Last month, LinkedIn, eHarmony, Formspring and Last.fm were among the major websites whose passwords were stolen and posted on the internet. The latest victim is Yahoo. Yes, it is hard to believe, but Yahoo has fallen victim to a password leak.
Last month, a file containing about 6.5 million passwords and another containing 1.5 million passwords were discovered on InsidePro.com, a Russian hacker forum that offers hacking tools. Someone had posted the files so that other users could help crack them: the passwords were not saved in plain text but protected with a technique called “hashing”. The hashes turned out to belong to LinkedIn and eHarmony, and both websites later confirmed this.
Most of the major sites that were victims of password leaks had at least hashed their passwords; what comes as a surprise is that Yahoo had not. Over 450,000 passwords were stolen from Yahoo’s database, and they were stored in a plain text file! The group of hackers responsible confirmed the act, saying they had used the common SQL injection technique to get hold of the 450k-plus passwords. Since hashing passwords is a common technique, or rather the industry standard, all Yahoo had to say about its security was this:
“At Yahoo we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products,” the statement said.
Yahoo has confirmed that the leak did take place and that the leaked file was an older file from the Yahoo Contributor Network, previously called Associated Content, a content farm that paid users for their written submissions plus a bonus based on the traffic they generated. The file apparently contained fewer than 5 percent of the Yahoo accounts that had valid passwords associated with them.
There are many ways to strengthen the security of a website. For instance, when Formspring’s passwords were compromised, the site had taken the extra precaution of ‘salting’ them beforehand (mixing a random per-user value into each password before hashing it, so that two users with the same password get different hashes), and as a result Formspring’s hashes were 200 times tougher to crack than those stolen from eHarmony and LinkedIn.
Other online giants like Google and Facebook offer two-step authentication for logging in, so even if a hacker gets hold of a user’s credentials, he cannot log in to an account with two-step authentication enabled: the user must also enter a code that is sent to their phone whenever a login attempt is made from an unrecognized device.
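To make the two-step flow above concrete, here is an added example (not code from the original post, and not Google’s or Facebook’s implementation) of the server-side bookkeeping for a one-time code tied to an unrecognized device. The class, method names, 5-minute lifetime and three-attempt limit are all assumptions chosen for illustration; the code is stored hashed, checked in constant time, consumed on first use, and the device is only remembered as trusted after a successful check.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime of a delivered code
MAX_ATTEMPTS = 3         # assumed number of wrong guesses before the code is voided


class SecondFactor:
    """Tracks pending one-time codes and which devices a user has already confirmed."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock so expiry can be tested offline
        self._pending = {}              # user -> (sha256 of code, expiry time, wrong attempts)
        self.trusted_devices = {}       # user -> set of device identifiers

    def needs_code(self, user, device_id):
        """True when this device has never completed the second step for this user."""
        return device_id not in self.trusted_devices.get(user, set())

    def login(self, user, password_ok, device_id):
        """Outcome of a login attempt once the password has been checked elsewhere.

        Stolen credentials alone only get as far as 'second_factor_required'.
        """
        if not password_ok:
            return "denied"
        if self.needs_code(user, device_id):
            return "second_factor_required"
        return "ok"

    def issue_code(self, user):
        """Create a fresh 6-digit code; the caller delivers it out of band (e.g. SMS)."""
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode("utf-8")).hexdigest()
        self._pending[user] = (digest, self._now() + CODE_TTL_SECONDS, 0)
        return code

    def verify_code(self, user, device_id, submitted):
        """Check a submitted code; on success trust the device and discard the code."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[user]      # expired or exhausted: user must request a new code
            return False
        submitted_digest = hashlib.sha256(submitted.encode("utf-8")).hexdigest()
        if hmac.compare_digest(submitted_digest, digest):
            del self._pending[user]      # one-time: a replayed code must not work again
            self.trusted_devices.setdefault(user, set()).add(device_id)
            return True
        self._pending[user] = (digest, expires_at, attempts + 1)
        return False
```

The clock is passed in so that expiry behaviour can be exercised without waiting; in production the default `time.time` is used and the pending-code table would live in a shared store rather than a dictionary.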
Analyzing the leaked passwords is quite amusing: more than 2,200 of them are just ‘123456’ and more than 780 are just ‘password’, which shows how careless those users are. Make sure you pick a strong password when signing up for any service, as a password like ‘123456’ or ‘password’ is as good as leaving the key in the lock of your own front door.
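The two storage schemes contrasted in this post (plain or unsalted hashes versus salted hashes) and the weak-password problem just described can be shown together. The following is an added example written for this post, not code from Yahoo, LinkedIn or Formspring; the sample password list and the blocklist are constructed, and the PBKDF2 work factor and record format are assumptions. It shows why an unsalted digest lets one cracked value unlock every user who chose the same password, why a per-user salt removes that shortcut, and how a sign-up check rejects the passwords that dominate leaked lists.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional

# Constructed sample mirroring the pattern in the leak: many users share trivial passwords.
SAMPLE_PASSWORDS = ["123456", "password", "123456", "correct horse", "123456", "password"]

# Constructed blocklist; a real deployment would load a much larger list of known-leaked values.
WEAK_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123"}

PBKDF2_ITERATIONS = 200_000   # assumed work factor; tune to the hardware you run on


def unsalted_digest(password: str) -> str:
    """Unsalted scheme: identical passwords always produce identical digests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def duplicate_digest_groups(passwords):
    """Count how many users sit behind each unsalted digest.

    In a leaked unsalted table, cracking one digest reveals the password of
    every user in its group at once; here three users share the '123456' digest.
    """
    return Counter(unsalted_digest(p) for p in passwords)


def make_salted_record(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scheme: 'iterations$salt_hex$hash_hex' with a fresh random salt per user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, stored_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), stored_hex)


def is_weak(password: str, min_length: int = 10) -> bool:
    """Sign-up policy: reject short passwords and anything on the blocklist."""
    return len(password) < min_length or password.lower() in WEAK_PASSWORDS


def count_weak(passwords) -> int:
    """How many entries of a list would have been rejected by the policy above."""
    return sum(1 for p in passwords if is_weak(p))
```

Running `duplicate_digest_groups(SAMPLE_PASSWORDS)` shows the largest group sitting under the digest of ‘123456’, exactly the situation the 2,200 identical entries in the leak represent; calling `make_salted_record("123456")` twice gives two different records, so a salted table offers no such grouping and each user has to be attacked separately.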