Forgot your password?
typodupeerror
Bug Security Yahoo! IT

Yahoo! Closes Security Hole That Led To Breach 43

Posted by samzenpus
from the stopping-the-leak dept.
An anonymous reader writes "Yahoo! has patched the security hole that allowed hackers to access some 450,000 email addresses and passwords associated with Yahoo! Contributor Network and ultimately publish them last week. In the meantime, the group responsible for the hack of the official forum site of technology company NVIDIA has also dumped some user 800 records taken during the breach."
This discussion has been archived. No new comments can be posted.

Yahoo! Closes Security Hole That Led To Breach

Comments Filter:
  • Anyone however believes in 100% security will always be a victim of a hack. Always store personal information knowing that somebody can get to it.
    • by hcs_$reboot (1536101) on Monday July 16, 2012 @11:57AM (#40663511)

      Anyone however believes in 100% security will always be a victim of a hack

      Pretty off topic in my opinion. Companies are not equal when it comes to security, far from it. Two major distinctions: the way the company was hacked (e.g. SQL injection), and how fast the company fixes the security concern(s). Sony for instance was a good (i.e. bad) example in both categories.

      • by Khyber (864651)

        "Pretty off topic in my opinion"

        No it's not off-topic. Man can make it, man can break it. That simple.

    • Anyone however believes in 100% security will always be a victim of a hack. Always store personal information knowing that somebody can get to it.

      Inexcusable!

      Any bank that would get robbed that has little to no security should be grilled the same way. Nothing is ever secure so its ok there was no alarm in the safe etc. This reminded me why I no longer use Yahoo anymore and why the company is dying. I used to somewhat feel sorry for them as Google was overated with a marketing swing but it shows poor leadership and management.

      An example is YahooChat which I used to use over a decade ago. Then porn spammers came in and bombed you every 3 minutes with c

    • A better way of putting it:

      Always store personal information knowing that if I or anyone else can recover it either alone by helping each other, someone unfriendly can get to it.

      There are ways of destroying my ability to access data that are 100% effective in making sure nobody else can get to it either, ever. They may, however, involve killing anyone who ever had access to the data and destroying their brains.

    • by Mashiki (184564)

      Anyone however believes in 100% security will always be a victim of a hack. Always store personal information knowing that somebody can get to it.

      Filthy lies.

      I dare you to get the information from this machine. It's locked in a steel cage, unplugged from the internet. Unpowered, been encased in 3ft of concrete, and dumped in the Mariana's Trench [wikipedia.org]. And the person who dumped it there has been put on a deserted island, buried up to his neck, and left to the animals.

      I'm pretty sure we've got the security though obscurity covered here. Though, those pesky animals might have some weird form of osmosis, and might know the location now...

  • by Nkwe (604125) on Monday July 16, 2012 @11:55AM (#40663477)
    So now that it's patched Yahoo users should change their passwords again. Presumably if your account was on "the list" and you changed your password after the first disclosure, your credentials could have been compromised again - prior to the security hole being closed.

    While this may sound obvious, I bet many folks don't realize the distinction between a disclosure announcement and correction of the problem. Many people probably assume that when a massive password disclosure is made, that the problem has already been fixed. In this case apparently not.
    • by arth1 (260657) on Monday July 16, 2012 @12:00PM (#40663541) Homepage Journal

      So now that it's patched Yahoo users should change their passwords again. Presumably if your account was on "the list" and you changed your password after the first disclosure, your credentials could have been compromised again - prior to the security hole being closed.

      While this may sound obvious, I bet many folks don't realize the distinction between a disclosure announcement and correction of the problem. Many people probably assume that when a massive password disclosure is made, that the problem has already been fixed. In this case apparently not.

      What seems obvious, but which some people obviously don't realise, is that the vulnerable services were taken offline until they were fixed.

      • by PNutts (199112)

        Which confuses me because Yahoo Mail was offline for me during this time. There was a maintenance notice and when my mail was available, my contacts weren't (for awhile). Does this mean it was more than what was disclosed?

        • by arth1 (260657)

          Which confuses me because Yahoo Mail was offline for me during this time. There was a maintenance notice and when my mail was available, my contacts weren't (for awhile). Does this mean it was more than what was disclosed?

          My guess is that they closed more than what was strictly necessary, while they verified just what had been affected. Which is good practice.

    • by Sir_Sri (199544)

      In this case the yahoo's official stance was that these were all username/pwd pairs from 2010 when yahoo acquired/merged/whatever with the service in question. So the users in question could even have changed their passwords in the intervening 2 years and still been relatively safe. That could be complete bullshit or completely wrong, I have no idea. I would think yahoo by 2010 would have known enough about security to not have a plaintext password, but you never know.

      But yes, the problem with 'change yo

  • The security flaw was the storage of the passwords rather than passwords hash.

    Did they fix that?

    • "The security flaw was the storage of the passwords rather than passwords hash."

      It was a security flaw. Ideally the passwords would be stored hashed (and salted) and their software would not have made them vulnerable to an SQL injection. I mean seriously, an SQL injection?! The software should be using a database abstraction layer or an ORM that takes care of normalizing SQL automatically. These days there's really no excuse for that one. ... but then, storing passwords as plain text too ... I had WAY highe

  • by slashmydots (2189826) on Monday July 16, 2012 @12:35PM (#40663823)
    I happened to have joined Associated Content just barely prior to may 2010 so I got one of Yahoo's e-mails on my road runner e-mail account, which is what I used to sign up for AC. It seemed to advise me to change my e-mail password ASAP. AC doesn't know my e-mail address password so I'm not sure I quite understand that one. I'll paste the entire thing below. Does anyone know what they actually stole?! Am I supposed to change my AC account password?

    You may have read in press reports that Yahoo! recently confirmed an older file containing approximately 450,000 email addresses and passwords—provided by writers who had joined Associated Content prior to May 2010—was publicly posted on the Internet. This file was a standalone file that was not used to grant access to Yahoo! systems and services. This message is being sent to an email address in this compromised file.

    We are taking important steps to address this issue and have now fixed the vulnerability that led to the disclosure of the data and enhanced our underlying security controls. As a non-Yahoo! account holder, we apologize that we cannot provide you a direct means to secure your account. We strongly recommend that you employ the security mechanisms recommended by your email service provider to secure your account.

    Additionally, given the high frequency of consumers using the same login information on services across the Internet, we strongly advise users to:

    Change their passwords for any account they hold every few months,
    Use a different password for each service or website, and
    Create passwords using a mixture of characters, symbols, and numbers.


    We also suggest that you proactively monitor the activity on any account you have created online. Specifically, be on the lookout for spam originating from your email, and check your sign-in activity from time to time. If you see anything suspicious—like your account was accessed in Romania when you were home in Chicago—you should change your password immediately.

    We take security very seriously at Yahoo! and invest heavily in protective measures to ensure the security of our users and their data across all our products. In addition, we will continue to take significant measures to protect our users and their data.

    We sincerely apologize for this matter. Yahoo! Inc.

  • The headline is on par with "Bear observed defecating in forest."

    If Yahoo had left the hole wide open, THAT would have been news.

    • by toonces33 (841696)

      "Bear observed defecating in forest."

      Dammit - that was my password. Now I have to change it again.

I've got a bad feeling about this.

Working...