Forgot your password?
typodupeerror
Bug Security Yahoo! IT

Yahoo! Closes Security Hole That Led To Breach 43

Posted by samzenpus
from the stopping-the-leak dept.
An anonymous reader writes "Yahoo! has patched the security hole that allowed hackers to access some 450,000 email addresses and passwords associated with Yahoo! Contributor Network and ultimately publish them last week. In the meantime, the group responsible for the hack of the official forum site of technology company NVIDIA has also dumped some user 800 records taken during the breach."
This discussion has been archived. No new comments can be posted.

Yahoo! Closes Security Hole That Led To Breach

Comments Filter:
  • by ManOnline (2685497) on Monday July 16, 2012 @11:48AM (#40663405) Homepage
    Anyone however believes in 100% security will always be a victim of a hack. Always store personal information knowing that somebody can get to it.
    • by hcs_$reboot (1536101) on Monday July 16, 2012 @11:57AM (#40663511)

      Anyone however believes in 100% security will always be a victim of a hack

      Pretty off topic in my opinion. Companies are not equal when it comes to security, far from it. Two major distinctions: the way the company was hacked (e.g. SQL injection), and how fast the company fixes the security concern(s). Sony for instance was a good (i.e. bad) example in both categories.

    • by Billly Gates (198444) on Monday July 16, 2012 @12:41PM (#40663891) Journal

      Anyone however believes in 100% security will always be a victim of a hack. Always store personal information knowing that somebody can get to it.

      Inexcusable!

      Any bank that would get robbed that has little to no security should be grilled the same way. Nothing is ever secure so its ok there was no alarm in the safe etc. This reminded me why I no longer use Yahoo anymore and why the company is dying. I used to somewhat feel sorry for them as Google was overated with a marketing swing but it shows poor leadership and management.

      An example is YahooChat which I used to use over a decade ago. Then porn spammers came in and bombed you every 3 minutes with check out my titties and this scared every human away to the point where only porn spam bots were in there. There are teen and kid chat rooms where this happened too! People should be in jail for this as this is now pedophilia. Did Yahoo even care? No. for the hell of it 3 years ago I came back to Yahoo chat and the problem was still not fixed and even worse where I would be spammed every 30 seconds. No human is left anymore.

      Now comes YahooIM which I still use, but not with a Yahoo client. I get these strange names each time I log in from Digsby by of course my Yahoo account requesting to be my friend. Same porn spammers. I just do not add anyone unless I they have emailed me and let me know ahead of time because every few hours a spammer will come on. Did Yahoo fix it? No.

      Evern wonder why Skype is so popular as an IM? Now you know why.

      Yahoo lost to Google and Bing. DId Yahoo fix it? No.

      If you use Firefox and have YahooMail opened in one tab and browse porn in the other tab your yahoo email will randomly start sending out spam to people. Hairyfeet noticed that too. Did Yahoo fix it? no. ... I wont waste any more slashdotters time other to say stop giving them excuses for their incompetent management and employees. They are incompetent and any company worth as much as Yahoo should have a dedicated security team. There are more issues I wont discuss but only old people whose default homepage has not been changed still use it. The company is dying right now deservingly so and it will probably be gone in a couple years. Nobody seems to care or take their product seriously. It is no surprise they only got off their ass when it hit the news. Yahoo is terrible

    • by davidwr (791652) on Monday July 16, 2012 @01:11PM (#40664219) Homepage Journal

      A better way of putting it:

      Always store personal information knowing that if I or anyone else can recover it either alone by helping each other, someone unfriendly can get to it.

      There are ways of destroying my ability to access data that are 100% effective in making sure nobody else can get to it either, ever. They may, however, involve killing anyone who ever had access to the data and destroying their brains.

    • Anyone however believes in 100% security will always be a victim of a hack. Always store personal information knowing that somebody can get to it.

      Filthy lies.

      I dare you to get the information from this machine. It's locked in a steel cage, unplugged from the internet. Unpowered, been encased in 3ft of concrete, and dumped in the Mariana's Trench [wikipedia.org]. And the person who dumped it there has been put on a deserted island, buried up to his neck, and left to the animals.

      I'm pretty sure we've got the security though obscurity covered here. Though, those pesky animals might have some weird form of osmosis, and might know the location now...

