Despite the state Yahoo! is in, I find it very hard to believe that a company like Yahoo! would store its passwords in plain text. In addition, doesn't Yahoo Voice use the Yahoo single sign-on? That would mean that there is a very good chance that the central authentication server, and not Yahoo Voice, is authenticating the user and the password doesn't even touch Yahoo Voice. Of course, there is a possibility that Yahoo uses a simple API-based authentication for its own apps and the architect took the easy way out and just stored the plain-text password.
If it wasn't in such a credible news source I would have found the entire thing very hard to believe.
Ex-Yahoo here. Anything on the yahoo.com domain uses the single sign on service. Yahoo doesn't distribute login cookies for the yahoo.com domain any other way.
That being said, the passwords are NOT stored in plain text. And individual properties don't get direct access to the user database. It's done through libraries and protocols with extremely restrictive ACLs. And one of the options isn't: "give me this user's password in plaintext".
Even if a Yahoo! property wanted to store user passwords, they couldn't. Every Yahoo! user logs in from login.yahoo.com.
Having a good understanding of how Yahoo!'s security is set up, I don't see how any of this is possible.
EDIT: It's starting to look (to me) as if those users got phished.
Yes, you'd be surprised how sophisticated these folks are. Yahoo! has so many layers of security in place in their infrastructure that to have any large scale attack I'd imagine you have to have some sort of insider info.
Ex-Yahoo as well... there's a lot of stuff Yahoo did poorly on the executive/management side, but a lot of engineering processes and decisions were very well handled. All the security decisions went through the Paranoids, and they did a great job, so there is no way Yahoo would have let plaintext passwords exist in their infrastructure.
Sadly a lot of prominent websites choose to store passwords in plain text or with a reversible encryption. It's not until a hacker dumps their DB or someone exposes it that we come to know about it. For me, I was really surprised to find even Discover Bank storing their customers' passwords in plain text. I did a write-up about it: http://www.techflock.com/discover-card-storing-passwords-in-...
There is a review process by a disinterested internal party that's given licence to shoot anything down that isn't secure enough by their standards, so I agree with the parent poster that this is unlikely (but not impossible, if someone was doing something really stupid).
I agree that a lot of websites store passwords in plain text. Mostly it's because these companies are not technical. They have IT departments but are companies like a bank (as in the case of Discover), hardware manufacturers or govt. agencies. I just hold a tech company like Yahoo to a much higher standard.
In addition, a little bird told me that these passwords are not being accepted by the yahoo servers. The whole thing doesn't pass the smell test.
I used to work on the login system for Yahoo! and find this to be not 100% true. Passwords were never stored in plaintext; even the log files went through a library that would mask any passwords or sensitive information if it was sent over HTTPS in plaintext.
I would still trust Yahoo! to not leak my password à la LinkedIn.
I'm ex-Y! as well, but do you have any basis for "I find this to be not 100% true"?
Is there any possibility of someone caching the details for convenience's sake on login, and said service not going through the Paranoid review process? I haven't done this personally, but I have had to work with some absolutely dreadful internal APIs that I needed to cache information from out-of-band to make them usable.
(In all fairness, though, I find it hard to believe this report. I guess we'll find out the truth pretty soon.)
I suppose a rogue developer can show their own login dialog box, but that is such a hack and should be pointed out by their boss, local paranoid (guess they are all gone?), or QA. They would have to capture the user's credentials and post them to the login handler themselves. Even the user might realize that it is not the login page and assume it is a phishing site.
The secret code for the encryption of the cookies is only installed on the login servers, and without that package installed, there would be no way to generate a valid signed cookie.
In short, there is no 100% guarantee a rogue developer could not do any damage, but it would be pretty hard to go unnoticed.
I wrote a very cheesy Python script that runs through the file and counts the passwords and the number of times they appear. Note that these may not even be correct.
Nope. Most of the originals have fled; the few who remain have been renamed something lame. (I forget the exact name but I'm sure it contains some or all of the Standard Yahoo Corporate Buzzwords, which are: Global, Platform, Initiative, Strategy, and Partnership.)
They renamed the paranoids? That's the most depressing yahoo news I've heard in a while. Makes it seem like they're trying to squeeze out any last hints of engineering culture :/
They did, and their influence will still be there. If this really did come from a Yahoo service it was likely some sort of co-branded partner. All core Yahoo apps authenticate against a central service with no hint of any sort of plain text credentials stored anywhere.
So I dealt with something that seemed very similar while I was at Yahoo as a Local Paranoid (security person for a product).
There was an enormously successful phishing attack that had rendered a crapton (more than 450k) users in a compromised state. Their passwords were basically stolen.
The solution was a several month long effort by multiple engineers to get the proper owner to change/reset their password. Remember, their accounts are basically hijacked at this point and they don't even know. It was one of the most involved and complex issues I've ever worked on.
Having gone through that I gained a lot of respect for Yahoo! and how they treat/handle these types of situations. Nowadays everything looks different so I don't know who's doing what.
But the more I read and think about this my guess is that all those users were phished.
I still see that Yahoo is hiring paranoids. There seems to be a team of paranoids at Yahoo still. Even if the login process of this particular subdomain was not monitored by paranoids, I doubt that Yahoo uses separate login systems for each domain, and if there is a central code/library that handles logins, I seriously doubt that passwords are handled in plain text and SQL is not sanitized.
Looks like this is from a property of a recent acquisition (associated content, acquired in 2010). Most likely a dump of old tables before authentication was migrated to login.yahoo.com. Should've dropped these tables after the migration.
I personally have no sympathy for these "users", as they're professional content spammers :)
The TrustedSec blog post that ArsTechnica links to gave the link for the password dump, so if you want to check for a compromised account:
https://d33ds.co/archive/yahoo-disclosure.txt (WARNING: That file is ~17 MB.)
I think this may be from Yahoo indirectly, due to an acquisition. A number[1] of these passwords contain phrases like 'associatedcontent'[2], now Yahoo Voices after being purchased by Yahoo in 2010.
[1] 115 match associated.*content, 104 match yahoo, 25 gmail, 0 ycombinator. I think I saw a 4550c1473dc0n73n7 in there too. Then again, 135 match google. (all case-insensitive matches)
This would support the idea that they were phished rather than straight from the database. The phishing site may have just dumped all the submitted form values to a file, regardless of whether a password was entered or not.
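The counting pass described in the comments above (the "cheesy Python script" that tallies how often each password appears, and the case-insensitive matches for associated.*content, yahoo, gmail, google and ycombinator), as an added example. This is not any commenter's script and nothing here comes from the leaked file: it assumes the dump is one email:password record per line, which is an assumption about the format, and the sample records are constructed. It goes slightly beyond the thread in two ways: an optional leetspeak normalization so a string like 4550c1473dc0n73n7 counts as an associatedcontent match, and a count of records whose password field is empty, which a dump of a real login table should not contain but a phishing form that logged every submission would.

```python
import re
from collections import Counter

# Constructed sample in the ASSUMED "email:password" one-record-per-line
# layout. These are invented records, not lines from the real dump.
SAMPLE_DUMP = """\
alice@example.com:password123
bob@yahoo.com:associatedcontent
carol@gmail.com:Password123
dave@example.org:password123
erin@googlemail.com:4550c1473dc0n73n7
frank@yahoo.com:
# a comment line the parser should skip
malformed line without a separator
grace@example.net:AssociatedContent2010
"""

# Patterns from the thread, applied case-insensitively to the whole record.
PATTERNS = {
    "associated.*content": re.compile(r"associated.*content", re.I),
    "yahoo": re.compile(r"yahoo", re.I),
    "gmail": re.compile(r"gmail", re.I),
    "google": re.compile(r"google", re.I),
    "ycombinator": re.compile(r"ycombinator", re.I),
}

# Leetspeak digits folded back to letters before matching (assumed mapping).
LEET = str.maketrans({"4": "a", "5": "s", "0": "o", "1": "i", "3": "e", "7": "t"})


def parse_records(text):
    """Yield (email, password) tuples. Blank, comment and separator-less
    lines are skipped; the split is on the first ':' only, so a password
    that itself contains ':' is kept intact."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        email, password = line.split(":", 1)
        yield email.strip(), password


def password_counts(text):
    """Exact (case-sensitive) password frequencies, most common first."""
    return Counter(pw for _, pw in parse_records(text)).most_common()


def pattern_counts(text, patterns=PATTERNS, leet=False):
    """Number of records in which each regex matches anywhere in
    'email:password'. With leet=True the record is de-leeted first."""
    counts = {name: 0 for name in patterns}
    for email, pw in parse_records(text):
        record = f"{email}:{pw}"
        if leet:
            record = record.translate(LEET)
        for name, rx in patterns.items():
            if rx.search(record):
                counts[name] += 1
    return counts


def empty_password_count(text):
    """Records with an empty password field. A login-table dump should have
    none; a phishing page that writes every submitted form to a file would."""
    return sum(1 for _, pw in parse_records(text) if pw == "")


if __name__ == "__main__":
    for pw, n in password_counts(SAMPLE_DUMP)[:5]:
        print(f"{n:4d}  {pw}")
    print("plain:", pattern_counts(SAMPLE_DUMP))
    print("leet: ", pattern_counts(SAMPLE_DUMP, leet=True))
    print("empty passwords:", empty_password_count(SAMPLE_DUMP))
```

To run it against a real file, replace SAMPLE_DUMP with the file's contents; if the file uses a different separator or column order, adjust parse_records first, since every count above depends on that split being right.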
I found my account (different name) there, but with the wrong password. I think I remember using the one they had a long while back, but couldn't remember from where. Might be that these passwords are scraped from various other sites, or were held onto for some time.
I got an email from Yahoo yesterday saying I had sent a request to reset my password via secret question verification. The email was from yahoo, but maybe this is how they got the passwords. My account was still there at the time though.