Rixstep
	`About \| ACP \| Buy \| Industry Watch \| Learning Curve \| News \| Products \| Search \| Substack`

Home » Learning Curve » Red Hat Diaries

Yahoo! SQL Injections! Don't Expose Passwords!

Somebody needs to pay for this.

Get It

Try It

SUNNYVALE (Radsoft) — By what appears to been via their recent acquisition of Associated Content (now called Yahoo Voices) Yahoo suffered the exposure of login information including passwords in clear text for 453,491 account holders.

The exposed information, published online in a massive 17 MB file, makes great reading, but there are other far more important concerns.

Great Reading!

Some hopefully interesting (or at least amusing) things about the password file.

The file seems to have been collated on a Windows machine. Hackers using Windows - did anyone predict the day?
There have been reports reaching this site that the passwords in question are at least one year old, others that they're up to six years old (and most likely changed in the interim).
Passwords appear to have at one time been limited to 12 characters and a bit later to 15 characters.
Most passwords are lowercase only.
Associated Content had 252 administrative accounts, many of which shared the same password. 24 of them had the password 'partner' and another dozen used 'welcome'.
700 accounts used the password 'abc' or a variation thereof.
The password 'fuck' (or a variation thereof) was used 597 times.
114 accounts used the password '000000' or a variation thereof.
219 accounts used the password '111111' or a variation thereof.
2607 accounts used the password '123456' or a variation thereof.
The password 'blowjob' (or a variation thereof) was used three times.
780 accounts used the password 'password' exactly and another 492 used a variation thereof.
437 accounts both inside and outside Associated Content used exactly the password 'welcome'.
19 accounts used 'cunt', 19 used 'pussycat', 884 used 'mom', 33 used 'bigdaddy', 11 used 'britney', 46 used 'love', and 88 used 'justin'.
There were 106,186 Gmail accounts and 1,120 Googlemail accounts for a grand total of 107,306.
There were 6,301 MSN accounts, 8,492 Comcast accounts, 56,651 Hotmail accounts, and 143,278 Yahoo accounts.
The password 'manning' was used four times. The password 'assange' was not used at all.
Someone from the domain us.army.mil used the password 'abc123', and 10,657 accounts had no password at all.
Shockingly there were only 25,531 AOL accounts.

Lessons Learned?

It's likely few people will have a 'take home' from the breach, even though the ridiculous passwords and the silly minds behind them should give one pause (and lulz). And there are links below on beefing up network security in general. And the InterWebs are ripe today with good tips how to make good passwords.

But that's not the point. What most people don't realise is the passwords should never have been in 'cleartext' in the first place. Not that websites shouldn't keep cleartext copies of passwords - websites shouldn't even know what the passwords are.

Those who are a bit more adept assume that corporations in this day and age know how to behave online - how to responsibly administer the property of others who trust them. But this is evidently a dangerous assumption with companies as irresponsible as Associated Content and Yahoo.

Password systems dating back half a century used salted encryption for passwords. The original cleartext passwords are not recoverable. They're not stored anywhere. Not ever.

Password cracking programs can work with the file of encrypted passwords, but given today's level of encryption, it takes a long time to brute force anything that's not in a dictionary attack. Yet precisely because this danger exists, Unix won't store password data out in the open anymore. The asterisks show where the encrypted passwords used to reside in /etc/passwd.

root:*:0:0:System Administrator:/var/root:/bin/sh daemon:*:1:1:System Services:/var/root:/usr/bin/false

A typical login on any system anywhere today will take the submitted password, encrypt it in memory only with a salt according to a given algorithm, then compare with what's in storage. Cleartext passwords aren't compared - they're never known.

And so we have this lovely company known as 'Associated Content'. Nearly half a million people trusted them. Knowing how those password schemes work, it's likely a great number of those people used the same passwords at their own sites.

Whoever the amateurs at Associated Content are, they'll hopefully be required to answer some tough questions. And one can't rule out a class action taken against them, or even a complaint filed for criminal negligence.

But the Associated Content system - which should never have been allowed online - was acquired by Yahoo. And Yahoo's people should have given the site a proper going-over. In fact they would have had to, as it's property they were interested in buying.

The Yahoo people would have seen the inexcusable password system. The right thing to do would have been to refuse to put the site online in that condition. And instead do what the Formspring people did.

Urgent: Change Your Formspring Password

We learned this morning that we had a security breach where some user passwords may have been accessed. In response to this we have disabled all users' passwords. We apologise for the inconvenience but prefer to play it safe and have asked all members to reset their passwords.

This is a good time to create a strong password.

But Yahoo didn't do that. They didn't do the right thing. A lot of people may be compromised. This isn't something Yahoo and Associated Content can blame on somebody else.

SQL attacks happen all the time. But they don't expose passwords. Yahoo and Associated Content should be held accountable.