It would seem that a SQL injection attack has 'liberated' over 400,000 accounts (and their passwords) from the close confines of the Yahoo Voices service.
iTWire has seen the liberated data and it seems genuine. However, we are confused. As a web-site owner, who in their right mind would store plain-text passwords? Note, for rather obvious reasons, no links to the raw data will be provided to the breached data (yes, we know about 'security by obscurity', but that won't change our mind).
However, for those wondering, the data consists of a userID, email address and plain-text password.
A word to the wise: if your Yahoo Voices password is the same as your email password? Don't bother changing either, you're screwed already! Changing the password would just annoy the hackers.
Now comes the analysis…
As users, we promise (sometimes with our fingers crossed) to use complex passwords that we don't use anywhere else (fat chance!).
On the other hand, websites promise (without the luxury of crossed fingers) to protect the authentication assets they have been trusted with.
With this in mind, not only is there a serious disconnect between these two groups, but the pain threshold is also rather asymmetric.
Hint to all website owners. If you hash passwords, you win one point per user. Another two points if you salt the hashes. And minus one hundred points (and a class action) for those who do neither.
Parallel hint to website owners - if you respond to a password-unknown request with the actual password, you lose. If you respond with a password-reset link, you break-even. (there is no win here).