450,000 Yahoo Accounts Compromised

Hackers were able to acquire over 450,000 Yahoo account passwords and posted it online last July 11, Wednesday.

Yahoo verified the incident in a statement on Thursday, July 12, and stated that the hacked accounts are contained in an “older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 400,000 Yahoo! and other company users names and passwords.” But they assured users that “less than 5% of the compromised accounts had valid passwords.”

Yahoo apologized and said, “We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised.”

Several technology news websites have named the hackers, who identified themselves as the D33D Company. After posting the hacked accounts, they also posted a statement saying, “We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in Web servers belonging to Yahoo Inc. that have caused far greater damage than our disclosure. Please do not take them lightly.”

Gabriel Tuason, a specialist on online security for the private sector, explained the implications of such compromised passwords. He said the use of passwords is an authentication mechanism. Getting a password is the simplest way of finding out the identity of a user.  If a password or a set of passwords is compromised, so is the identity of the users.

Tuason also explained the implications to a company if its database of passwords is hacked, “Then obviously unauthorized users now have access to accounts they should not have had access to or own.  But on the business-side, one of the most serious repercussions of a compromise is loss of trust and confidence from your users and customers.” He added that the situation is aggravated if the extent of the compromise of the systems is made public or reported in the media.

For a company to avert the risks of attacks, Tuason advised this: “The first step is user education.  But this should be education that users can relate to or understand, meaning not too technical in nature.  This could include how to create strong passwords, how to avoid social engineering attacks, how to safeguard your passwords for multiple sites, etc.”

He also recommended that companies can implement some technical controls to secure its database. Such methods are having two-factor authentication and implementing strong encryption on their password databases.

Two-factor authentication, Tuason said, needs two things: what you have (a token) and what you know (a set of numbers).  “One example of how this works is you have a token or device which has a set of 6 numbers that change every 5 minutes.  At the same time, you have another set of 6 numbers that you only know.  If you enter a site, you need to enter the numbers appearing on your device and the set of numbers you have in your head to be allowed in the site.  Even if your token gets stolen, it is not usable unless they also know your fixed set of 6 numbers.”

On the other hand, implementing strong encryption on password databases means “passwords should not be in clear text.  Otherwise, anybody who gets access to it can actually read the user information.  By using strong encryption, it becomes hard for attackers to actually gain user information even if the database gets compromised,” Tuason explained.

According to CNET, the most commonly used passwords in the compromised accounts were identified as “123456” and “password”.

The National Disaster Risk Reduction and Management Council released on its Facebook account an advisory reporting the said breach and advised the public to update and replace passwords now and on a regular basis. They also advised to use different passwords in different accounts and make them more secure by alternating the use of letters, numbers, and symbols in them.