Yahoo Security Breach Highlights Poor Practices
By: Terri Wells
    Earlier this week, Yahoo confirmed that attackers had broken into an old file from its Yahoo! Contributor Network and obtained some 450,000 usernames and passwords. The details of the situation show that what happened is both less, and more, alarming than it appears at first glance.

    First, the good news: this really was an old file. Yahoo noted that, of the usernames and passwords the attackers got, fewer than five percent of the Yahoo accounts still had valid passwords. It specifies “Yahoo” accounts because some users logged into their Yahoo! Contributor Network account (since renamed Yahoo Voices) with Facebook or Google credentials instead. The platform lets users share video, audio, and slide shows; users whose content draws enough traffic can actually get paid for it.

    There's more good news: Yahoo is doing the responsible thing. It confirmed the breach as soon as it heard about it and made a statement. “We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users, and notifying the companies whose users' accounts may have been compromised,” said Yahoo spokesman Jon White. “We apologize to all affected users.”

    The bad news concerns how it happened, and why the attackers had a much easier time of it than they should have had. A group calling itself the D33Ds Company used a “union-based SQL injection” attack on the site and leaked the passwords. In a union-based injection, the attacker closes off the application's own query and appends a UNION SELECT that pulls rows from a table of their choosing, here the stored credentials, back through a page that was only ever meant to return content. In their leak note, they said that they “hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat.”

    Why did they think Yahoo needed a wake-up call? Because Yahoo's lapse in security on this file was so basic that the first person to spot the leak thought it was faked. After Yahoo purchased Associated Content in 2010 and folded it into the Yahoo! Contributor Network (which later became Yahoo Voices), it stored the passwords for its users in plain text, neither hashed nor encrypted. A single injectable query was therefore enough to hand the attackers every working password outright, with no cracking step in between.

    Rob Rachwald, director of security at Imperva, wrote a blog post that covers all the details. “Sadly, this breach highlights how enterprises continue to neglect basic security practices. According to the hackers, the breach was enabled by a union-based SQL injection vulnerability in the application, which is a well-known attack. To add insult to injury, the passwords were stored in clear text and not hashed (encoded). One would think the recent LinkedIn breach would have encouraged change, but no.”
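    To make the two failures concrete, here is an added example (not code from the article, from Yahoo, or from Imperva) in Python using the standard-library sqlite3 module. It builds a toy schema with constructed sample accounts, runs a union-based payload against a search query that concatenates user input and against the same query written with a bound parameter, and compares what leaks when the users table holds clear-text passwords versus salted PBKDF2-HMAC-SHA256 hashes. The choice of PBKDF2, the iteration count, the table and column names, and the payload are all assumptions for the demonstration; the page does not describe the Yahoo Voices schema or the injected query.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the demo; none of this is Yahoo data.
SAMPLE_USERS = [
    ("alice", "correct horse battery staple"),
    ("bob", "hunter2"),
]

# Kept modest so the demo runs in a second or two; production deployments
# should follow current guidance, which is far higher for PBKDF2-SHA256.
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Salted, iterated hash in a self-describing 'algo$iters$salt$digest' string."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def make_db(hashed):
    """In-memory schema (hypothetical names): a public 'articles' table and a 'users' table.

    hashed=False stores clear-text passwords, as in the breach the article
    describes; hashed=True stores PBKDF2 hashes instead.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO articles (title, body) VALUES ('Welcome', 'First post')")
    rows = [(u, hash_password(p) if hashed else p) for u, p in SAMPLE_USERS]
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", rows)
    return conn


def search_articles_vulnerable(conn, term):
    """Deliberately vulnerable: the search term is spliced into the SQL text."""
    sql = "SELECT title, body FROM articles WHERE title = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_articles_fixed(conn, term):
    """Hardened: the term is bound as a parameter and is never parsed as SQL."""
    return conn.execute(
        "SELECT title, body FROM articles WHERE title = ?", (term,)
    ).fetchall()


# A classic union-based payload: close the string literal, UNION in a SELECT of
# the same width from another table, and comment out the query's trailing quote.
UNION_PAYLOAD = "x' UNION SELECT username, password FROM users -- "


def demo(hashed):
    """Run the payload against both query styles and report what leaks."""
    conn = make_db(hashed)
    leaked = sorted(search_articles_vulnerable(conn, UNION_PAYLOAD))
    blocked = search_articles_fixed(conn, UNION_PAYLOAD)
    # Hashes still verify the real password, so a dump of hashes is not harmless;
    # it just forces the attacker into a cracking run per account.
    hashes_verify = None
    if hashed:
        hashes_verify = all(
            verify_password(p, row[1]) for (_, p), row in zip(SAMPLE_USERS, leaked)
        )
    return {"leaked": leaked, "blocked": blocked, "hashes_verify": hashes_verify}


if __name__ == "__main__":
    for hashed in (False, True):
        print("hashed" if hashed else "clear-text", demo(hashed))
```

    The concatenated query returns every username and password in a single page load; the parameterized query returns nothing, because the whole payload is compared as a literal title string and never reaches the SQL parser. Hashing does not stop the dump, but it turns a ready-to-use credential list into a per-account cracking job, which is exactly the difference Rachwald is pointing at.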

    To be fair, Yahoo is a large, sprawling company, and in the usual disorganization that follows an acquisition, it is easy to see how something like this could have been overlooked. Who tracks all of the third-party applications that come on board as part of a new purchase? This latest breach shows what happens when nobody does: an inherited application keeps its inherited flaws, in this case an injectable query and clear-text credentials, long after the logo on the page has changed. That kind of predictable chaos makes it all the more important to follow security best practices at every turn, starting with an inventory of acquired systems and a check of how each one stores credentials.

    Have the recent news stories of security breaches at large enterprises made you more vigilant at your own company? Share your best practices in the comments.
