Earlier this week, Yahoo confirmed that hackers succeeded in breaking into an old file from their Yahoo! Contributor Network and compromised some 450,000 user names and passwords. The details of the situation show that what happened is both less – and more – alarming than it appears at first glance.
First, the good news: this really was an old file. Yahoo noted that, of the usernames and passwords the attackers got, fewer than five percent of the Yahoo accounts had valid passwords. They specify “Yahoo” accounts in this case because some users logged into their Yahoo! Contributor Network – now renamed Yahoo Voices – account using Facebook or Google accounts. The online platform lets users share video, audio, and slide shows; users who get a certain amount of traffic to their content can actually get paid for it.
There's more good news: Yahoo is doing the responsible thing. They confirmed the breach as soon as they heard about it, and made a statement. “We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users, and notifying the companies whose users' accounts may have been compromised,” said Yahoo spokesman Jon White. “We apologize to all affected users.”
The bad news concerns how it happened, and why the attackers had a much easier time of it than they should have had. A group calling themselves the DD3Ds Company used a “union-based SQL injection” attack on the site, and leaked the passwords. In their leak note, they said that they “hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat.”
Why did they think Yahoo needed a wake-up call? Because Yahoo's lapse in security on this file was so basic that the first person to spot the leak thought it was faked. After Yahoo had purchased Associated Content in 2010 and folded it into the Yahoo! Contributor Network (which later became Yahoo Voices), it stored the passwords for its users in plain text – WITHOUT ENCRYPTION.
Rob Rachwald, director of security at Imperva, wrote a blog post that covers all the details. “Sadly, this breach highlights how enterprises continue to neglect basic security practices. According to the hackers, the breach was enabled by union based SQL injection vulnerability in the application, which is a well-known attack. To add insult to injury, the passwords were stored in clear text and not hashed (encoded). One would think the recent LinkedIn breach would have encouraged change, but no.”
To be fair, Yahoo is a large, sprawling company, and in the usual disorganization that follows an acquisition, it's far too easy to see how something like this could have been overlooked. Who can track all of the third-party applications that come on board as part of a new purchase? This latest security breach highlights what can happen in such cases, however. This kind of predictable chaos increases the importance of following best practices for security at every turn.
Have the recent news stories of security breaches at large enterprises made you more vigilant at your own company? Share your best practices in the comments.