Yahoo! Closes Security Hole That Led To Breach

An anonymous reader writes "Yahoo! has patched the security hole that allowed hackers to access some 450,000 email addresses and passwords associated with Yahoo! Contributor Network and ultimately publish them last week. In the meantime, the group responsible for the hack of the official forum site of technology company NVIDIA has also dumped some user 800 records taken during the breach."

Nothing is every secure

[ManOnline]

Anyone however believes in 100% security will always be a victim of a hack. Always store personal information knowing that somebody can get to it.

Re:Nothing is every secure

[hcs_$reboot]

Anyone however believes in 100% security will always be a victim of a hack

Pretty off topic in my opinion. Companies are not equal when it comes to security, far from it. Two major distinctions: the way the company was hacked (e.g. SQL injection), and how fast the company fixes the security concern(s). Sony for instance was a good (i.e. bad) example in both categories.

Re:

[Khyber]

"Pretty off topic in my opinion"

No it's not off-topic. Man can make it, man can break it. That simple.

Re:

[Billly Gates]

Anyone however believes in 100% security will always be a victim of a hack. Always store personal information knowing that somebody can get to it.

Inexcusable!

Any bank that would get robbed that has little to no security should be grilled the same way. Nothing is ever secure so its ok there was no alarm in the safe etc. This reminded me why I no longer use Yahoo anymore and why the company is dying. I used to somewhat feel sorry for them as Google was overated with a marketing swing but it shows poor leadership and management.

An example is YahooChat which I used to use over a decade ago. Then porn spammers came in and bombed you every 3 minutes with c

OR: If I can see it, hostiles can too

[davidwr]

A better way of putting it:

Always store personal information knowing that if I or anyone else can recover it either alone by helping each other, someone unfriendly can get to it.

There are ways of destroying my ability to access data that are 100% effective in making sure nobody else can get to it either, ever. They may, however, involve killing anyone who ever had access to the data and destroying their brains.

Re:

[Mashiki]

Anyone however believes in 100% security will always be a victim of a hack. Always store personal information knowing that somebody can get to it.

Filthy lies.

I dare you to get the information from this machine. It's locked in a steel cage, unplugged from the internet. Unpowered, been encased in 3ft of concrete, and dumped in the Mariana's Trench [wikipedia.org]. And the person who dumped it there has been put on a deserted island, buried up to his neck, and left to the animals.

I'm pretty sure we've got the security though obscurity covered here. Though, those pesky animals might have some weird form of osmosis, and might know the location now...

Re:

[able1234au]

...that and you just told all of slashdot where it is. See... someone always talks.

Re:

[bkcallahan]

It's why I just share them in the first place.

Re:

[Jeng]

How so?

The only reason they are in the news is because they were hacked, not because anyone thought they were relevant.

Re:

[Eponymous Hero]

i think that was the point AC was making.

Re:

[PNutts]

WHOOOSH!

Change password again

[Nkwe]

So now that it's patched Yahoo users should change their passwords again. Presumably if your account was on "the list" and you changed your password after the first disclosure, your credentials could have been compromised again - prior to the security hole being closed.

While this may sound obvious, I bet many folks don't realize the distinction between a disclosure announcement and correction of the problem. Many people probably assume that when a massive password disclosure is made, that the problem has already been fixed. In this case apparently not.

Re:Change password again

[arth1]

So now that it's patched Yahoo users should change their passwords again. Presumably if your account was on "the list" and you changed your password after the first disclosure, your credentials could have been compromised again - prior to the security hole being closed.

While this may sound obvious, I bet many folks don't realize the distinction between a disclosure announcement and correction of the problem. Many people probably assume that when a massive password disclosure is made, that the problem has already been fixed. In this case apparently not.

What seems obvious, but which some people obviously don't realise, is that the vulnerable services were taken offline until they were fixed.

Re:

[PNutts]

Which confuses me because Yahoo Mail was offline for me during this time. There was a maintenance notice and when my mail was available, my contacts weren't (for awhile). Does this mean it was more than what was disclosed?

Re:

[arth1]

Which confuses me because Yahoo Mail was offline for me during this time. There was a maintenance notice and when my mail was available, my contacts weren't (for awhile). Does this mean it was more than what was disclosed?

My guess is that they closed more than what was strictly necessary, while they verified just what had been affected. Which is good practice.

Re:

[jones_supa]

There should be some de facto standard "how to choose a good password" guide, hosted by EFF or some other reputable organization. Then we would recommend web services to have a link to this guide during password creation process.

Re:

[arth1]

There should be some de facto standard "how to choose a good password" guide, hosted by EFF or some other reputable organization. Then we would recommend web services to have a link to this guide during password creation process.

Like this, you mean? [us-cert.gov]

The problem with authoritative guides for this is that if most people follow the guide without thinking, the job becomes easier for the crackers. They can then use partial rainbow tables that exclude everything that the guide tells people not to do, and include what they tell them to do. Passwords work best when they are as varied as possible.

