Arik Hesseldahl


Another Bad Day for Passwords, This Time at Yahoo

Shutterstock/Péter Gudella

Yahoo confirmed today that a bunch of passwords — more than 450,000 of them, to be exact — have been stolen.

The breach of Yahoo’s servers was supposedly the work of a group of hackers calling itself the D33D Company, which said in a post that the action was meant to wake up Yahoo’s computer security team and was not for malicious purposes.

As data breaches go, the number of accounts compromised wasn’t that large. Earlier this summer, LinkedIn suffered a breach that compromised the passwords of some six million of its customers.

In LinkedIn’s case, the passwords were stored in a marginally scrambled state — not strongly encrypted as they should have been, but in a mixed-up state, using an old, easy-to-break hashing technique known as MD5.

In the case of Yahoo, the passwords are said to have been stored in raw plaintext, which anyone with even the slightest bit of training in IT security knows is a no-no. If that is indeed how these passwords were stored, then Yahoo has some explaining to do.
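To make the difference between these storage choices concrete, here is an added example (not code from Yahoo, LinkedIn or Rapid7). It stores the same constructed accounts three ways: plaintext, unsalted MD5, and a salted, deliberately slow hash (scrypt, chosen here as one reasonable option), then counts how many stored records are identical.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts; the passwords come from the common-password list on this page.
ACCOUNTS = [("u1", "123456"), ("u2", "123456"), ("u3", "password"), ("u4", "123456")]

# scrypt cost parameters (assumed values for the example; tune for your hardware).
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def md5_record(password):
    # Fast, unsalted hash: the same password always yields the same stored value.
    return hashlib.md5(password.encode()).hexdigest()

def scrypt_record(password, salt=None):
    # A fresh random salt per account makes every stored record unique.
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return salt, digest

def verify(password, record):
    # Recompute with the stored salt and compare in constant time.
    salt, digest = record
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, digest)

def most_repeated(records):
    # How many stored records share the single most common value.
    return Counter(records).most_common(1)[0][1]

def compare_storage():
    plaintext = [pw for _, pw in ACCOUNTS]
    md5 = [md5_record(pw) for _, pw in ACCOUNTS]
    salted = [scrypt_record(pw) for _, pw in ACCOUNTS]
    return most_repeated(plaintext), most_repeated(md5), most_repeated(salted)

if __name__ == "__main__":
    print(compare_storage())
```

With plaintext or unsalted MD5, three of the four stored records are identical, so anyone holding the file can see which passwords are shared; with per-account salts no two records match, and login still works through `verify`.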

The attack itself seems to have been carried out using a favorite old hacker technique known as SQL injection. Basically, a Web application sitting on top of a database is tricked into serving up information it shouldn’t, because it passes what a visitor types straight into its database queries without checking it.

In this case, according to Kyle Adams, chief security architect for Mykonos Software, a unit of Juniper Networks, the attack was a variant of SQL injection known as a union-based attack, in which the database hands over hundreds of passwords in a single go. Since it only takes a small number of requests to yield a lot of information, such attacks are hard to detect.
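Here is what that looks like from the defender’s side, as an added example that is not code from Yahoo or Mykonos. The table names, sample rows and input string are all constructed; it uses Python’s built-in sqlite3 to show a query built by string concatenation next to the same query with a bound parameter.

```python
import sqlite3

def make_db():
    # Constructed sample data: a public table and a credentials table.
    # Passwords are plaintext only to mirror the storage the article describes.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (id INTEGER, title TEXT, author TEXT);
        CREATE TABLE users (email TEXT, password TEXT);
        INSERT INTO articles VALUES (1, 'Gardening tips', 'alice');
        INSERT INTO articles VALUES (2, 'Travel notes', 'bob');
        INSERT INTO users VALUES ('alice@example.com', 'sunshine');
        INSERT INTO users VALUES ('bob@example.com', '123456');
    """)
    return db

def search_vulnerable(db, author):
    # The input is pasted into the SQL text, so it can change the query's structure.
    sql = "SELECT title, author FROM articles WHERE author = '" + author + "'"
    return db.execute(sql).fetchall()

def search_parameterized(db, author):
    # Placeholder binding: the input travels as a value and is never parsed as SQL.
    sql = "SELECT title, author FROM articles WHERE author = ?"
    return db.execute(sql, (author,)).fetchall()

# Constructed input in the shape of a union-based injection against the toy schema.
UNION_INPUT = "x' UNION SELECT email, password FROM users --"

def compare():
    db = make_db()
    return {
        "vulnerable_normal": search_vulnerable(db, "alice"),
        "vulnerable_union": sorted(search_vulnerable(db, UNION_INPUT)),
        "parameterized_normal": search_parameterized(db, "alice"),
        "parameterized_union": search_parameterized(db, UNION_INPUT),
    }

if __name__ == "__main__":
    for name, rows in compare().items():
        print(name, rows)
```

The concatenated query returns every row of the credentials table in one response, which is why so few requests are needed; the parameterized query treats the same input as an author name that matches nothing.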

Yahoo is in damage-control mode. It said in a statement that it “takes security very seriously,” and pointed out that fewer than 5 percent of the Yahoo accounts involved had valid passwords. If that’s the case, then there’s a good chance that many of the passwords its database handed over are expired. Also, there’s no mention of the email addresses and passwords being stored in plaintext, but I doubt there will be. Here’s Yahoo’s full statement:

“At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 450,000 Yahoo! and other company users names and passwords was compromised yesterday, July 11. Of these, less than 5% of the Yahoo! accounts had valid passwords. We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised. We apologize to all affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com.”

As you can imagine, security research companies are running fast and furiously to analyze the attack and the data that’s been published so far. I got one interesting file from the people at Rapid7, with whom I talk from time to time. Large numbers are usually an abstraction. If someone says a half-million accounts have been compromised, you can imagine the scale, but it’s harder to get your head around how many people’s accounts may actually be involved.

Rapid7’s researchers put together a file with the number of domains seen in email addresses of the compromised accounts: There are 35,000 of them. Below is a list of the top 100 or so which had at least 100 addresses appear in the list. The number to the left is the number of accounts from the given domain. For context: If what Yahoo says is true and only 5 percent of the Yahoo accounts on this list were paired with still-current passwords, then that works out to 6,878 Yahoo accounts compromised. If that rate remains consistent across the entire list, then we’re talking a total of about 23,000 accounts.

Rapid7 also shared with me the most common passwords seen in the file taken in the breach. The most common among them? 123456. Yes. Really. The list of passwords, including the number of each found in the list, is after the list of domains.

137,559 yahoo.com
106,873 gmail.com
55,148 hotmail.com
25,521 aol.com
8,536 comcast.net
6,395 msn.com
5,193 sbcglobal.net
4,313 live.com
3,029 verizon.net
2,847 bellsouth.net
2,260 cox.net
2,133 yahoo.co.in
2,077 ymail.com
2,028 hotmail.co.uk
1,943 earthlink.net
1,828 yahoo.co.uk
1,611 aim.com
1,436 charter.net
1,372 att.net
1,146 mac.com
1,131 rediffmail.com
1,124 googlemail.com
1,053 rocketmail.com
928 juno.com
853 optonline.net
810 yahoo.ca
572 peoplepc.com
546 mail.com
536 excite.com
453 netzero.com
433 netzero.net
419 embarqmail.com
400 yahoo.co.id
367 live.co.uk
344 insightbb.com
342 shaw.ca
339 windstream.net
336 inbox.com
336 btinternet.com
322 tampabay.rr.com
321 lycos.com
316 mchsi.com
313 yahoo.com.au
307 netscape.net
302 roadrunner.com
299 gmx.com
298 myway.com
287 yahoo.fr
273 rogers.com
273 cfl.rr.com
268 me.com
255 yahoo.com.ph
252 associatedcontent.com
251 frontiernet.net
245 sympatico.ca
243 adelphia.net
236 centurytel.net
217 live.ca
206 email.com
202 163.com
201 suddenlink.net
200 cableone.net
180 hughes.net
177 abv.bg
176 mindspring.com
174 yahoo.com.sg
173 yahoo.in
169 bigpond.com
168 ntlworld.com
168 ac.com
161 us.army.mil
161 nc.rr.com
160 mail.ru
154 tmail.com
152 yahoo.com.my
152 in.com
149 usa.com
146 telus.net
144 yahoo.cn
140 tds.net
139 prodigy.net
134 q.com
130 netscape.com
128 optusnet.com.au
126 qq.com
126 126.com
125 cs.com
124 yahoo.com.cn
123 rock.com
122 wi.rr.com
119 alltel.net
114 fuse.net
114 carolina.rr.com
112 wowway.com
110 rochester.rr.com
110 pacbell.net
109 tx.rr.com
109 austin.rr.com
108 triad.rr.com
107 wmconnect.com
103 ptd.net
101 msu.edu
100 woh.rr.com
99 nyu.edu

123456 – 1667
password – 780
welcome – 437
ninja – 333
abc123 – 250
123456789 – 222
12345678 – 208
sunshine – 205
princess – 202
qwerty – 172
writer – 164
monkey – 162
freedom – 161
111111 – 160
michael – 160
iloveyou – 140
password1 – 139
shadow – 134
baseball – 133
tigger – 132
1a1a1a1b – 131
success – 126
blackhatworld – 121
jordan – 111
whatever – 110
michelle – 109
dragon – 107
superman – 106
purple – 106
1234567 – 106
ashley – 103
123123 – 101
associated – 101
babygirl – 100
ginger – 100
maggie – 99
0 – 98
computer – 98
trustno1 – 95
cookie – 93
football – 93
blessed – 92
jasmine – 92
samantha – 91
pepper – 90
charlie – 90
nicole – 88
justin – 88
654321 – 88
