Yahoo's Security Breach Is a 'Wake-Up Call' for Business

The inside story on how hackers stole nearly half a million passwords from Yahoo—and how you can avoid data theft.
Business Writers
July 13, 2012

Just in case you didn't heed the data-theft warning after the huge LinkedIn password theft in June, a recent Yahoo episode offers another reminder. Nearly 443,000 e-mail addresses and passwords for a Yahoo site were exposed late Wednesday, the company confirmed. (Mashable reported that the stolen passwords belonged to users of Yahoo Voices, which lets registered users share their expertise on various topics, including, of course, small business.)

If that's not bad enough, the impact was much bigger, because Yahoo let users log in with credentials from other sites (Google's Gmail, Microsoft's Hotmail, AOL and others). The pilfered e-mail addresses and passwords were posted online. The original site where they appeared was down on Thursday morning, but the text file is still available on various other sites.

Where the Data Came From

Boston data security consultant Rapid7 reported that the breached passwords were from the following e-mail domains:

  • 137,559 occurrences at yahoo.com

  • 106,873 occurrences at gmail.com

  • 55,148 occurrences at hotmail.com

  • 25,521 occurrences at aol.com

  • 8,536 occurrences at comcast.net

  • 6,395 occurrences at Microsoft's msn.com

  • 5,193 occurrences at sbcglobal.net

  • 4,313 occurrences at live.com

  • 3,029 occurrences at verizon.net

  • 2,847 occurrences at bellsouth.net

Yahoo released a statement saying that less than 5 percent of the accounts that were breached had "valid passwords." "We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users and notifying the companies whose users' accounts may have been compromised. We apologize to affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com," according to the statement.

The Hackers

The group claiming responsibility for the attack is a collective of seven hackers known as the D33D Company. They used what's known as an SQL injection, a very basic attack hackers use against poorly secured websites. In an SQL injection, data thieves enter commands into a search field or URL, and the site passes those commands on to the databases located on the server that's hosting it. In this case, the group came up with hackers' gold: usernames and passwords stored in plain text, meaning the attackers had to do no further work to use them. (Passwords, of course, should be encrypted, never stored in plain text. See our earlier coverage for more on this, plus where LinkedIn went wrong.)

Anders Nilsson, a security expert and chief technology officer of Scandinavian security company Eurosecure, told CNN Money: "Yahoo failed fatally here. It's not just one specific thing that Yahoo mishandled. There are many different things that went wrong here. This never should have happened."

Yahoo's Three Mistakes

Yahoo's error was three-fold, Nilsson adds. First, the site should have been engineered to be impervious to an SQL injection attack. Second, Yahoo should have encrypted users' login information. Finally, there should have been an alert when the break-in occurred—especially because this was not a sophisticated break-in.

"I mean, this is Yahoo we're talking about," Nilsson says. "With the security policies it has in place for its other sites, it should have known to at least put up a firewall to detect these kinds of things." The hacker collective reportedly said of its work: "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call."
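The first two of Nilsson's three mistakes, an SQL injection and plain-text password storage, are easiest to see side by side in code. The following is an added example written for this article, not code from Yahoo or from the article's sources; the user table, the sample account and the `find_user_*` and `login` function names are all constructed for the demo.

```python
import hashlib
import secrets
import sqlite3

# Constructed sample account for the demo. The table stores a random salt and
# a PBKDF2 hash, never the password itself (Yahoo Voices stored plain text).
SAMPLE_EMAIL = "alice@example.com"
SAMPLE_PASSWORD = "correct horse battery staple"

def hash_password(password, salt):
    # PBKDF2-HMAC-SHA256 with a per-user salt: a leaked table yields hashes,
    # not reusable credentials for Gmail, Hotmail or AOL.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = secrets.token_bytes(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (SAMPLE_EMAIL, salt, hash_password(SAMPLE_PASSWORD, salt)))
    return conn

def find_user_vulnerable(conn, email):
    # The weak pattern behind an SQL injection: untrusted input is pasted into
    # the query text, so a quote character in the input becomes SQL syntax.
    query = f"SELECT email FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(query)]

def find_user_hardened(conn, email):
    # Parameterised query: the driver sends the input as data, never as SQL.
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE email = ?", (email,))]

def login(conn, email, password):
    # Hardened login: parameterised lookup plus constant-time hash comparison.
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return secrets.compare_digest(hash_password(password, salt), stored)

if __name__ == "__main__":
    db = setup_db()
    probe = "nobody@example.com' OR '1'='1"  # classic textbook tautology
    print("vulnerable:", find_user_vulnerable(db, probe))  # every row leaks
    print("hardened:  ", find_user_hardened(db, probe))    # []
    print("login ok:  ", login(db, SAMPLE_EMAIL, SAMPLE_PASSWORD))
```

The vulnerable lookup returns every account for an input that is not an address at all, which is also the kind of anomaly (one login query matching many rows) that Nilsson's third point, an alert, should catch.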

Have you suffered a security breach? (Before you answer, double-check the security arrangements for your own data.)
