Yahoo Hacked...453,000 Passwords Leaked


Posted

Just google yahoo hacked for many stories on this

http://www.theregister.co.uk/2012/07/12/yahoo_voice_password_flap/

Here is the list of compromised accounts for all that want to download and see if their password has been exposed..

http://thepiratebay.se/torrent/7436152/yahoo-disclosure.txt

A Yahoo! service has apparently succumbed to a simple database attack that leaked 453,000 unencrypted account passwords online.

A huge document containing the lifted SQL structures, software variables, usernames and cleartext passwords was linked to from a web forum. In the file, the hackers described the break-in as "a wake-up call and not a threat".

Posted

Last Thursday (July 5th), 2am BKK time, I was on a conference call and noticed a pop up that my wife (in Thai on holidays) has signed up and signed out.

Asked her in the morning, she said "no way, had not touched any computer since leaving Japan".

Now, it explains it. Seems like someone is using some automatic tool to check if they can sign in with the stolen passwords. What do they do with that?

Billions and billions of email messages, who would sift through that to find something they can use?

Perhaps, using that email address to gather email addresses in the accounts box they can spam to?

No change in the account, I went into it. Nothing sent from there, nothing received.

Posted

Last Thursday (July 5th), 2am BKK time, I was on a conference call and noticed a pop up that my wife (in Thai on holidays) has signed up and signed out.

Asked her in the morning, she said "no way, had not touched any computer since leaving Japan".

Now, it explains it. Seems like someone is using some automatic tool to check if they can sign in with the stolen passwords. What do they do with that?

Billions and billions of email messages, who would sift through that to find something they can use?

Perhaps, using that email address to gather email addresses in the accounts box they can spam to?

No change in the account, I went into it. Nothing sent from there, nothing received.

They used a SQL injection to dump the database.. it just so happened to have all the passwords in plaintext. They are not just yahoo email addresses but specific to the yahoo voice service.

Posted

Last Thursday (July 5th), 2am BKK time, I was on a conference call and noticed a pop up that my wife (in Thai on holidays) has signed up and signed out.

Asked her in the morning, she said "no way, had not touched any computer since leaving Japan".

Now, it explains it. Seems like someone is using some automatic tool to check if they can sign in with the stolen passwords. What do they do with that?

Billions and billions of email messages, who would sift through that to find something they can use?

Perhaps, using that email address to gather email addresses in the accounts box they can spam to?

No change in the account, I went into it. Nothing sent from there, nothing received.

They used a SQL injection to dump the database.. it just so happened to have all the passwords in plaintext. They are not just yahoo email addresses but specific to the yahoo voice service.

Well, yet another blow for the troubled Yahoo (as a company). That could be the most they (the hackers) could cause out of that, could even be terminal for Yahoo.

Yahoo has a storage server for every 50 thousand users. Not sure how widespread this incident could be. Certainly, exposes the whole Yahoo security measures.

Posted

I really don't get hackers.

I can see there is some sort of God complex where they get a rush out of showing the big companies that they are smarter than their security. But why not leave a note and proof of the hacking? Why expose hundreds of thousands of innocent people to criminals. Because certainly only criminals would want the passwords.

They should catch feckers and drag em up the street by their nerdly nads.

Posted

I really don't get hackers.

I can see there is some sort of God complex where they get a rush out of showing the big companies that they are smarter than their security. But why not leave a note and proof of the hacking? Why expose hundreds of thousands of innocent people to criminals. Because certainly only criminals would want the passwords.

They should catch feckers and drag em up the street by their nerdly nads.

We can hope, BUT, they will have had a troubled upbringing and we will have to take care of them no doubt. :(

Posted

Thanks for the info. Although I rarely use Yahoo mail (I use Gmail), I went to my Yahoo account and changed my password.

Posted

I really don't get hackers.

I can see there is some sort of God complex where they get a rush out of showing the big companies that they are smarter than their security. But why not leave a note and proof of the hacking? Why expose hundreds of thousands of innocent people to criminals. Because certainly only criminals would want the passwords.

They should catch feckers and drag em up the street by their nerdly nads.

yeah they could write every user an email with the last 3 digits of the password and some funny text....

Posted

Thanks OP for the headsup. I checked and my password was OK (I don't use the voice thingy). I found it interesting the top 10 passwords that were hacked:

Here are the top 10 passwords from the Yahoo hack:

  1. 123456 = 1666 (0.38%)
  2. password = 780 (0.18%)
  3. welcome = 436 (0.1%)
  4. ninja = 333 (0.08%)
  5. abc123 = 250 (0.06%)
  6. 123456789 = 222 (0.05%)
  7. 12345678 = 208 (0.05%)
  8. sunshine = 205 (0.05%)
  9. princess = 202 (0.05%)
  10. qwerty = 172 (0.04%)

Here are the top 10 base words from the Yahoo hack:

  1. password = 1373 (0.31%)
  2. welcome = 534 (0.12%)
  3. qwerty = 464 (0.1%)
  4. monkey = 430 (0.1%)
  5. jesus = 429 (0.1%)
  6. love = 421 (0.1%)
  7. money = 407 (0.09%)
  8. freedom = 385 (0.09%)
  9. ninja = 380 (0.09%)
  10. writer = 367 (0.08%)

taken from here: http://www.zdnet.com/the-top-10-passwords-from-the-yahoo-hack-is-yours-one-of-them-7000000815/

Posted
http://labs.sucuri.net/?yahooleak

Here you can check if your account was hacked

Yeah that's what I want to do..submit my email address to some new database to see if it's been compromised. I'm sure they won't sell it to spammers. Better yet just download the entire list I posted in the op and search it yourself.

