Yahoo Hack Leaks 453,000 Voice Passwords

  /     /     /  
Publicated : 22/11/2024   Category : security


Yahoo Hack Leaks 453,000 Voice Passwords


Yahoo passwords were stored unencrypted and stolen via a SQL injection attack, attackers claim. Meanwhile, Formspring resets passwords for 28 million users after a password breach.



Who Is Anonymous: 10 Key Facts (click image for larger view and for slideshow)
Yahoo Voices users: Change your Yahoo password immediately.
A hacker or hacking group that bills itself as D33Ds Company Thursday leaked what it said were plaintext passwords for 453,492 Yahoo accounts, as well as over 2,700 database table or column names, and 298 MySQL variables. D33Ds said it obtained the data by executing a
SQL injection attack
against an unnamed Yahoo subdomain, which security experts have identified as being Yahoo Voices.
We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat, read a note included in the password dump. There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.
[ It has been a bad week for Yahoo when it comes to security issues. Read
Yahoo Defends Android App, Botnet Questions Remain
. ]
A Yahoo spokesman said that the company is currently investigating the alleged password leak. We are currently investigating the claims of a compromise of Yahoo! user IDs. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at
security.yahoo.com
, he said. At Yahoo we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products.
According to security researchers, the leaked data came from the Yahoo Voices service. Thats because, while most subdomain details were excised from the data dump, the attacker forgot to remove the hostname dbb1.ac.bf1.yahoo.com (credit to Mubix for the hostname find). Looking through a variety of sources, it appears that the compromised server was likely Yahoo! Voices which was formally known as Associated Content, according to Trusted Security. But according to the
Guardian
, the last entries in the data dump
link to IDs created in 2006
, suggesting that the password list may date from that time.
Yahoo bought Associated Content in May 2010 for $100 million, then renamed the service as Yahoo Voices. Which Yahoo Voices users have been affected by the breach? The Dazzlepod website has collected a
searchable list
of affected usernames and email addresses.
The Yahoo Voices password breach follows recent
password breaches involving LinkedIn
, as well as
eHarmony and Last.fm
. All of those breaches came to light only after stolen password hashes were posted to online forums. Unlike LinkedIn, eHarmony, and Last.fm, however, according to D33Ds, Yahoo wasnt even
hashing its passwords
. Instead, it said theyd been stored in unencrypted format, which would mean that Yahoo had fumbled a crucial information security best practice.
In online forums, some posters posited that the plaintext passwords may date from Yahoos acquisition of Associated Content in 2010. Most likely a dump of old tables before authentication was migrated to login.yahoo.com. Shouldve dropped these tables after the migration, said mathrawka, who claimed to have previously been a developer involved with Yahoos single sign-on system, in a post to Hacker News.
If--as D33Ds Co. claimed--Yahoo was storing passwords in
plaintext format
, privacy experts foresee FTC sanctions. Notably, privacy researcher Christopher Soghoian
said via Twitter
that theres a strong chance of FTC deception case re: Yahoo password breach via claim it maintains reasonable electronic safeguards, and referenced Yahoos privacy policy. The first line of that policy states: Yahoo! takes your security seriously and takes reasonable steps to protect your information.
According to Soghoian, the
FTCs complaint against RockYou
, from which an attacker
obtained and leaked 32 million passwords
, focused on RockYous privacy policy, which promised that RockYou! uses commercially reasonable ... safeguards to preserve the integrity and security of your personal information. But the FTC alleged that RockYous actual security safeguards werent reasonable, in part because the website had failed to protect its website from ... commonly known or reasonably foreseeable attacks from third parties attempting to obtain access to customer information stored in [RockYous] databases.
SQL injection attacks are one of the
most common types of attacks
used to compromise websites and databases, and a favorite of hacktivist collectives,
including Anonymous
. Such attacks work by
injecting SQL commands
into databases. When databases dont properly screen such inputs for signs of attack, attackers have an easy-to-use technique for obtaining sensitive information from databases. A variety of freely available
automated SQL injection attack tools
further simply the process.
The Yahoo Voices password breach leak comes just one day after reports that 420,000 password hashes from question-and-answer website Formspring had been posted to a hacking forum. We learned this morning that we had a security breach where some user passwords may have been accessed, said Formspring CEO Ade Olonoh in a
blog
posted Wednesday. In response, the company disabled passwords for all of its 28 million users.
We apologize for the inconvenience but prefer to play it safe and have asked all members to reset their passwords, said Olonoh. Users will be prompted to change their passwords when they log back into Formspring. He also detailed
recommendations for creating strong passwords
.
Later Wednesday, Olonoh posted additional details about the attack. We found that someone had broken into one of our development servers and was able to use that access to extract account information from a production database, he said. We were able to immediately fix the hole and upgraded our hashing mechanisms from SHA-256 with random salts to
Bcrypt
, to fortify security. We take this matter very seriously and continue to review our internal security policies and practices to help ensure that this never happens again.
Formspring has been forthright about rapidly notifying users of a breach, detailing the problem, as well as immediately putting in place a solution. Will Yahoo follow suit?
Editors note: Corrected spelling of D33Ds hacker group.
Employees and their browsers might be the weak link in your security plan. The new, all-digital
Endpoint Insecurity
issue of Dark Reading shows how to strengthen them. (Free registration required.)

Last News

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Yahoo Hack Leaks 453,000 Voice Passwords