If you have ever used a Yahoo! service now might be a good time to change your password. Yesterday someone stole a list of passwords from one of Yahoo!’s servers – it contained details of 450,000 accounts. The server was for Yahoo Voice, so if you’ve ever used Yahoo Voice then your account is now compromised. And if you’ve ever used the same password on other web sites then those are vulnerable as well.
Why didn’t Yahoo! use better securty?
Reports say that hackers used a SQL injection attack to steal the list, a common way to hack into web sites. There are many ways of storing passwords on a server and Yahoo! didn’t use the most advanced and secure method. So the passwords were easily converted to plain text. In short, Yahoo!’s programmers got lazy, their security wasn’t good enough.
What can we learn from Yahoo!’s mistakes?
- Yahoo’s problem is also your problem. Don’t ignore security alerts like this.
- If you work in software development, don’t be lazy. Block all kinds of SQL injection attacks. And don’t store passwords in plain text, or MD5 hashes, or other simple hashes.
- Everyone should use good passwords, mixed with numbers and made-up words.
- You should not reuse a password on other sites.
Update (16 July 2012):
Yahoo! has confirmed the breach and has fixed up the source of the problem. In their words, “We have… now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of notifying affected users”.
You should still change your password.