
Nearly Half a Million Yahoo Passwords Leaked [Updated]

An anonymous reader writes "Some 450,000 email addresses and associated unencrypted passwords have been dumped online by the hacking collective 'D33Ds Company' following the compromise of a Yahoo subdomain. The attackers said that they managed to access the subdomain by leveraging a union-based SQL injection attack, which made the site return more information than it should have. According to Ars Technica, the dump also includes over 2,700 database table or column names and 298 MySQL variables retrieved during the attack." Update: 07/12 20:03 GMT by T: Reader techfun89 adds this update: "Yahoo has confirmed that the usernames and passwords of more than 400,000 accounts were stolen from their servers earlier this week and that data was briefly posted online. The information has since been removed, but it wasn't just credentials for Yahoo, but also Gmail, AOL, Comcast, Hotmail, MSN, SBC Global, BellSouth, Verizon and Live.com as well."
  • by Rei ( 128717 ) on Thursday July 12, 2012 @08:52AM (#40627017) Homepage

    when will people ever learn? And not just SQL injection attacks. I had to actually write a destructive exploit for a popen injection attack on an MMORPG before the rest of the dev team would believe me that it was a serious vulnerability (it had code so that if you said a URL, people could click on it... except they were just passing what the user wrote to popen, tacked onto the end of your browser-launch string). People just never seem to wrap their heads around the fact that you never use raw user input for anything that a parser will look at, at any point in time!

    Here's probably the funniest discussion thread on injection attacks [thedailywtf.com], ever.
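Rei's popen case, as an added example that is not the MMORPG's code: the string a shell-launched command would receive when chat text is tacked onto it, next to an argv-list launch that never goes through a shell and checks the URL scheme first. The launcher name, the sample chat line and the payload are assumptions; nothing is actually executed, since the launch function takes a runner argument.

```python
"""Shell (popen) injection from chat text, and the no-shell way to launch a URL.

Added example, not the MMORPG code from the comment. BROWSER, the sample chat
text and the payload are constructed for the demo. open_url() takes a runner
argument so the example can be exercised without launching anything.
"""
import subprocess
from urllib.parse import urlsplit

BROWSER = "xdg-open"   # assumed launcher; the game's browser string is not on the page


def launch_string_vulnerable(user_text):
    """The string popen() would hand to /bin/sh if chat text is tacked on.

    popen() parses this with the shell, so ';', '&&', '|' or '$(...)' inside
    the 'URL' start a second command with the game client's privileges.
    """
    return BROWSER + " " + user_text


def shell_commands(cmd):
    """Commands the shell would run for cmd, splitting on ';' only.

    Simplified tokenizer for the demo, enough to show the injected command;
    a real shell also honours &&, ||, | and $(...).
    """
    return [part.strip() for part in cmd.split(";") if part.strip()]


def is_openable(user_text):
    """Only plain http(s) URLs with a host may be opened from chat."""
    parts = urlsplit(user_text)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def launch_argv_safe(user_text):
    """argv for subprocess.run(..., shell=False): no shell, so no metacharacters.

    The whole chat text, metacharacters included, becomes exactly one argument
    to the launcher; the scheme check also keeps file:, javascript: and data:
    URLs away from the browser.
    """
    if not is_openable(user_text):
        raise ValueError("refusing to open %r" % (user_text,))
    return [BROWSER, user_text]


def open_url(user_text, runner=subprocess.run):
    """Launch the browser via an argv list. Pass a fake runner to test offline."""
    argv = launch_argv_safe(user_text)
    return runner(argv, check=False)
```

The argv form is the whole fix; the scheme check is defence in depth, because even a correctly quoted file: or javascript: URL is something a chat client should not hand to a browser.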

  • File (Score:5, Interesting)

    by Anonymous Coward on Thursday July 12, 2012 @08:52AM (#40627019)

    Does anyone have a link to the leak? You know, I want to check if my password was leaked.

  • by Rachael ( 244242 ) on Thursday July 12, 2012 @08:55AM (#40627049)

    Seems to be common practice that sites store plaintext passwords these days; one would think the programmers knew better. Is it an attempt to speed-optimize things, so they leave out hashing?
    Or is there a more sinister reason, someone twisting their arm?

  • by Simon Brooke ( 45012 ) <stillyet@googlemail.com> on Thursday July 12, 2012 @08:57AM (#40627067) Homepage Journal

    Here's probably the funniest discussion thread on injection attacks [thedailywtf.com], ever.

    That is indeed funny, in a most terrifying way!

  • by Kyrene ( 624175 ) * on Thursday July 12, 2012 @08:57AM (#40627069)
    Once worked in a place where the "architect" swore up and down that his "philosophy" was that if people were to hack into the database, they wouldn't then get the keys to the account, they'd go for other details like credit cards and what-not, so there was no reason for encryption. Very glad I'm not working there anymore because arguing with him was useless. Once his mind was made up, that was that.
  • That explains things (Score:5, Interesting)

    by halcyon1234 ( 834388 ) <halcyon1234@hotmail.com> on Thursday July 12, 2012 @09:00AM (#40627089) Journal
    That explains why, about a month ago, I got a whole rash of "omg funy click here" spam mails from friends with Yahoo email addresses (and only Yahoo email addresses). I wonder how recent this password dump is. I might have to recommend another round of reset-to-something-complex. My first recommendation was STOP USING YAHOO FFS!, but no one does that =(
  • Re:lastpass (Score:5, Interesting)

    by Runaway1956 ( 1322357 ) on Thursday July 12, 2012 @09:42AM (#40627447) Homepage Journal

    You're probably right. What's scary is - the government isn't a whole lot better at this stuff. I seem to recall a recent transatlantic telephone conference, involving multiple "intelligence" and/or "enforcement" agencies that was recorded by the very people being discussed.

    Yeah, I really want some alphabet soup dude from Washington looking out for my internet security.

  • Woosh (Score:1, Interesting)

    by michelcolman ( 1208008 ) on Thursday July 12, 2012 @10:59AM (#40628087)

    He was just making a joke about the phrase "Users shouldn't have week passwords".

    But you are right, of course. Frequent password changes are not good for security.

  • by Gordo_1 ( 256312 ) on Thursday July 12, 2012 @12:04PM (#40628785)

    For your viewing pleasure, here are the top 20 passwords by number of occurrences in the Yahoo hacked set. Enjoy!

    Password Count
    123456 1673
    password 804
    welcome 439
    ninja 333
    abc123 255
    123456789 226
    princess 216
    sunshine 213
    12345678 208
    qwerty 177
    michael 167
    writer 166
    monkey 165
    freedom 164
    password1 162
    111111 160
    iloveyou 142
    tigger 136
    baseball 136
    shadow 134
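Hashed storage, as an added example that is neither Yahoo's code nor any poster's, covering the plaintext-storage complaints earlier in the thread and the top-20 list just shown: PBKDF2-HMAC-SHA256 with a per-user salt and a self-describing record, constant-time verification, rehash-on-login when the work factor is raised, a deny list seeded from the list above, and a wordlist guess that shows why hashing alone does not rescue "123456". The record format, iteration count and user table are this example's assumptions.

```python
"""Hashed password storage, and why hashing alone does not rescue '123456'.

Added example, not Yahoo's code. PBKDF2-HMAC-SHA256 from the standard library
is used so it runs anywhere; the record format, the iteration count and the
tiny deny list are this example's choices. The user table is a dict
constructed for the demo.
"""
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed work factor; raise it until a verify costs ~100 ms on your hardware
# A few entries from the top-20 list above; a real deny list is the whole leaked set.
DENY_LIST = {"123456", "password", "welcome", "ninja", "abc123", "qwerty"}


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: algo$iterations$salt$digest (hex)."""
    salt = os.urandom(16) if salt is None else salt   # per-user salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "%s$%d$%s$%s" % (ALGO, iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute with the stored salt and parameters; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record, iterations=ITERATIONS):
    """True when the stored work factor is below current policy."""
    _, iters, _, _ = record.split("$")
    return int(iters) < iterations


def is_allowed(password):
    """Deny-list check; case-folded because 'Password' is the same guess."""
    return password.lower() not in DENY_LIST


def register(users, email, password, iterations=ITERATIONS):
    """Reject deny-listed passwords, then store only the hash."""
    if not is_allowed(password):
        raise ValueError("password is on the deny list")
    users[email] = hash_password(password, iterations)


def login(users, email, password, iterations=ITERATIONS):
    """Verify, and transparently upgrade old records on success."""
    record = users.get(email)
    if record is None or not verify_password(password, record):
        return False
    if needs_rehash(record, iterations):
        users[email] = hash_password(password, iterations)
    return True


def crack_with_wordlist(record, wordlist):
    """What an attacker does with a dumped hash: guess, in order of popularity.

    A slow KDF makes each guess cost as much as a login; it does nothing for
    a password that sits at the top of every wordlist.
    """
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None
```

The record carries its own algorithm and iteration count, so the work factor can be raised later and old rows migrate the next time their owner logs in; nothing in the table lets an attacker skip the KDF, but the last function is the reminder that the top of the table above falls in a handful of guesses regardless.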