You all put down the hackers but they prey on your laziness and ignorance.

Posted

Yes that's why we put them down.

yes.. it's basic psychology to fear/dislike things we don't understand.

Fact of the matter is that when they expose these HUGE security flaws it's not to hurt the end-user but rather to get the big companies like M$ to get off their asses and fix the problems.

If the hackers wanted to do evil with the list of usernames/passwords then why did they post it publicly? Seems if evil was the intention then they would have kept the hack a big secret.

Posted

Yes that's why we put them down.

yes.. it's basic psychology to fear/dislike things we don't understand.

Fact of the matter is that when they expose these HUGE security flaws it's not to hurt the end-user but rather to get the big companies like M$ to get off their asses and fix the problems.

If the hackers wanted to do evil with the list of usernames/passwords then why did they post it publicly? Seems if evil was the intention then they would have kept the hack a big secret.

Hey I like you, but we disagree here. Why do they think they are responsible for finding security flaws in someone else's company? If they want to do something useful and non destructive, why don't they just show the companies that they can improve their security for a fee? At the very least they are creating disruption and driving up costs.

And I think posting people's passwords on the internet is evil.

Posted
http://labs.sucuri.net/?yahooleak

Here you can check if your account was hacked

Yeah that's what I want to do..submit my email address to some new database to see if it's been compromised. I'm sure they won't sell it to spammers. Better yet just download the entire list I posted in the op and search it yourself.

You all put down the hackers but they prey on your laziness and ignorance.

I just clicked on the link you posted and it's an "exe" file. No way will I download that.

Posted
http://labs.sucuri.net/?yahooleak

Here you can check if your account was hacked

Yeah that's what I want to do..submit my email address to some new database to see if it's been compromised. I'm sure they won't sell it to spammers. Better yet just download the entire list I posted in the op and search it yourself.

You all put down the hackers but they prey on your laziness and ignorance.

I just clicked on the link you posted and it's an "exe" file. No way will I download that.

You must be high.. I posted no link with an exe... post the link here for all to see if you claim different.

Posted
http://labs.sucuri.net/?yahooleak

Here you can check if your account was hacked

Yeah that's what I want to do..submit my email address to some new database to see if it's been compromised. I'm sure they won't sell it to spammers. Better yet just download the entire list I posted in the op and search it yourself.

You all put down the hackers but they prey on your laziness and ignorance.

I just clicked on the link you posted and it's an "exe" file. No way will I download that.

You must be high.. I posted no link with an exe... post the link here for all to see if you claim different.

No I am not high but I must admit I never use PirateBay. I clicked on the big green "download" sign and up popped an exe file.

After reading your comment to me I checked again and saw the "download torrent" in smaller letters.

thanks for your kind help :)

Posted

I really don't get hackers.

I can see there is some sort of God complex where they get a rush out of showing the big companies that they are smarter than their security. But why not leave a note and proof of the hacking? Why expose hundreds of thousands of innocent people to criminals. Because certainly only criminals would want the passwords.

They should catch feckers and drag em up the street by their nerdly nads.

God Complex: how come 1 guy can compromise the work of 100 of admins from Yahoo? Maybe if the companies take security issues and spend more on IT security budget. IT budget is usually under 7% of a company's turnover, then less than 10% is dedicated to security.

Proof of hacking: history shows that most who in good will got either arrested or never thanked.

If they were criminals they would have kept it private and extract all juicy private details such as medical records, banking details and more.

Yahoo, hotmail have been compromised several times in the past, and will be again for sure.

Posted

Yes that's why we put them down.

yes.. it's basic psychology to fear/dislike things we don't understand.

Fact of the matter is that when they expose these HUGE security flaws it's not to hurt the end-user but rather to get the big companies like M$ to get off their asses and fix the problems.

If the hackers wanted to do evil with the list of usernames/passwords then why did they post it publicly? Seems if evil was the intention then they would have kept the hack a big secret.

Hey I like you, but we disagree here. Why do they think they are responsible for finding security flaws in someone else's company? If they want to do something useful and non destructive, why don't they just show the companies that they can improve their security for a fee? At the very least they are creating disruption and driving up costs.

And I think posting people's passwords on the internet is evil.

yes but if they just sent a letter to yahoo and yahoo doesn't go public then you as an end user are stuck never knowing if your account was compromised. Or you trust yahoo to make you aware that they dropped the ball on protecting your info?
