Yahoo Hack: Is Yours One of 450K Yahoo Passwords Public Right Now?

Written by Gina Smith

With news that a hacking group nabbed and posted more than 450K Yahoo Voice and email passwords here, anyone with a Yahoo account has got to be hitting that site to see if he or she was a victim. I know I did. Here’s what I saw.

Updated: Yahoo has released a statement saying it is working on the breach and that accounts at other email providers, including Hotmail, are likely affected, too. NOTE: If you want to check your own or other users’ Yahoo email addresses to see whether they are part of the current leak, there’s an easy way to do it here at Sucuri Malware Labs. Just type in the email address and search.

If you try to load the actual page where the so-called hackers posted the passwords and email addresses, you’ll be lucky to see it. They can hack, maybe, but they sure can’t handle the traffic. It would be funny (you’d think these guys could keep their own site up) if the issue weren’t so serious.

Because of the heavy traffic on the group’s site (it calls itself the d33ds group), the page keeps going up and down. I caught part of it in a cut and paste. In part, it reads:

We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call … not as a threat …

There have been many security holes exploited in webservers belonging to Yahoo …  that have caused far greater damage than our disclosure (today). Please do not take (the posting) lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage …

The post also quotes Jean Vanier’s book Becoming Human: “Growth begins when we begin to accept our own weakness,” Vanier wrote.

If you’re a comic book fan, you might want to change your passwords RIGHT away.

CNET’s Declan McCullagh wrote a program to tally the most frequently used passwords and email domains in the posted file of roughly 450K email addresses and passwords. He listed:

• 2,295: The number of times a sequential list of numbers was used, with “123456” by far being the most popular password. There were several other instances where the numbers were reversed, or a few letters were added in a token effort to mix things up.
• 160: The number of times “111111” is used as a password, which is only marginally better than a sequential list of numbers. The similarly creative “000000” is used 71 times.
• 780: The number of times “password” was used as the password. Apparently, absolutely no thought went into security in these instances.
• 233: The number of times “password” was used with a few numbers tacked on behind it. Apparently, the barest minimum of thought went into security here.
• 437: The number of times “welcome” is used. With a password like that, you’re just asking to be hacked.
• 333: The number of times “ninja” is used. Pirates, unfortunately, didn’t make the list.
• 137,559: The number of Yahoo credentials that were leaked.
• 106,873: The number of Gmail credentials that were leaked. Hotmail, which was the next most frequently cited e-mail service, had fewer than half the number of users hit.
• 161: The number of times “freedom” is used, suggesting a lot of patriotic users. “America” was used 68 times.
• 161: The number of times the f-word is used in some combination. There are a lot of angry people out there.
• 133: The number of times “baseball” appears as a password. It’s the most popular sport on the list, proving that it is indeed America’s national pastime. It just may not be the best password.
• 106: The number of times “superman” is used as a password. That’s nearly double the amount of times “batman” is used and triple the frequency of “spiderman.”
• 52: The number of times “starwars” is used. The force is not with this password.
• 32: The number of times “lakers” appears. It tied with “maverick,” and fortunately neither “the_heat” nor “celtics” made the list.
• 56: The number of times “winner” is used.
• 27: The number of times “ncc1701” is used as a password. For those of you who aren’t trekkies, that’s the designation code for the Starship Enterprise. “startrek” is used 17 times, while “ncc1701a,” the designation for the Enterprise used in later Star Trek movies, is used 15 times.
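The kind of tally McCullagh ran is easy to reproduce. The script below is an added example, not McCullagh’s program and not anything from the d33ds post. It assumes the dump is plain text with one `email:password` entry per line (the real file’s exact layout is not given here, so that format is an assumption), parses it, and counts per-domain totals, the most common passwords, and the weak-pattern categories the list above describes: ascending or descending digit runs such as “123456” or “654321”, single repeated digits such as “111111”, the bare word “password”, and “password” followed by digits. The sample dump embedded in the block is constructed for illustration only.

```python
import re
from collections import Counter

# Constructed sample dump for illustration; not data from the real leak.
# Assumed layout: one "email:password" entry per line.
SAMPLE_DUMP = """\
alice@yahoo.com:123456
bob@gmail.com:password
carol@yahoo.com:654321
dave@hotmail.com:password1
erin@yahoo.com:111111
frank@gmail.com:ninja
grace@yahoo.com:welcome
heidi@gmail.com:000000
ivan@yahoo.com:ncc1701
judy@gmail.com:123abc
mallory@yahoo.com:superman
# a malformed line like the next one is skipped by the parser
not-an-entry
"""

SEQ_DIGITS = "0123456789"
SEQ_DIGITS_REV = SEQ_DIGITS[::-1]


def is_sequential(pw):
    """True for 3+ digits that form an ascending or descending run (123456, 654321)."""
    return len(pw) >= 3 and pw.isdigit() and (pw in SEQ_DIGITS or pw in SEQ_DIGITS_REV)


def is_repeated_digit(pw):
    """True for 3+ copies of a single digit (111111, 000000)."""
    return len(pw) >= 3 and pw.isdigit() and len(set(pw)) == 1


def is_password_plus_digits(pw):
    """True for 'password' followed by one or more digits (password1, password123)."""
    return re.fullmatch(r"password\d+", pw, re.IGNORECASE) is not None


def parse_dump(text):
    """Return (email, password) pairs; split on the first colon so passwords may contain colons.

    Blank lines, comment lines and lines without a colon or an '@' are skipped.
    """
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        email, password = line.split(":", 1)
        if "@" not in email:
            continue
        pairs.append((email.lower(), password))
    return pairs


def analyze(text):
    """Tally domains, top passwords and the weak-pattern categories for a dump."""
    pairs = parse_dump(text)
    pws = [pw for _, pw in pairs]
    return {
        "total": len(pairs),
        "domains": Counter(email.rsplit("@", 1)[1] for email, _ in pairs),
        "top_passwords": Counter(pws),
        "sequential": sum(is_sequential(pw) for pw in pws),
        "repeated_digit": sum(is_repeated_digit(pw) for pw in pws),
        "password_literal": sum(pw.lower() == "password" for pw in pws),
        "password_plus_digits": sum(is_password_plus_digits(pw) for pw in pws),
    }


def report(stats, top_n=5):
    """Render the tally as text in the same spirit as the CNET list."""
    lines = [f"{stats['total']}: credentials parsed"]
    for domain, n in stats["domains"].most_common(top_n):
        lines.append(f"{n}: credentials at {domain}")
    for pw, n in stats["top_passwords"].most_common(top_n):
        lines.append(f"{n}: times {pw!r} was used")
    for key in ("sequential", "repeated_digit", "password_literal", "password_plus_digits"):
        lines.append(f"{stats[key]}: {key.replace('_', ' ')} passwords")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_DUMP)))
```

To run it against a real file, replace `SAMPLE_DUMP` with the file’s contents; the categories are counted independently, so a password can fall into more than one of them, and exact-string counting means “Password” and “password” are separate entries in `top_passwords` (only the `password_literal` and `password_plus_digits` checks are case-insensitive).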

Who are these people? What are the ramifications for Yahoo, already a beleaguered player? Send me your comments — name, city, title, link back — and I’ll add them to the piece. Anonymous tips, no pun intended, welcome too! ED
