unencrypted? Meaning plain text? (0)

Anonymous Coward | about 2 years ago | (#40627575)

I think the real news is Yahoo stores passwords "unencrypted", though one rarely does encryption for passwords just hashing. Maybe the story meant they are stored "unhashed" or "plain text".

And another! (1)

wicka_wicka (679279) | about 2 years ago | (#40627611)

I'm starting to think I should just not have an account anywhere. That's hyperbole, of course, but there's a new hack every week and I don't have a good enough memory to use completely unique passwords for every account.

sigh.... anyone found it yet (1)

TheCarp (96830) | about 2 years ago | (#40627651)

I did some quick looking around but, can't find a link to the actual list of accounts and passwords. Anyone found it?

Seems to me that just a few months ago, before pastebin got their panties in a bunch about password lists, it was a lot easier to check and see if your accounts are on the list.

Not even sure if mine are, or if any are that I care about; most of them, I think, have good passwords, but fuck, it would be nice to know. Hell, there is no guarantee that even a good password doesn't hash to the same thing as some bad one that ends up in the rainbow tables.

Shit even just a list of accounts without the passwords would be nice...though.... it is always fun to laugh at other people's passwords. Actually, I know for a fact that my "insecure password" that I use for free throwaway websites is used by someone else because of leaks like this.

Now we wait... (0)

hesaigo999ca (786966) | about 2 years ago | (#40627655)

...for the yahoo stocks to plummet until they go bankrupt.

Funny how there's no list this time. (1)

multicoregeneral (2618207) | about 2 years ago | (#40627697)

Usually, when you see one of these happen, you can find a list somewhere, so you can see if you're on it. I can't seem to find the actual list this time. Does one exist?

Cleartext?? (1)

ternarybit (1363339) | about 2 years ago | (#40627731)

Sure, SQL injection shouldn't work, but it wouldn't matter as much if Yahoo hashed passwords in bcrypt or similar. Why the hell do they store cleartext passwords in a database?

BTW, the file is called yahoo-disclosure.txt.

Now maybe I can get the passwd my old account! (1)

Ricochet (16874) | about 2 years ago | (#40627767)

Dang I can't recall the last time I logged in there but I do recall that I had forgotten the password. Now maybe I can log in again. Hmm wonder what my aol, compuserve and Prodigy passwords are too?

And I don't mean Young (1)

Impy the Impiuos Imp (442658) | about 2 years ago | (#40627865)

Stickin' it to corporations is one thing, but huge numbers of people? Didja never see the end of Frankenstein?
