Over 400,000 Yahoo Voices accounts breached


Anyone who has a Yahoo Voices account should be very sure that the username/password combination wasn't used elsewhere.

It would seem that a SQL injection attack has 'liberated' over 400,000 accounts (and their passwords) from the close confines of the Yahoo Voices service.

iTWire has seen the liberated data and it seems genuine. However, we are confused. As a website owner, who in their right mind would store plain-text passwords? Note: for rather obvious reasons, no links to the breached data will be provided (yes, we know about 'security by obscurity', but that won't change our mind).

However, for those wondering, the data consists of a userID, email address and plain-text password.

A word to the wise: if your Yahoo Voices password is the same as your email password, don't bother changing either; you're screwed already! Changing the password would just annoy the hackers.

Now comes the analysis…

Password security is a process owned by two parties.

As users, we promise (sometimes with our fingers crossed) to use complex passwords that we don't use anywhere else (fat chance!).

On the other hand, websites promise (without the luxury of crossed fingers) to protect the authentication assets they have been trusted with.

With this in mind, not only is there a serious disconnect between these two groups, but the pain threshold is also rather asymmetric.

Hint to all website owners. If you hash passwords, you win one point per user. Another two points if you salt the hashes. And minus one hundred points (and a class action) for those who do neither.

Parallel hint to website owners: if you respond to a password-unknown request with the actual password, you lose. If you respond with a password-reset link, you break even (there is no win here).
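The two hints above, sketched as an added example (not part of the original article and not Yahoo's code): passwords are stored only as salted hashes, and a forgotten password yields a one-time reset token rather than the password itself. The choice of PBKDF2-HMAC-SHA256, the iteration count, the storage format and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # assumed work factor, not from the article


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return 'iterations$salt_hex$hash_hex' using a fresh per-user salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt; compare in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def issue_reset_token():
    """Return (token for the e-mailed reset link, hash of it to store)."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode()).hexdigest()


def check_reset_token(presented, stored_hash):
    """Accept the reset link only if its token matches the stored hash."""
    presented_hash = hashlib.sha256(presented.encode()).hexdigest()
    return hmac.compare_digest(presented_hash, stored_hash)


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    alice = hash_password("correct horse")
    bob = hash_password("correct horse")
    print("same password, different records:", alice != bob)
    print("login with right password:", verify_password("correct horse", alice))
    print("login with wrong password:", verify_password("wrong horse", alice))
    token, stored = issue_reset_token()
    print("reset link accepted:", check_reset_token(token, stored))
```

Because each record carries its own salt, a leaked table of these values does not reveal which users share a password, and neither the password nor the reset token can be read back out of what is stored.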


David Heath


David Heath has over 25 years' experience in the IT industry, specializing particularly in customer support, security and computer networking. Heath has worked previously as head of IT for The Television Shopping Network, as the network and desktop manager for Armstrong Jones (a major funds management organization) and has consulted into various Australian federal government agencies (including the Department of Immigration and the Australian Bureau of Criminal Intelligence). He has also served on various state, national and international committees for Novell Users International; he was also the organising chairman for the 1994 Novell Users' Conference in Brisbane. Heath is currently employed as an Instructional Designer, building technical training courses for industrial process control systems.
