Yahoo's password hack shows that it failed security 101

@CNNMoneyTech July 12, 2012: 2:16 PM ET

NEW YORK (CNNMoney) -- If it wasn't clear before, it certainly is now: Your username and password are almost impossible to keep safe.

Nearly 443,000 e-mail addresses and passwords for a Yahoo site were exposed late Wednesday. The impact stretched beyond Yahoo because the site allowed users to log in with credentials from other sites -- which meant that usernames and passwords for Yahoo (YHOO, Fortune 500), Google's (GOOG, Fortune 500) Gmail, Microsoft's (MSFT, Fortune 500) Hotmail, AOL (AOL) and many other e-mail hosts were among those posted publicly on a hacker forum.

What's shocking about the development isn't that usernames and passwords were stolen -- that happens virtually every day. The surprise is how easily outsiders cracked a service run by one of the biggest Web companies in the world.

The group of seven hackers, who belong to a hacker collective called D33Ds Company, got into Yahoo's Contributor Network database by using a rudimentary attack called a SQL injection.

SQL injections are one of the most basic tools in the hacker toolkit. By simply entering commands into the search field or URL of a poorly secured website, hackers can access databases located on the server that's hosting the site.

In this case, they were able to uncover the list of the Yahoo site's usernames and passwords.
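The following is an added illustration, not code from the article or from Yahoo, of the weakness the article describes: a search query built by splicing user input into the SQL text, beside the parameterized form that treats the input as a plain value. The table, rows and e-mail addresses are constructed for the example, and the attacker-controlled string is the textbook tautology, nothing more.

```python
import sqlite3

# Constructed sample data: a tiny "contributors" table standing in for a site's user store.
SAMPLE_ROWS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contributors (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO contributors VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_unsafe(conn, term):
    """Vulnerable form: the search term is pasted into the statement text.

    Quote characters inside `term` therefore change the statement's structure
    instead of being searched for. This is the shape of bug SQL injection abuses.
    """
    sql = "SELECT username, email FROM contributors WHERE username = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Hardened form: the driver binds `term` as a parameter.

    The value is compared as a string and can never become part of the SQL,
    whatever characters it contains.
    """
    sql = "SELECT username, email FROM contributors WHERE username = ?"
    return conn.execute(sql, (term,)).fetchall()


def demo():
    """Run both forms over a benign term and a term carrying SQL metacharacters."""
    conn = make_db()
    benign = "alice"
    hostile = "' OR '1'='1"  # closes the quoted literal, then appends an always-true clause
    return {
        "unsafe_benign": search_unsafe(conn, benign),
        "unsafe_hostile": search_unsafe(conn, hostile),  # every row comes back
        "safe_benign": search_safe(conn, benign),
        "safe_hostile": search_safe(conn, hostile),      # no such username: []
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The fix is the only real difference between the two functions: a bound parameter is sent to the database engine separately from the statement, so the engine never parses it as SQL. Input validation on the search field is a useful extra layer, but it is not a substitute for parameterization.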

That's something the hackers never should have been able to see. Usernames and passwords on huge websites are typically stored cryptographically and randomized, so that even if attackers were able to get their hands on the database, they wouldn't be able to decipher it.

In this case, Yahoo stored its Contributor Network usernames and passwords in plain text, which means the login credentials were immediately intelligible to anyone who broke in.

Security experts say they can tell that the credentials were stored without encryption because many were too long to crack using brute-force techniques.

"Yahoo failed fatally here," said Anders Nilsson, security expert and chief technology officer of Scandinavian security company Eurosecure. "It's not just one specific thing that Yahoo mishandled -- there are many different things that went wrong here. This never should have happened."

Nilsson said Yahoo screwed up on three fronts: The site should have been built more robustly, so it wouldn't have been susceptible to something as simple as a SQL attack. It should have secured users' log-in information, and it should have put the equivalent of trip-wires in place to set off alarm bells when such an easily noticeable break-in occurred.

"I mean, this is Yahoo we're talking about," Nilsson said. "With the security policies it has in place for its other sites, it should have known to at least put up a firewall to detect these kind of things."

Since many people reuse their passwords across multiple websites, Yahoo's security lapse means that all those users' logins are potentially at risk. Even robust passwords are at risk -- the longest password captured in the attack was 31 characters long, which is considered fairly ironclad. However, that password is now attached to an e-mail address and out in the wild for the world to see.

In a written statement, Yahoo said it takes security "very seriously" and is working to fix the vulnerability in its site. It called the captured password list an "older" file, but didn't say how old it was.

The company said it is in the process of changing the passwords of the affected Yahoo users and notifying other companies of their users' compromised accounts.

"We apologize to affected users," the company said in its statement. "We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com."

Yahoo did not respond to a request for comment on why the passwords were stored in plain text.

Yahoo's Contributor Network is a small subsection of Yahoo's enormous network of websites. It consists of a group of freelance journalists who write content for a Yahoo site called Yahoo Voices. The Contributor Network was created last year as an outgrowth of Yahoo's 2010 purchase of Associated Content.

The stolen database predated Yahoo's Associated Content purchase, according to Joseph Bonneau, a Cambridge University researcher who once worked with Yahoo on a password analysis study. He no longer has any official relationship with the company.

"Yahoo can fairly be criticized in this case for not integrating the Associated Content accounts more quickly into the general Yahoo login system, for which I can tell you that password protection is much stronger," Bonneau said.

In a statement appended to the list of stolen credentials, the hackers said that their aim was to scare Yahoo into beefing up its defenses.

"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call," they wrote. "There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly."

The Yahoo hack comes a month after more than 6 million passwords were stolen from several sites including LinkedIn (LNKD) and eHarmony. In that case, the passwords were stored cryptographically, but they weren't randomized -- a weak storage system that security experts have been warning against for years.

Though Yahoo is generally viewed as following industry best practices, some security experts were startled when the University of Cambridge's Bonneau was given 70 million Yahoo passwords by the company for analysis earlier this year.

If Yahoo used a "hash" cryptographic tool and "salt" randomization -- both standard security measures -- the company wouldn't have been able to just send along a list of passwords, they pointed out.
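As an added example (not code from the article, Yahoo or any of the people quoted), the three storage schemes the article contrasts side by side: plain text as on the Contributor Network, an unsalted hash as in the LinkedIn case, and a salted, iterated hash. The password-hashing parameters (PBKDF2-HMAC-SHA256, 200,000 iterations, a 16-byte random salt) and the record format are assumptions chosen for the example, not Yahoo's.

```python
import hashlib
import hmac
import os

# Assumed parameters, not taken from the article.
ITERATIONS = 200_000
SALT_BYTES = 16


def store_plaintext(password):
    """What the article says the Contributor Network did: the record *is* the password."""
    return password


def store_unsalted_sha1(password):
    """'Cryptographic but not randomized': the same password always yields the same digest,
    so one cracked digest unlocks every account sharing it and precomputed tables apply."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted(password, salt=None):
    """Hash with a per-record random salt; the salt is stored alongside the digest.

    Record format (assumed): algorithm$iterations$salt_hex$digest_hex.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_salted(password, record):
    """Recompute the digest from the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def compare_schemes(password):
    """Two users pick the same password; report what each scheme leaks to a database thief."""
    plain = (store_plaintext(password), store_plaintext(password))
    unsalted = (store_unsalted_sha1(password), store_unsalted_sha1(password))
    salted = (store_salted(password), store_salted(password))
    return {
        # Plain text: the stolen column is directly usable, as the article describes.
        "plaintext_readable": plain[0] == password,
        # Unsalted: identical digests reveal which users share a password.
        "unsalted_records_identical": unsalted[0] == unsalted[1],
        # Salted: the two records differ, and nothing about the password is recoverable
        # without guessing it against each record separately.
        "salted_records_identical": salted[0] == salted[1],
        "salted_verifies": verify_salted(password, salted[0]) and verify_salted(password, salted[1]),
        "salted_rejects_wrong": verify_salted(password + "x", salted[0]),
    }


if __name__ == "__main__":
    for key, value in compare_schemes("correct horse battery staple").items():
        print(f"{key}: {value}")
```

This is also why the experts quoted above found the 70-million-password transfer odd: a site holding only salted hashes has no list of passwords to hand over, only records that can confirm a guess.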

"It's very weird," said Nilsson. "They shouldn't be able to do that."

Yahoo did not reply to requests for comment on how the company's passwords are stored.
