Hackers expose 453,000 credentials allegedly taken from Yahoo service - Cadsby
http://arstechnica.com/security/2012/07/yahoo-service-hacked/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+All+content%29

======
prayag
Despite the state Yahoo! is in I find it very hard to believe that a
company like Yahoo! would store its passwords in plain-text. In addition,
doesn't Yahoo Voice use the Yahoo single sign on? That would mean that there
is a very good chance that the central authentication server and not yahoo
voice is authenticating the user and the password doesn't even touch yahoo
voice. Of course, there is a possibility that Yahoo uses a simple API based
authentication for own apps and the architect took the easy way out and just
stored the plain-text password.

If it wasn't in such a credible news source I would have found the entire thing
very hard to believe.

~~~
jmathai
Ex-Yahoo here. Anything on the yahoo.com domain uses the single sign on
service. Yahoo doesn't distribute login cookies for the yahoo.com domain any
other way.

That being said, the passwords are NOT stored in plain text. And individual
properties don't get direct access to the user database. It's done through
libraries and protocols with extremely restrictive ACLs. And one of the
options isn't: "give me this user's password in plaintext".

Even if a Yahoo! property wanted to store user passwords, they couldn't. Every
Yahoo! user logs in from login.yahoo.com.

Having a good understanding of how Yahoo!'s security is set up, I don't see
how any of this is possible.

EDIT: It's starting to look (to me) as if those users got phished.

~~~
s_henry_paulson
Successfully phishing half a million people without anyone noticing?

~~~
jmathai
Yes, you'd be surprised how sophisticated these folks are. Yahoo! has so many
layers of security in place in their infrastructure that to have any large
scale attack I'd imagine you have to have some sort of insider info.

------
mathrawka
I used to work on the login system for Yahoo! and find this to be not 100%
true. Passwords were never stored in plaintext, even the log files went
through a library that would mask any passwords or sensitive information if it
was sent over HTTPS in plaintext.

I would still trust Yahoo! to not leak my password ala LinkedIn.

~~~
damncabbage
I'm ex-Y! as well, but do you have any basis for "I find this to be not 100% true"?

Is there any possibility of someone caching the details for
convenience's sake on login, and said service not going through the Paranoid
review process? I haven't done this personally, but I have had to work with
some absolutely dreadful internal APIs that I needed to cache information from
out-of-band to make them usable.

(In all fairness, though, I find it hard to believe this report. I guess
we'll find out the truth pretty soon.)

~~~
mathrawka
I suppose a rogue developer can show their own login dialog box, but that is
such a hack and should be pointed out by their boss, local paranoid (guess
they are all gone?), or QA. They would have to capture the user's credentials
and post it to the login handler themselves. Even the user might realize that
it is not the login page and assume it is a phishing site.

The secret code for the encryption of the cookies is only installed on the
login servers, and without that package installed, there would be no way to
generate a valid signed cookie.

In short, there is no 100% guarantee a rogue developer could not do any
damage, but it would be pretty hard to go unnoticed.

~~~
jmathai
Ex-Yahoo and former local paranoid. I agree with you. That's so unlikely that
I'd be willing to put money that it wasn't a rogue developer.

~~~
damncabbage
How does an Acquired Company fit in with all of this?

(An entire acquired company full of rogue developers? :-) )

------
Mithrandir
The server hosting it is a bit slow now, so here's the file compressed with
bzip2: <http://www.mediafire.com/download.php?769gk65ix183vbd>

~~~
nivla
Thanks for the mirror!

------
Mithrandir
I wrote a very cheesy Python script that runs through the file and counts the
passwords and the amount of times they appear. Note that these may not even be
correct.

This is what I got for the top 10:

    len(passlist): 342,514 # Amount of unique passwords.

    Password, Repetition

    '', 10,654 (Apparently, some passwords were blank.)
    '123456', 1667
    'password', 780
    'ninja', 333
    'abc123', 250
    '123456789', 222
    '12345678', 208
    'sunshine', 205
    'princess', 202

Edit: Source code at <https://gist.github.com/3096511>

~~~
__alexs
cut -d: -f2- | sort | uniq -c | sort -k2 -n

~~~
ralph
What's the input to that? Is it lines like

    133438:remia.eu@hotmail.com:combinate

~~~
__alexs
I hadn't seen the original data. Should probably be cut -d: -f3- then.

~~~
ralph
Isn't the sort a bit odd too? To sort by uniq's frequency it's more like

    sort -k1n,1 -k2

~~~
ralph
Unsure why the downvote since the original is wrong. To be clear,

    cut -d: -f3- | sort | uniq -c | sort -k2 -n

would be sorting the output of uniq(1) by the password, treating them all as
numeric. Depending on one's locale that gives results like

      1 00auditt
    100 babygirl
      1 00beetle

or

      1 100671105192
      1 100997162005jm
      2 102030405060
      1 102990091404
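
The counting that Mithrandir's script does and the corrected pipeline ralph describes, written out as an added example with constructed sample data (not code from any commenter): it keeps everything after the second colon so blank passwords and passwords containing ':' are still counted, and it sorts on uniq's count rather than on the password.

```shell
# Added example, not from the thread. Input lines look like "id:email:password".
# The sample dump below is constructed; the addresses and passwords are made up.
SAMPLE_DUMP='1:a@example.com:123456
2:b@example.com:password
3:c@example.com:
4:d@example.com:123456
5:e@example.com:00auditt
6:f@example.com:123456
7:g@example.com:
8:h@example.com:pa:ss'

# Reads dump lines on stdin and prints "count password", most frequent first.
# -f3- keeps everything after the second colon, so "pa:ss" survives intact.
# Empty passwords are relabelled "<blank>" so they show up as a countable row.
# sort -k1nr,1 orders by uniq's count (numeric, descending); -k2 breaks ties
# by password. The final sed strips the padding uniq -c puts before the count.
top_passwords() {
    cut -d: -f3- \
        | sed 's/^$/<blank>/' \
        | sort | uniq -c \
        | sort -k1nr,1 -k2 \
        | sed 's/^ *//'
}

# Top N rows of the constructed sample (default 3).
sample_top() {
    printf '%s\n' "$SAMPLE_DUMP" | top_passwords | head -n "${1:-3}"
}

sample_top 3
```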

------
asciident
Doesn't Yahoo have an entire team called "The Paranoids" to deal with
security? Were they not involved in setting up this service?

~~~
kentbrew
Nope. Most of the originals have fled; the few who remain have been renamed
something lame. (I forget the exact name but I'm sure it contains some or all
of the Standard Yahoo Corporate Buzzwords, which are: Global, Platform,
Initiative, Strategy, and Partnership.)

~~~
simonw
They renamed the paranoids? That's the most depressing yahoo news I've heard
in a while. Makes it seem like they're trying to squeeze out any last hints of
engineering culture :/

------
disclosure
Searchable list available for users at <http://dazzlepod.com/yahoo/>

------
jmathai
So I dealt with something that seemed very similar while I was at Yahoo as a
Local Paranoid (security person for a product).

There was an enormously successful phishing attack that had rendered a crapton
(more than 450k) users in a compromised state. Their passwords were basically
stolen.

The solution was a several month long effort by multiple engineers to get the
proper owner to change/reset their password. Remember, their accounts are
basically hijacked at this point and they don't even know. It was one of the
most involved and complex issues I've ever worked on.

Having gone through that I gained a lot of respect for Yahoo! and how they
treat/handle these types of situations. Nowadays everything looks different so
I don't know who's doing what.

But the more I read and think about this my guess is that all those users were
phished.

------
geekin
I still see that Yahoo is hiring paranoids. There seems to be a team of
paranoids at Yahoo still. Even if the login process of this particular
subdomain was not monitored by paranoids, I doubt if yahoo uses separate login
systems for each domain - and if there is a central code/library that handles
logins, I seriously doubt if passwords are handled in plain text and SQL is
not sanitized.

------
kintamanimatt
Perhaps the best password I've found in this list is \0/

In the original SQL dump it also seems that some accounts don't have a
password. I'm not sure how this is possible. For example:

    334860:cashcratereferer@live.com:

vs. a normal entry

    334868:ktomlinson7@yahoo.com:password

~~~
DangerousPie
This would support the idea that they were phished rather than straight from
the database. The phishing site may have just dumped all the submitted form
values to a file, regardless of whether a password was entered or not.

------
vicaya
Looks like this is from a property of a recent acquisition (associated
content, acquired in 2010). Most likely a dump of old tables before
authentication was migrated to login.yahoo.com. Should've dropped these tables
after the migration.

I personally have no sympathy for these "users", as they're professional
content spammers :)

------
therealarmen
I have an old Yahoo! Voice account and could not find my credentials in the
txt dump. Anyone with an account find theirs?

~~~
joering2
I ran it against my contact lists in both yahoo and gmail (accounts I have
over 6 years now) and could not match anyone.

Further, this list has Gmail and AOL and other providers on it... I don't get
how they got there. Any clues?

------
MindTwister
Most people here seem to agree that it is very unlikely that this comes from
Yahoo.

With the amount of compromised sites lately, isn't it more likely that the
credentials from other sites have simply been matched with yahoo services?

"Oh look at all these Linkedin passwords, I wonder which ones work on yahoo
as well"

~~~
AlliedEnvy
I think this may be from Yahoo indirectly, due to an acquisition. A number[1]
of these passwords contain phrases like 'associatedcontent'[2], now Yahoo
Voices after being purchased by Yahoo in 2010.

[1] 115 match associated.*content, 104 match yahoo, 25 gmail, 0 ycombinator. I
think I saw a 4550c1473dc0n73n7 in there too. Then again, 135 match google.
(all case-insensitive matches)

[2] <http://en.wikipedia.org/wiki/Associated_Content>

------
Wingman4l7
The TrustedSec blog post that ArsTechnica links to gave the link for the
password dump, so if you want to check for a compromised account:
<https://d33ds.co/archive/yahoo-disclosure.txt> (WARNING: That file is ~17
MB.)

~~~
nivla
It seems to be down. Anyone have a mirror of the file?

------
technolem
I found my account (different name) there, but with the wrong password. I
think I remember using the one they had a long while back, but couldn't
remember from where. Might be that these passwords are scraped from various
other sites, or were held onto for some time.

------
leke
I got an email from Yahoo yesterday saying I had sent a request to reset my
password via secret question verification. The email was from yahoo, but maybe
this is how they got the passwords. My account was still there at the time
though.

~~~
jmathai
Yes, it's entirely possible that these were phished.

------
bertrandom
I built this website to help you easily check if your credentials have been
compromised: <http://voices.thatsaspicymeatball.com/>

------
ralph
Is it mere coincidence that password `123456' is the most frequent with
exactly 1667 occurrences?

~~~
smcl
I don't get it, is there a connection between the numbers 123456 and 1667 I'm
missing?

~~~
drewjoh
Perhaps they were thinking of 1337?

------
exim
Please stop calling those persons Hackers... They are just parasites.