July 13, 2012
Leaked Yahoo Passwords Compromise Other Services
Michael Harper for redOrbit.com - Your Universe Online
When hackers broke into Yahoo's servers this week, it's likely they did more damage than they expected. Though the hacking collective known as D33Ds Company said they only committed the cyber-crime to act as a “wake-up call,” they also dumped the more than 453,000 accounts and passwords online. D33Ds may have had good intentions, but the rest of the internet might not be so kind. Additionally, as many use the same passwords for multiple services, many more accounts continue to be compromised.
Now, some accounts for AOL, Google and Microsoft might also be compromised as a result of the massive dump. According to a Reuters report, these 3 companies have required some users to reset their passwords before entering AOL, Gmail, Hotmail, MSN and Live.com.
Yahoo issued an apology yesterday, saying the leaked data came from an older file from the Yahoo Contributor network. Though Yahoo has yet to say if the issue is fixed, they have said they are working on it and that less than 5% of the emails leaked had valid passwords. Says the official statement:
“We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users' accounts may have been compromised. We apologize to affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com.”
What made this leak different from the eHarmony, Last.fm and LinkedIn leaks from several weeks ago was the kind of data leaked. The D33Ds collective was able to get plaintext versions of both the account name and password, a lethal combination against online privacy. As is often the case, many users were also using the same credentials across multiple sites. Therefore, as these Yahoo accounts were leaked, so too were accounts for AOL, Gmail, Hotmail and the others.
AOL, for example, said the leaked Yahoo passwords included valid passwords for nearly 1,700 AOL accounts. AT&T, Comcast and Verizon also said they had accounts which were compromised by the leak.
In keeping with an apparently evolving trend, several security specialists have created tools to help users determine if their credentials have been compromised. One of them, Sucuri, has also released some disturbing information about these leaked passwords. More specifically, the passwords used to protect these accounts have been found to be a little less than failsafe.
For instance, according to the Sucuri report, 1,666 people are still using the less-than-secure password “123456.” The password “password” is still quite popular, as 780 of these leaked Yahoo accounts depended on this shoddy protection. Other disappointing passwords include “ninja,” “123456789,” “11111,” “qwerty,” and “123123.”
AOL Senior Vice President David Temkin told Reuters that while these kinds of compromised accounts can be used to send out email spam, his company stopped the situation before it became too troublesome.
“In this case, I think we actually got ahead of it before the people who stole those accounts were able to use them,” Temkin said.