Yahoo == Whoah! - a Quick Analysis of 450.000 Leaked Passwords

As some of you probably already noticed, it seems like half the internet thinks they got a free out of jail card when it comes to computer crimes. Today it was Yahoo’s turn to handover 456.581 email addresses including passwords. Just before you stop reading let me tell you the following: In this post you won’t find how you should store your customers passwords. And that you should alway’s nicely hash and salt them. And use an algorithm that takes a long time to bruteforce (cough cough) ow no I didn’t, I tricked you a bit did I? You did read all that stuff just now! Ow well, lets continue. There are plenty of posts out that that do exactly that (give you advice on how to store passwords) – some do a very poor job by the way… so when looking for this stuff make sure you ask somebody who knows where to find the right doco’s. What I will do though is give some more info about the data leak.

Unfortunately the leek itself has been taken offline (although I’m sure mirrors exists). And no I wont put it online here. It has been taken offline for a reason ;)

So what did the dump exactly contain? First the dump started with the usual info about the hacker group, who is responsible and stuff like that. Followed by the information about the database that got popped (including HOSTNAME, oops… not so responsible disclosure). Somebody (sorry can’t remember or find his twitter account) made a quick analysis that this was probably the database from the Yahoo Voice service. This service is a user contribution service on the Yahoo! network[1]

This information was followed by the dump of 456.581 email addresses including plain passwords. Lets do a quick analysis:

456581 password found
342513 unique passwords found

Top 10:
1667 x 123456
780 x password
437 x welcome
333 x ninja
250 x abc123
222 x 123456789
208 x 12345678
205 x sunshine
202 x princess
172 x qwerty

Till today these passwords are still being used and are still allowed. Isn’t it time we start to blacklist these passwords just like Twitter is already doing? Except for ninja, you cannot ban a ninja from your system….

Just before we wrap it up please remember the following: It is most likely that your customers will use a password in your application that they use somewhere else too. It is not uncommon (maybe even mainstream – hipsters this is your chance to change the general understanding of a password policy) for a user to have 2 or 3 passwords in total. So its very likely that the customers password in your database is also used for other applications eg email. Being aware of this is YOUR job. Not the customers. Security awareness will slowly increase under the general public but this will not change over night. You as a developer are responsible and you will have to create the rules when it comes to application security. Getting hacked can happen to everyone, but make sure that when it happens the data you store is stored safely. So NO plain passwords! cough captain obvious cough

Personally, I don’t think this is a responsible way of disclosing a vulnerability. But more on this so called “hacktivism” in a post planned later this week. So keep visiting DamnSecure! And don’t forget to follow me on twitter and put my blog in your RSS feed.

Well thats it for today. Stay warm (I don’t like being frosty)

Cheers, Ruben.