Yahoo Password Breach Puts Other Sites at Risk
On July 12th 2012, it was revealed that over 453,000 passwords for Yahoo Voices had been compromised. The attackers, calling themselves "D33Ds Company", said the leak was meant as a wake-up call to Yahoo that it needed to get serious about security.
Yahoo immediately downplayed the attack. A Yahoo spokeswoman said that "an older file" from 2006 had been compromised from Yahoo Voices, a company Yahoo had purchased in 2010 when it was known as Associated Content. She added that fewer than 5% of the accounts were still valid.
Other Sites At Risk
But here's where things get interesting. Users have repeatedly shown that, left to themselves, they not only choose weak passwords but also re-use the same passwords across site after site.
The file leaked by D33Ds contained users' email addresses and their Yahoo Voices passwords. AOL's analysis of the file found that almost 1,700 of the Yahoo Voices entries were also valid passwords for AOL's own service.
Google and Microsoft drew similar conclusions, although they declined to provide numbers. In the end, affected users of Gmail, AOL, Hotmail, MSN and Live.com were required to change their passwords.
Analysis of Password Re-Use
Security researcher Troy Hunt drew some interesting conclusions by cross-referencing separate breaches by user ID. When Sony was breached, he compared the leaked Sony password file against an earlier breach of the online media site Gawker and found 88 accounts in common; two-thirds of those accounts used identical passwords on both services.
Troy did the same with Yahoo Voices. Comparing the Yahoo Voices password file against Sony's, he found 302 accounts in common, and 59% of them used the same password on both sites. This shows that credentials stolen from one system can simply be replayed to compromise the same user on entirely independent systems.
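The cross-referencing Troy Hunt describes is a straightforward join on the account identifier. The following script, added here as an illustration and not part of the original article or of Hunt's own tooling, takes two credential dumps in the common `email:password` line format (the two sample dumps are constructed, hypothetical data), joins them on the normalized email address, and reports how many shared accounts re-used an identical password; the file format, the helper names and the sample data are assumptions.

```python
from collections import Counter

# Constructed sample dumps (hypothetical accounts, not real breach data).
# Assumed format: one "email:password" per line, as leaked files commonly are.
DUMP_A = """\
alice@example.com:Summer2012
bob@example.com:hunter2
carol@example.com:qwerty
dave@example.com:letmein
erin@example.com:Pa55word!
"""

DUMP_B = """\
Alice@Example.com:Summer2012
bob@example.com:hunter2
carol@example.com:Qwerty!
frank@example.com:changeme
"""


def parse_dump(text):
    """Return {normalized_email: password}.

    The email is lower-cased so that alice@example.com and Alice@Example.com
    are treated as the same account; the password is kept verbatim because
    case is significant when comparing it.  Blank or malformed lines are skipped.
    """
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, _, password = line.partition(":")
        creds[email.strip().lower()] = password
    return creds


def reuse_stats(dump_a, dump_b):
    """Join two dumps on email and measure password re-use among shared accounts."""
    a = parse_dump(dump_a)
    b = parse_dump(dump_b)
    common = sorted(set(a) & set(b))
    identical = [email for email in common if a[email] == b[email]]
    rate = len(identical) / len(common) if common else 0.0
    return {
        "common": len(common),          # accounts present in both dumps
        "identical": len(identical),    # of those, same password on both sites
        "rate": rate,                   # fraction re-using the password
        "accounts": identical,
    }


def top_passwords(*dumps, n=3):
    """Most frequently chosen passwords across all dumps (the 'poor choice' angle)."""
    counts = Counter()
    for dump in dumps:
        counts.update(parse_dump(dump).values())
    return counts.most_common(n)


if __name__ == "__main__":
    stats = reuse_stats(DUMP_A, DUMP_B)
    print(f"{stats['common']} accounts in common, "
          f"{stats['identical']} ({stats['rate']:.0%}) re-used the same password")
    print("most common passwords:", top_passwords(DUMP_A, DUMP_B))
```

Run against real dumps, the same join is what lets a company like AOL or Google confirm that a password leaked from Yahoo Voices is also valid on its own service, without ever storing the leaked file beyond the comparison.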
Google, which has consistently demonstrated security best practices, was still caught up in the Yahoo breach because of the affected users' poor password choices. Google itself was not compromised; users who re-used their Yahoo Voices password on Gmail made their Google accounts vulnerable.
Beyond email, users who re-use credentials have also exposed their banking, PayPal and other accounts. Anywhere the same user ID and password pair is used, that account is vulnerable.
Who is to Blame and What Can Be Done?
There's little doubt that Yahoo failed to provide adequate security to its Yahoo Voices users. Yahoo blames the poor security it inherited from the third party it purchased, but this is no excuse.
A Web application firewall might at least have blocked the attack D33Ds used to break in, although a WAF is a stopgap and the underlying application flaw still has to be fixed. More importantly, passwords should never be stored in a recoverable form at all: each one should be run through a slow, salted password hashing function (bcrypt, scrypt, Argon2 or PBKDF2), so that a stolen table yields only per-user hashes that must be cracked individually rather than the passwords themselves. Yahoo Voices had stored its passwords in plain text, which is what made the leaked file immediately usable against other services.
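To make the storage point concrete, here is an added example (not code from Yahoo or from the original article) contrasting a plain-text user table with one protected by salted, iterated hashing. It uses PBKDF2-HMAC-SHA256 from the Python standard library because it runs everywhere; in a real deployment Argon2id or bcrypt from a maintained library is preferable. The user table, the iteration count and the storage string format are assumptions for the illustration.

```python
import hashlib
import hmac
import os

# OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256; raise it as hardware improves.
ITERATIONS = 600_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing string: 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random 16-byte salt per password means two users with the same
    password get different stored values, so identical passwords are not
    visible in a leaked table and one precomputed table cannot crack them all.
    The iteration count makes each guess expensive for an attacker.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed user table (hypothetical accounts) stored the way Yahoo Voices did it.
PLAINTEXT_TABLE = {
    "alice@example.com": "Summer2012",
    "bob@example.com": "Summer2012",
}


def hashed_table(plaintext_table):
    """The same table as it should have been stored: one salted hash per user."""
    return {email: hash_password(pw) for email, pw in plaintext_table.items()}


def same_password_visible(table):
    """True if any two rows share an identical stored value.

    In a plain-text table this reveals password sharing at a glance; with
    per-user salts the stored values differ even for identical passwords.
    """
    values = list(table.values())
    return len(values) != len(set(values))


if __name__ == "__main__":
    protected = hashed_table(PLAINTEXT_TABLE)
    print("plaintext table leaks shared passwords:", same_password_visible(PLAINTEXT_TABLE))
    print("hashed table leaks shared passwords:  ", same_password_visible(protected))
    print("login with correct password:", verify_password("Summer2012", protected["alice@example.com"]))
    print("login with wrong password:  ", verify_password("summer2012", protected["alice@example.com"]))
```

Note that hashing does not rescue users who chose "Summer2012": a dictionary attack on the leaked hashes will still recover weak passwords, just slowly and one account at a time. It removes the attacker's free win, not the user's obligation to pick unique, strong passwords.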
Users share the blame though. Re-using the same password on other sites, no matter how strong that password may be, is poor security practice. Every password should be unique, so that a compromise of one service stays isolated rather than setting off a domino effect across others.
Users also need to change a password promptly whenever the service that holds it reports a breach, or whenever they have reason to believe it is exposed. At the time, security professionals generally recommended changing passwords on a fixed schedule, every 30 days or each quarter depending on the service; current guidance (NIST SP 800-63B) drops mandatory periodic rotation, which tends to produce weaker, predictable variations, in favour of unique passwords changed on evidence of compromise.
Through the Yahoo security breach, we can all learn that each of us plays an important part in staying secure. It's easy to point fingers at companies that fail to provide robust IT security, but in the end we are responsible for securing ourselves.