Clock this password breach as a seriously silly snafu by the yahoos at Yahoo.
Yes, it’s a security breach that has uncovered serious security missteps at the web’s most famous company starting with Y, leading to questions over exactly Y this snafu has happened.
Y’see, 453,000+ user accounts on a service called “Yahoo Voices” were stored as plain text – they weren’t hashed, re-hashed, salted, peppered or anything – just stored and served up raw to devilishly clever hackers.
The hackers are from a group called “D33Ds Company”, and using a technique known as “union-based SQL injection”, they were able to break into a site with the domain name “dbb1.ac.bf1.yahoo.com” with database command trickery that caused this particular database to divulge far more information than was clearly ever intended.
This, it is said, was from a service called “Associated Content”, a content-farm that Yahoo purchased – and then seemingly went about not properly securing.
Yahoo’s initial response has been a politically correct statement about only an “older file” being breached, with TechCrunch the first to post the company's note saying: “At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products.
“We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 400,000 Yahoo! and other company users’ names and passwords was stolen yesterday, July 11. Of these, less than 5% of the Yahoo! accounts had valid passwords.
“We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users’ accounts may have been compromised. We apologize to affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com”, concluded the seriously unserious Yahoos.
What it all means is this: if you use the same password on multiple sites, you’re a yahoo.
It also means that even the biggest sites simply cannot be trusted to secure your password.
So, don’t be a yahoo and use the same password on more than one site, and for goodness sake, make sure that password is long and complicated with letters, numbers and characters.
Finally, if you’re really worried about how the heck you’re going to remember all those passwords, then invest in software like 1Password, while keeping a backup on paper hidden somewhere very, very safe that you’ll a) remember and b) won’t be found by others – like a locked Liberty Safe or some such.
Otherwise your password is one day virtually guaranteed to be exposed by some hacker, somewhere – just as the site “ShouldIChangeMyPassword.com” exposes, with over 10m compromised email addresses already in its database – one which might already include yours!