Yahoo Leaves 450,000 Passwords Unencrypted & Gets Hacked

Jul 18 2012, 10:54 AM by Hal Licino

The world at large views the huge internet conglomerates as monolithic temples to technological wizardry and fails to realize just how many of these household names are actually fogs of confusion and ineptitude. The point is driven home whenever a major hack is revealed, via security holes in their fundamental IT infrastructure that an entire aircraft carrier could have been sailed through… sideways.
The Passwords Were Stored in Unencrypted Plain Text
The latest “whoops moment” occurred when nearly 450,000 users of Yahoo’s services had their email addresses and passwords leaked in a security breach. Yahoo has confirmed this worrisome news but, to mollify its critics, added that only five percent of what was stolen was still valid. In a statement the company said that the attackers found an older file on the Yahoo Contributor Network (a platform for sharing content) and accessed it.

The stolen email addresses and passwords included some from Yahoo’s own email service and many from other providers. The aspect that most disturbed industry observers is that these passwords were stored in plain text, neither hashed nor encrypted, which would seem to be the most basic precaution that a company such as Yahoo could have taken with such critical personal data. Strictly, the standard precaution is a salted, slow hash rather than encryption: a hash lets the site check a login without ever being able to recover the password, whereas an encrypted password is only as safe as the key kept beside it.
The Horse Is Now Fleeing across the Cyberfield
Now that the horse is fleeing across the cyberfield, leaving the opened barn door behind him, Yahoo reports that the vulnerability that led to the disclosure is being fixed and that affected users are having their passwords changed. The company has also notified other companies so that they can warn their users that their accounts could have been compromised, and its statement apologized to everyone affected.
A Bunch of hax0rs Getting Their lolz
Various tech news sites have identified the hackers as a group called the D33D Company, whose domain is registered in Ukraine to a typically fake phone number and invalid email address. The group was not previously well known and has claimed responsibility for stealing the unencrypted passwords through an SQL injection. That is an attack in which input supplied by a visitor (a search term, a login field, a URL parameter) is pasted straight into the text of a database query, so that a crafted string becomes part of the query itself and can pull rows out of any table the application’s database account can read, not just the ones the page was meant to show. Hackers often attempt to place a veil of legitimacy over their criminal actions, and D33D is no exception. The group stated that it hoped the parties responsible for security on the sub-domain would take the attack as a wake-up call. This is typical of hackers who claim to be freelancers altruistically working to improve the state of internet security as a whole, rather than a bunch of hax0rs getting their lolz.
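To make the mechanism concrete, here is an added example (not code from the original post, and not a reconstruction of the Yahoo sub-domain) of the pattern that makes SQL injection possible and the one-line fix. It builds an in-memory SQLite database with a constructed `users` table and `articles` table, runs a title search written the injectable way (input concatenated into the query text) beside the same search written with a bound parameter, and feeds both a hypothetical UNION payload that asks the database for the users table instead of articles. The table layout, the payload and the sample rows are all assumptions for illustration.

```python
import sqlite3

# Constructed sample data standing in for a content platform's user and
# article tables; these are not records from the breach.
SAMPLE_USERS = [
    ("alice@example.com", "123456"),
    ("bob@example.com", "password"),
    ("carol@example.com", "welcome"),
]
SAMPLE_ARTICLES = [("Ten Tips for Better Tomatoes", "alice")]

# Hypothetical payload aimed at a title-search box. The leading quote closes
# the string literal the application opened, UNION bolts a second SELECT onto
# the query, and "--" comments out whatever the application appends after it.
UNION_PAYLOAD = "nope' UNION SELECT email, password FROM users --"


def build_db():
    """In-memory SQLite database with a users table and an articles table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.execute("CREATE TABLE articles (title TEXT, author TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO articles VALUES (?, ?)", SAMPLE_ARTICLES)
    return conn


def search_articles_vulnerable(conn, term):
    """The injectable pattern: user input spliced into the SQL text.

    Only the articles table is meant to be reachable, but the query text is
    whatever the caller makes it, so a crafted term rewrites the query.
    """
    sql = "SELECT title, author FROM articles WHERE title LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_articles_safe(conn, term):
    """Same search with a bound parameter: the input can only ever be a value."""
    sql = "SELECT title, author FROM articles WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # The vulnerable search returns the users table; the safe one returns nothing.
    print("vulnerable:", search_articles_vulnerable(db, UNION_PAYLOAD))
    print("safe:      ", search_articles_safe(db, UNION_PAYLOAD))
```

The parameterized version is not "escaping": the database driver sends the query text and the value separately, so no string the visitor types can change the statement's structure. That is the check to apply to any code that builds SQL by concatenation, regardless of which table it reads.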
Yahoo Failed Here
In this case, however, the website violators may have had a point. Experts in online security said Yahoo could have taken more steps to protect the stored information. TrustedSec described Yahoo’s failure to encrypt the data as “most alarming,” while Eurosecure stated that “Yahoo failed fatally here.” This is not the first time Yahoo has been accused of handling its users’ passwords in a cavalier manner bordering on the absurd.

Earlier this year, the company turned over 70 million user passwords to the University of Cambridge for statistical analysis. According to Eurosecure, had Yahoo implemented industry standard practice it could not simply have compiled a list of passwords and sent them out, because per-user salted hashing would have left it holding only hashes, from which the passwords cannot be read back. This points to a far more profound lack of security deep within Yahoo, and certainly one that should concern any Yahoo user.

Even in light of all these hacks, users are still choosing absurdly simple passwords: the top three exposed in this breach were 123456, password and welcome. Salted hashing would not have saved those, since an attacker simply tries the common guesses against each hash. But even the most complex passwords are useless if the sites we trust leave them essentially out in the open.
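The two points above, that salted hashing leaves a site with nothing it could "compile into a list", and that it still does not rescue passwords like 123456, can be shown together. The following is an added example, not code from the original post and not a description of how Yahoo stored anything: it hashes a few constructed sample accounts with PBKDF2-HMAC-SHA256 and a random per-user salt, verifies logins against the stored records, and then runs the offline wordlist attack an attacker would run against such a leaked table. The iteration count, the account list and the wordlist are assumptions for illustration.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor. Assumption: a figure in the range current
# guidance recommends; tune it so one verification costs tens of milliseconds
# on your own hardware.
ITERATIONS = 210_000

# Constructed sample accounts (not breach data). The first three use the
# passwords the article lists as the most common in the leak.
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "123456"),
    ("bob@example.com", "password"),
    ("carol@example.com", "welcome"),
    ("dave@example.com", "m4rbled-GRAPHITE-pelican-71"),
]

# Constructed attacker wordlist of common guesses.
WORDLIST = ["123456", "password", "welcome", "qwerty", "letmein"]


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def build_password_table(accounts, iterations=ITERATIONS):
    """What the site stores: email plus hash record, never the password itself."""
    return [(email, hash_password(pw, iterations)) for email, pw in accounts]


def crack_with_wordlist(table, wordlist):
    """Offline guessing against a leaked hash table.

    Because every record has its own salt, each guess costs a full PBKDF2 run
    per record and precomputed tables are useless; weak passwords still fall.
    """
    recovered = {}
    for email, record in table:
        for guess in wordlist:
            if verify_password(guess, record):
                recovered[email] = guess
                break
    return recovered


if __name__ == "__main__":
    table = build_password_table(SAMPLE_ACCOUNTS)
    for email, record in table:
        print(email, record)            # no plaintext anywhere in storage
    print("recovered:", crack_with_wordlist(table, WORDLIST))
```

Run it and the stored table contains only salted digests, so there is no password list to hand to anyone, yet the three accounts with common passwords are recovered after a handful of guesses while the fourth survives the wordlist. The work factor governs how expensive each of those guesses is; it does not make a guessable password unguessable.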

Posted in Current Events, Tech Editorial

Lynn Dalsing

Jul 20 2012, 04:15 PM

Thanks for the post! I was caught up in this (with my gmail account no less!). A great resource for checking if your email was affected is: http://dazzlepod.com/yahoo/. I was incredibly impressed with Soap.com, Twitter, and Amazon for quickly sending out a note to me because they were concerned that I might have used the same password on those sites as the one that was hacked. Kudos to their email teams for being on the ball.