  • by Anonymous Coward on Monday July 16, 2012 @11:49AM (#40663411)

    it's gonna suck when google gets breached and all our kinky fetishes will be on the internet forever!

  • by Anonymous Coward on Monday July 16, 2012 @11:53AM (#40663459)
    I like the way people still pretend Yahoo is at all relevant...
  • by Nkwe (604125) on Monday July 16, 2012 @11:55AM (#40663477)
    So now that it's patched Yahoo users should change their passwords again. Presumably if your account was on "the list" and you changed your password after the first disclosure, your credentials could have been compromised again - prior to the security hole being closed.

    While this may sound obvious, I bet many folks don't realize the distinction between a disclosure announcement and correction of the problem. Many people probably assume that when a massive password disclosure is made, that the problem has already been fixed. In this case apparently not.
    • by arth1 (260657) on Monday July 16, 2012 @12:00PM (#40663541) Homepage Journal

      So now that it's patched Yahoo users should change their passwords again. Presumably if your account was on "the list" and you changed your password after the first disclosure, your credentials could have been compromised again - prior to the security hole being closed.

      While this may sound obvious, I bet many folks don't realize the distinction between a disclosure announcement and correction of the problem. Many people probably assume that when a massive password disclosure is made, that the problem has already been fixed. In this case apparently not.

      What seems obvious, but which some people obviously don't realise, is that the vulnerable services were taken offline until they were fixed.

    • by Anonymous Coward on Monday July 16, 2012 @12:16PM (#40663661)

      Just as importantly users should be changing their passwords on their other online services. And as they go through the process of remembering which services they reused this password on and changing them, please remember that this is why we asked you to use a unique password in the first place!

      Please don't come up with one new one for all of your services again!

      • by jones_supa (887896) on Monday July 16, 2012 @12:39PM (#40663871)
        There should be some de facto standard "how to choose a good password" guide, hosted by EFF or some other reputable organization. Then we would recommend web services to have a link to this guide during password creation process.
        • by Anonymous Coward on Monday July 16, 2012 @12:45PM (#40663947)

          battery staple horse correct

        • by arth1 (260657) on Monday July 16, 2012 @12:52PM (#40664027) Homepage Journal

          There should be some de facto standard "how to choose a good password" guide, hosted by EFF or some other reputable organization. Then we would recommend web services to have a link to this guide during password creation process.

          Like this, you mean? [us-cert.gov]

          The problem with authoritative guides for this is that if most people follow the guide without thinking, the job becomes easier for the crackers. They can then use partial rainbow tables that exclude everything that the guide tells people not to do, and include what they tell them to do. Passwords work best when they are as varied as possible.

          • by davidwr (791652) on Monday July 16, 2012 @01:21PM (#40664323) Homepage Journal

            Well, yes and no.

            It's still not a good idea to use very short passwords "just because the bad guys won't check for them because the security guide tells you not to use them."

            It's very quick for a bad guy to check all possible 4-character symbols that appear on a US keyboard, so there's not much point in him NOT checking them all, even in a world where the odds of someone using that password are the proverbial "1 in a million".

            Now, as that great philosopher Randall Munroe pointed out [xkcd.com], a complicated-looking password may in fact be weaker than a simple-looking password. Of course, the passwords Tr0ub4dor&3 and correct horse battery staple and their simple variations are now over-represented in real-world use and would make great "first guesses" by bad guys.

            Hmm, I think just to be safe my next password will be a combination of at least 2 words, at least 2 "mucked-up words," and spaces between words possibly replaced by other things or eliminated altogether. I better post it to my public Facebook page so I don't forget.

    • by Sir_Sri (199544) on Monday July 16, 2012 @01:54PM (#40664729)

      In this case the yahoo's official stance was that these were all username/pwd pairs from 2010 when yahoo acquired/merged/whatever with the service in question. So the users in question could even have changed their passwords in the intervening 2 years and still been relatively safe. That could be complete bullshit or completely wrong, I have no idea. I would think yahoo by 2010 would have known enough about security to not have a plaintext password, but you never know.

      But yes, the problem with 'change your password' advice is that you need to know the problem has been fixed before thinking a new password actually accomplishes anything other than handing hackers another password.