Re:

[davidwr]

Well, yes and no.

It's still not a good idea to use very short passwords "just because the bad guys won't check for them because the security guide tells you not to use them."

It's very quick for a bad guy to check all possible 4-character symbols that appear on a US keyboard, so there's not much point in him NOT checking them all, even in a world where the odds of someone using that password are the proverbial "1 in a million".

Now, as that great philosopher Randall Munroe pointed out [xkcd.com], a complicated-looking p

Re:

[Sir_Sri]

In this case the yahoo's official stance was that these were all username/pwd pairs from 2010 when yahoo acquired/merged/whatever with the service in question. So the users in question could even have changed their passwords in the intervening 2 years and still been relatively safe. That could be complete bullshit or completely wrong, I have no idea. I would think yahoo by 2010 would have known enough about security to not have a plaintext password, but you never know.

But yes, the problem with 'change yo

Re:

[uigrad_2000]

The hack was to Yahoo Voice, which hasn't been operated by Yahoo for 4 years now.

450,000 accounts on Yahoo Voice actually astonishes me. I've never met anyone who has ever used that service, including my friends that currently work at Yahoo.

Yahoo! itself is still relevant. People still use delicio.us, flickr, and Yahoo! groups a lot. Their sports pages are far less bloated than ESPN's, so I use them every day.

Re:

[poetmatt]

of the "450k" the question is how many aren't bots?

It's probably harder to find legitimate users than it is to find bots overall with all of yahoo's services. They never seem to care about the spam/abuse in general.

Re:

[davidwr]

450,000, with "n" of them people who signed up just to try it out.

The value of "n" is left as speculation for the reader.

storage of passwords was/is the security hole

[GodWasAnAlien]

The security flaw was the storage of the passwords rather than passwords hash.

Did they fix that?

Re:

[garett_spencley]

"The security flaw was the storage of the passwords rather than passwords hash."

It was a security flaw. Ideally the passwords would be stored hashed (and salted) and their software would not have made them vulnerable to an SQL injection. I mean seriously, an SQL injection?! The software should be using a database abstraction layer or an ORM that takes care of normalizing SQL automatically. These days there's really no excuse for that one. ... but then, storing passwords as plain text too ... I had WAY highe

Their e-mail made no sense

[slashmydots]

I happened to have joined Associated Content just barely prior to may 2010 so I got one of Yahoo's e-mails on my road runner e-mail account, which is what I used to sign up for AC. It seemed to advise me to change my e-mail password ASAP. AC doesn't know my e-mail address password so I'm not sure I quite understand that one. I'll paste the entire thing below. Does anyone know what they actually stole?! Am I supposed to change my AC account password?

You may have read in press reports that Yahoo! recently confirmed an older file containing approximately 450,000 email addresses and passwords—provided by writers who had joined Associated Content prior to May 2010—was publicly posted on the Internet. This file was a standalone file that was not used to grant access to Yahoo! systems and services. This message is being sent to an email address in this compromised file.

We are taking important steps to address this issue and have now fixed the vulnerability that led to the disclosure of the data and enhanced our underlying security controls. As a non-Yahoo! account holder, we apologize that we cannot provide you a direct means to secure your account. We strongly recommend that you employ the security mechanisms recommended by your email service provider to secure your account.

Additionally, given the high frequency of consumers using the same login information on services across the Internet, we strongly advise users to:

Change their passwords for any account they hold every few months,
Use a different password for each service or website, and
Create passwords using a mixture of characters, symbols, and numbers.


We also suggest that you proactively monitor the activity on any account you have created online. Specifically, be on the lookout for spam originating from your email, and check your sign-in activity from time to time. If you see anything suspicious—like your account was accessed in Romania when you were home in Chicago—you should change your password immediately.

We take security very seriously at Yahoo! and invest heavily in protective measures to ensure the security of our users and their data across all our products. In addition, we will continue to take significant measures to protect our users and their data.

We sincerely apologize for this matter. Yahoo! Inc.

Re:

[Sir_Sri]

ya, it looks like the yahoo android app has some problem with it.

http://www.zdnet.com/new-yahoo-app-vulnerability-explains-android-spam-7000000964/

At the same time, there has been an nvidia forum breach, so anyone who used a shared username/pwd pair on those services might be vulnerable.

Re:

[PNutts]

A buddy at work and I also had the same thing happen (received SPAM from a known account). For mine the originating server was in Russia and his was in the Far East somewheres. In both cases the account owner is not aware of a breach, their passwords still work, etc. I think Yahoo! has a problem they haven't disclosed.

This is news???

[Sqr(twg)]

The headline is on par with "Bear observed defecating in forest."

If Yahoo had left the hole wide open, THAT would have been news.

Re:

[toonces33]

"Bear observed defecating in forest."

Dammit - that was my password. Now I have to change it again.

Re:

[jamstar7]

Pics or it didn't happen

Dammit, that was my passphrase.

Now I gotta go through 79 different online services to change it... Thanks a lot, pal!