Last Updated : GMT 06:49:16

Another bad day for passwords at Yahoo


London - Arabstoday

Yahoo confirmed today that a bunch of passwords — more than 450,000 of them, to be exact — have been stolen. The breach of Yahoo’s servers was supposedly the work of a group of hackers that called itself the D33D Company, saying in a post that the action was meant to wake up Yahoo’s computer security team and not for malicious purposes.

As data breaches go, the number of accounts compromised wasn’t that large. Earlier this summer, LinkedIn suffered a breach that compromised the passwords of some six million of its customers. In LinkedIn’s case, the passwords were stored in a marginally scrambled state — not strongly encrypted as they should have been, but in a mixed-up state, using an old, easy-to-break hashing technique known as MD5.

In the case of Yahoo, the passwords are said to have been stored in raw plaintext, which anyone with even the slightest bit of training in IT security knows is a no-no. If that is indeed how these passwords were stored, then Yahoo has some explaining to do.

The attack itself seems to have been carried out using a favorite old hacker technique known as an SQL injection. Basically, a Web application sitting on top of a database is tricked into serving up information because it hasn’t been told not to answer queries for it. In this case, according to Kyle Adams, chief security architect for Mykonos Software, a unit of Juniper Networks, the attack was a variant of SQL injection known as a Union Based attack, in which the database hands over hundreds of passwords in a single go. Since it only takes a small number of requests to yield a lot of information, they’re hard to detect.

Yahoo is in damage-control mode. It said in a statement that it “takes security very seriously,” and pointed out that fewer than 5 percent of the Yahoo accounts involved had valid passwords. If that’s the case, then there’s a good chance that many of the passwords its database handed over are expired. Also, there’s no mention of the email addresses and passwords being stored in plaintext, but I doubt there will be. Here’s Yahoo’s full statement:

“At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 450,000 Yahoo! and other company users names and passwords was compromised yesterday, July 11. Of these, less than 5% of the Yahoo! accounts had valid passwords. We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised. We apologize to all affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com.”

As you can imagine, security research companies are running fast and furiously to analyze the attack and the data that’s been published so far. I got one interesting file from the people at Rapid7, with whom I talk from time to time.

Large numbers are usually an abstraction. If someone says a half-million accounts have been compromised, you can imagine the scale, but it’s harder to get your head around how many people’s accounts may actually be involved. Rapid7’s researchers put together a file with the number of domains seen in email addresses of the compromised accounts: There are 35,000 of them. Below is a list of the top 100 or so which had at least 100 addresses appear in the list. The number to the left is the number of accounts from the given domain.

For context: If what Yahoo says is true and only 5 percent of the Yahoo accounts on this list were paired with still-current passwords, then that works out to 6,878 Yahoo accounts compromised. If that rate remains consistent across the entire list, then we’re talking a total of about 23,000 accounts.

Rapid7 also shared with me the most common passwords seen in the file taken in the breach. The most common among them? 123456. Yes. Really. The list of passwords, including the number of each found in the list, is after the list of domains.
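
An added example, not part of the original article and not Yahoo's code: the two weaknesses described above (a query built from user input that a UNION can extend, and plaintext password storage) shown beside their fixes on a constructed in-memory SQLite database. The table names, sample rows, function names and PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib, hmac, os, sqlite3

def hash_password(password, salt=None):
    # Salted PBKDF2-HMAC-SHA256 instead of plaintext or a bare fast hash.
    # The iteration count is an assumption; tune it for your hardware.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)  # constant-time comparison

def make_db(store):
    # Constructed sample data: a public table next to a credentials table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (author TEXT, title TEXT)")
    db.execute("CREATE TABLE users (email TEXT, password TEXT)")
    db.executemany("INSERT INTO articles VALUES (?, ?)",
                   [("alice", "Gardening tips"), ("bob", "Bike repair")])
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice@example.com", store("123456")),
                    ("bob@example.com", store("hunter2"))])
    return db

def titles_vulnerable(db, author):
    # Input is pasted into the SQL text, so it can rewrite the query itself.
    sql = "SELECT author, title FROM articles WHERE author = '" + author + "'"
    return db.execute(sql).fetchall()

def titles_parameterized(db, author):
    # Input is bound as a value; the statement's structure cannot change.
    sql = "SELECT author, title FROM articles WHERE author = ?"
    return db.execute(sql, (author,)).fetchall()

# Constructed input of the UNION kind the article describes.
UNION_INPUT = "x' UNION SELECT email, password FROM users --"

if __name__ == "__main__":
    plain_db = make_db(lambda p: p)       # plaintext storage, as alleged
    hashed_db = make_db(hash_password)    # salted, slow-hash storage
    print(titles_vulnerable(plain_db, UNION_INPUT))     # whole users table in one response
    print(titles_vulnerable(hashed_db, UNION_INPUT))    # only salted hashes are exposed
    print(titles_parameterized(plain_db, UNION_INPUT))  # no rows: input treated as data
```

The parameterized query closes the injection path; hashed storage limits the damage if some other query is still injectable.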


Maintained and developed by Arabs Today Group SAL.
All rights reserved to Arab Today Media Group 2021 ©
