Codebreaker

Yahoo hit with password theft

John Moe Jul 12, 2012

Well, I guess we know at least one of the topics being talked about at today’s Yahoo shareholders meeting. Hackers have claimed to have made off with some 450,000 Yahoo accounts and posted the logins and passwords online.

From Ars Technica:

The dump, posted on a public website by a hacking collective known as D33Ds Company, said it penetrated the Yahoo subdomain using what’s known as a union-based SQL injection. The hacking technique preys on poorly secured web applications that don’t properly scrutinize text entered into search boxes and other user input fields. By injecting powerful database commands into them, attackers can trick back-end servers into dumping huge amounts of sensitive information.

The hackers claim they mean no harm (other than stealing and posting private information, I guess) and are trying to issue a wake-up call to Yahoo to improve its bad security.

CNET looked at the leaked passwords and confirmed that, yes, there are plenty of idiots out there:

• 2,295: The number of times a sequential list of numbers was used, with “123456” by far being the most popular password. There were several other instances where the numbers were reversed, or a few letters were added in a token effort to mix things up.
• 160: The number of times “111111” is used as a password, which is only marginally better than a sequential list of numbers. The similarly creative “000000” is used 71 times.
• 780: The number of times “password” was used as the password. Apparently, absolutely no thought went into security in these instances.
