Yahoo hit with password theft
Well, I guess we know at least one of the topics being talked about at today’s Yahoo shareholders meeting. Hackers have claimed to have made off with some 450,000 Yahoo accounts and posted the logins and passwords online.
The dump was posted on a public website by a hacking collective known as D33Ds Company, which said it penetrated the Yahoo subdomain using what’s known as a union-based SQL injection. The technique preys on poorly secured web applications that don’t properly scrutinize text entered into search boxes and other user input fields. By injecting database commands into those fields, attackers can trick back-end servers into dumping huge amounts of sensitive information.
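How that class of bug arises, and the standard fix, shown as an added example that is not from the original article and not Yahoo's code: a search function that pastes user text into its SQL string next to one that binds it as a parameter. The table names, rows and the search input are all constructed for illustration.

```python
import sqlite3

def make_db():
    """Build a constructed in-memory database: one public table, one private."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (title TEXT, body TEXT);
        CREATE TABLE accounts (login TEXT, password TEXT);
        INSERT INTO articles VALUES ('Earnings', 'Quarterly results'),
                                    ('Weather', 'Sunny all week');
        INSERT INTO accounts VALUES ('alice@example.com', 'constructed-secret-1'),
                                    ('bob@example.com', 'constructed-secret-2');
    """)
    return db

def search_vulnerable(db, term):
    # The user's text becomes part of the SQL string, so the database
    # parses whatever the user typed as SQL syntax.
    sql = "SELECT title, body FROM articles WHERE title LIKE '%" + term + "%'"
    return db.execute(sql).fetchall()

def search_parameterized(db, term):
    # The ? placeholder binds the text as a value; it is never parsed as SQL.
    sql = "SELECT title, body FROM articles WHERE title LIKE '%' || ? || '%'"
    return db.execute(sql, (term,)).fetchall()

# Constructed search-box input: closes the quote, then appends a second SELECT
# whose rows are merged into the search results by UNION.
UNION_INPUT = "zzz' UNION SELECT login, password FROM accounts --"

if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", search_vulnerable),
                     ("parameterized", search_parameterized)):
        print(name, "normal search:", fn(db, "Weather"))
        print(name, "UNION input:  ", fn(db, UNION_INPUT))
```

With the concatenated query, the search results contain every row of the private table; with the bound parameter, the same input is just a title that matches nothing.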
The hackers claim they mean no harm (other than stealing and posting private information, I guess) and are trying to issue a wake-up call to Yahoo to improve its bad security.
CNET looked at the leaked passwords and confirmed that, yes, there are plenty of idiots out there:
• 2,295: The number of times a sequential list of numbers was used, with “123456” by far being the most popular password. There were several other instances where the numbers were reversed, or a few letters were added in a token effort to mix things up.
• 160: The number of times “111111” was used as a password, which is only marginally better than a sequential list of numbers. The similarly creative “000000” was used 71 times.
• 780: The number of times “password” was used as the password. Apparently, absolutely no thought went into security in these instances.