
If the news that the Yahoo! Contributor Network user-generated content site has been breached and more than 450,000 usernames and passwords compromised as a result wasn't bad enough, look behind yesterday's headlines and the situation is revealed to be much, much worse. If you were one of those folk who signed into the Yahoo! Contributor Network with your Gmail or Hotmail credentials, then those accounts are also obviously now compromised.


The D33Ds Co hacker collective has published a file containing all the login data from the breach, which appears to have been as simple as the most basic of SQL injection exploits. No, seriously: Yahoo! (one of the biggest Internet brands on the planet) appears to have fallen victim to one of the easiest of all security vulnerabilities to defend against.

If that wasn't bad enough, the login data of paired usernames and passwords also appear to have not been encrypted and just sat there on the database in plain text format. At least the LinkedIn breached passwords were hashed, if not salted, whereas Yahoo! apparently couldn't even be bothered with basic encryption of any kind.

It's not even that Yahoo! can blame the Associated Content site that it acquired for $100 million and turned into the Yahoo! Contributor Network for the lax security measures. That acquisition was two years ago now, plenty of time for Yahoo! to have sewn it up tight. The statement from Yahoo! that "we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products" really doesn't seem to quite gel with this particular episode I'm sorry to say.

Yahoo! itself claims that no more than 5% of the published logins are current, but even if those claims are correct that would still leave 22,500 folk at risk. And anyway, this breach goes beyond just being a case of 'your breach was bigger than mine' as any breach of any size is a security lapse too far. Plus, of course, as I've hinted at already the breach also puts other system logins at risk. A quick analysis of the hacked file would seem to suggest more than 100,000 Gmail accounts are included, and more than 50,000 Hotmail accounts.

The usual advice applies: if you have ever used the Yahoo! Contributor Network service, or the Associated Content site before it, change your password. If you have ever logged in with your Gmail or Hotmail accounts, then change those as well. And do it now.

Rob Rachwald, Director of Security Strategy at Imperva, says "Sadly, this breach highlights how enterprises continue to neglect basic security practices. One would think the recent LinkedIn breach would have encouraged change, but no. Rather, this episode will only inspire hackers worldwide".

You can check if your email address appears on the list of hacked accounts using this tool.


As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.
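The two failings the post describes, a login lookup built by string concatenation and passwords stored in the clear, side by side with their hardened forms. This is an added illustration, not code from the article or from Yahoo!; the table layout, user names and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory user table for the example; not any real site's schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated PBKDF2-HMAC-SHA256: a leaked table no longer hands over passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)  # per-user random salt, so equal passwords get different hashes
    # Parameterised INSERT: user input is bound as data, never spliced into the SQL text.
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, hash_password(password, salt)))

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The anti-pattern: concatenation lets a quote in the input change the query's structure.
    # Even an innocent name such as o'brien breaks the statement, which is one detection signal.
    return conn.execute("SELECT username FROM users WHERE username = '" + username + "'").fetchall()

def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # The driver handles quoting; the input is only ever compared as a value.
    return conn.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchall()

def vulnerable_lookup_raises(conn: sqlite3.Connection, username: str) -> bool:
    # True when the concatenated query fails to parse, as it does for any quote-bearing input.
    try:
        lookup_vulnerable(conn, username)
        return False
    except Exception:
        return True

def stored_hash(conn: sqlite3.Connection, username: str) -> bytes:
    return conn.execute("SELECT pw_hash FROM users WHERE username = ?", (username,)).fetchone()[0]

def verify(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(stored, hash_password(password, salt))
```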


It's really no surprise considering that Yahoo Messenger is as bugged and easy to hack. And they wonder why they are going down...


A security breach is one of the most sought-after questions in our online world. This is a shame for Google.


So basically, with all the leaked private information, logins, passwords, etc., do we still need the cloud? Maybe a law should be created to compensate the users (victims) in case of a data breach. A simple sorry is not enough for me, as it is starting to be a major problem and companies are not learning from the mistakes of other companies until it is too late for them. But they are doing the opposite: hiding the leak, saying it is unimportant or throwing the problem onto other 3rd-party companies.