  • by Anonymous Coward on Monday July 16, 2012 @11:55AM (#40663479)

    What these Yahoo posts have failed to mention is that 450,000, is all of Yahoo's user base. Come on guys, start giving us accurate info!

  • by Anonymous Coward on Monday July 16, 2012 @12:01PM (#40663553)

    Thank you for being a dog
    Walkin' down the road and back again
    Your heart is true your a pal and a wag-er-naut

  • The security flaw was the storage of the passwords rather than passwords hash.

    Did they fix that?

    • "The security flaw was the storage of the passwords rather than passwords hash."

      It was a security flaw. Ideally the passwords would be stored hashed (and salted) and their software would not have made them vulnerable to an SQL injection. I mean seriously, an SQL injection?! The software should be using a database abstraction layer or an ORM that takes care of normalizing SQL automatically. These days there's really no excuse for that one. ... but then, storing passwords as plain text too ... I had WAY higher expectations of Yahoo for some reason. Silly me.

  • by Anonymous Coward on Monday July 16, 2012 @12:20PM (#40663685)

    yep.. it's true.

  • by Anonymous Coward on Monday July 16, 2012 @12:30PM (#40663767)

    How could they not use SSL by default for their Android email client? They should be publicly flogged for that.

  • by slashmydots (2189826) on Monday July 16, 2012 @12:35PM (#40663823)
    I happened to have joined Associated Content just barely prior to may 2010 so I got one of Yahoo's e-mails on my road runner e-mail account, which is what I used to sign up for AC. It seemed to advise me to change my e-mail password ASAP. AC doesn't know my e-mail address password so I'm not sure I quite understand that one. I'll paste the entire thing below. Does anyone know what they actually stole?! Am I supposed to change my AC account password?

    You may have read in press reports that Yahoo! recently confirmed an older file containing approximately 450,000 email addresses and passwords—provided by writers who had joined Associated Content prior to May 2010—was publicly posted on the Internet. This file was a standalone file that was not used to grant access to Yahoo! systems and services. This message is being sent to an email address in this compromised file.

    We are taking important steps to address this issue and have now fixed the vulnerability that led to the disclosure of the data and enhanced our underlying security controls. As a non-Yahoo! account holder, we apologize that we cannot provide you a direct means to secure your account. We strongly recommend that you employ the security mechanisms recommended by your email service provider to secure your account.

    Additionally, given the high frequency of consumers using the same login information on services across the Internet, we strongly advise users to:

    Change their passwords for any account they hold every few months,
    Use a different password for each service or website, and
    Create passwords using a mixture of characters, symbols, and numbers.


    We also suggest that you proactively monitor the activity on any account you have created online. Specifically, be on the lookout for spam originating from your email, and check your sign-in activity from time to time. If you see anything suspicious—like your account was accessed in Romania when you were home in Chicago—you should change your password immediately.

    We take security very seriously at Yahoo! and invest heavily in protective measures to ensure the security of our users and their data across all our products. In addition, we will continue to take significant measures to protect our users and their data.

    We sincerely apologize for this matter. Yahoo! Inc.

    • by Anonymous Coward on Tuesday July 17, 2012 @01:33AM (#40669789)

      I got the same. The main jist is, you signed up on AC using this email address and whatever password. Chances are you used the same combination on other sites. I sure did. I had to go to 20+ and change either the email or the password. I haven't reused passwords for years, but back then I was less careful, and someone could have easily tried my combination on some large sites and gotten access.

  • by Anonymous Coward on Monday July 16, 2012 @01:04PM (#40664131)

    I'm getting lots of spam from friends with mostly Yahoo accounts that obviously have access to the sender's address books. In the case of at least one Yahoo user I know it's not from a POP3 user but rather a web-mail user.

    Has there been a breach of Yahoo accounts and passwords that hasn't been made public about?

    Or is this just a case of a coincidence in which a few people who happen to know me getting compromised at their end or through an evil or compromised web site that asks for Yahoo credentials to log in?

  • by Sqr(twg) (2126054) on Monday July 16, 2012 @02:16PM (#40665001)

    The headline is on par with "Bear observed defecating in forest."

    If Yahoo had left the hole wide open, THAT would have been news.

Behind every great computer sits a skinny little geek.

Working...