Thursday, July 12, 2012

Yahoo! Voices accounts hacked

Yahoo! Voices is Yahoo!’s online publishing and Contributor Network.

It seems that the Yahoo! service was vulnerable to a simple database attack that leaked 453,000 unencrypted account passwords online.
The hackers, an unknown crew called D33Ds, claimed they used a union-based SQL injection technique to break into the Yahoo subdomain. They called it a “wake-up call.”

I’m really surprised that Yahoo! Voices was storing unencrypted passwords in its database; unsalted one-way encrypted hashes would have been bad enough. I’m not sure this wake-up call is going to work, since an earlier call came only last month, when LinkedIn’s unsalted passwords were leaked too.
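To make the storage point concrete, the following added example (not code from Yahoo!, LinkedIn or the original post) compares an unsalted fast hash with a per-account salted, slow hash. The sample accounts are constructed, and the choice of SHA-1 for the weak scheme and PBKDF2-HMAC-SHA256 with 600,000 iterations for the strong one are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware


def unsalted_sha1(password: str) -> str:
    """The weak scheme: a bare, unsalted hash. Equal passwords give equal hashes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, slow hash. Returns 'pbkdf2_sha256$iterations$salt_hex$digest_hex'."""
    salt = secrets.token_bytes(16)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def largest_duplicate_group(stored_values) -> int:
    """Size of the biggest set of accounts that share one stored value."""
    return max(Counter(stored_values).values())


# Constructed sample accounts (not taken from the leak); three share a password.
SAMPLE = {"alice": "123456", "bob": "123456", "carol": "123456", "dave": "sunshine"}

if __name__ == "__main__":
    weak = [unsalted_sha1(p) for p in SAMPLE.values()]
    strong = [hash_password(p) for p in SAMPLE.values()]
    print("unsalted: largest group of identical hashes =", largest_duplicate_group(weak))
    print("salted:   largest group of identical hashes =", largest_duplicate_group(strong))
```

With the unsalted scheme, every account that chose the same password shares one stored value, so a single guess recovers all of them at once; with a per-account salt each record has to be attacked separately.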

A document containing the lifted SQL structures, software variables, usernames and cleartext passwords has been published on the hackers’ website.
The link is: http://d33ds.co.nyud.net/archive/yahoo-disclosure.txt

Statistics on the passwords are already available:

Total entries = 442773
Total unique entries = 342478

Top 10 passwords
123456 = 1666 (0.38%)
password = 780 (0.18%)
welcome = 436 (0.1%)
ninja = 333 (0.08%)
abc123 = 250 (0.06%)
123456789 = 222 (0.05%)
12345678 = 208 (0.05%)
sunshine = 205 (0.05%)
princess = 202 (0.05%)
qwerty = 172 (0.04%)

Top 10 base words
password = 1373 (0.31%)
welcome = 534 (0.12%)
qwerty = 464 (0.1%)
monkey = 430 (0.1%)
jesus = 429 (0.1%)
love = 421 (0.1%)
money = 407 (0.09%)
freedom = 385 (0.09%)
ninja = 380 (0.09%)
writer = 367 (0.08%)

Developers, please take security seriously.
Everybody, time to change our passwords.
