Yahoo!'s No Encryption Trumps LinkedIn's Unsalted Hash

Thursday, July 12, 2012



Reports have surfaced that nearly half a million Yahoo! Voices accounts have been compromised by a hacker group called "D33Ds Company", and the usernames and passwords have been posted in plain text.

Just a month after the business-oriented social network LinkedIn experienced a significant security breach and caught endless flack for not "salting their hash", the revelation that the Yahoo! credentials were not even stored in an encrypted format is inexcusable.

"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage," the attackers noted along with the data dump.

Thus far, the LinkedIn exposure of 6.4 million encrypted passwords is of several magnitudes greater than the Yahoo! breach, the fact that they were in a simple encrypted form allowed most users to avoid compromise of their accounts because the credentials needed to be cracked prior to unauthorized access.

Users who had their Yahoo! Voices exposed are not so fortunate.

"The most alarming part to the entire story was the fact that the passwords were stored completely unencrypted and the full 400,000+ usernames and passwords are now public." reports TrustedSec.

Also of concern is the fact that the attackers apparently exploited a common vulnerability to breach the platform and harvest the data.

"The method for the compromise was apparently a SQL Injection attack to extract the sensitive information from the database," TrustedSec reported.

SQL Injections are an effective attack levied against poorly coded user interface applications that fail to screen inputted text to prevent database execution commands from being entered.

Yahoo! is reportedly investigating the breach, and users are advised to update their login credentials immediately.

"Since all the accounts are in plain-text, anyone with an account present in the leak which also has the same password on other sites (e-mail, Facebook, Twitter, etc), should assume that someone has accessed their account," advise ESET's Anders Nilsson.

Nilsson's analysis of the data dump revealed that, as can be expected these days, a significant number of the passwords were alarmingly simple, with more than sixteen-hundred using "123456" and over seven-hundred using "password".

The use of simple to guess passwords is purely the fault of the users who may suffer a compromise stemming from their own lack of awareness, but the storing of authentication credentials in plain text format by a company the size of Yahoo! should have everyone concerned about how seriously companies are taking the security of their users.

Possibly Related Articles:
SQl Injection Encryption Passwords Yahoo Headlines hackers breach Data Dump Hashing
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.