Saturday, July 14, 2012

Yahoo's Associated Content/Yahoo Voices Password Leak

I'm sure by now you've all heard about Yahoo being compromised, at least those who signed up for Associated Content (now Yahoo Voices). But it's not just those with yahoo email accounts, it has also affected a bunch of other users including Hotmail, GMail, Comcast, and AOL. I don't recall ever having signed up with Associated Content, but I obviously did with one of my numerous non-Yahoo email addresses because, boom, there it is- one of the 450,000 compromised accounts.

Although news of the hack was issued several days ago, I only just received an apology email from yahoo, with a recommendation to change my password.
You may have read in press reports that Yahoo! recently confirmed an older file containing approximately 450,000 email addresses and passwords—provided by writers who had joined Associated Content prior to May 2010—was publicly posted on the Internet. This file was a standalone file that was not used to grant access to Yahoo! systems and services. This message is being sent to an email address in this compromised file.

We are taking important steps to address this issue and have now fixed the vulnerability that led to the disclosure of the data and enhanced our underlying security controls. As a non-Yahoo! account holder, we apologize that we cannot provide you a direct means to secure your account. We strongly recommend that you employ the security mechanisms recommended by your email service provider to secure your account.

Additionally, given the high frequency of consumers using the same login information on services across the Internet, we strongly advise users to:

• Change their passwords for any account they hold every few months,
• Use a different password for each service or website, and
• Create passwords using a mixture of characters, symbols, and numbers.

We also suggest that you proactively monitor the activity on any account you have created online. Specifically, be on the lookout for spam originating from your email, and check your sign-in activity from time to time. If you see anything suspicious—like your account was accessed in Romania when you were home in Chicago—you should change your password immediately.

We take security very seriously at Yahoo! and invest heavily in protective measures to ensure the security of our users and their data across all our products. In addition, we will continue to take significant measures to protect our users and their data.

We sincerely apologize for this matter.
Yahoo! Inc.

Thanks to all the spam, scam, phishing and hacker reprobates out there (who should be hung and quartered for causing everyone so much grief), I have changed my email password several times since 2010, so I think I'm okay, although this article on CNET doesn't seem to think so.

Apparently, the hacking group that dumped all those emails and passwords for the whole world to see (in plain text to boot) claims it did it as a "wake up call to the parties responsible for the security of the hacked site." No malicious intent, they say.  So we 'individual users' have to suffer the consequences for the hacked site's' major security inadequacies?  That's pretty darn malicious. They too deserve to be tortured, along with those companies that have such lax security their sites are hackable.

The hackers site, (which is not up an running right now), released a url address on their twitter account on July 12:

SQL Injection found in Yahoo! subdomain. All databases are still exposed. POC and plain-text passwords ‪#d33ds‬.co

Yahoo claims only a very small percentage of the compromised email addresses had current passwords (less than 5%), but that doesn't excuse its failure to protect its users.

Here's CNET's rundown of what happened, including recommendations to change your password anyway, even if you think you are safe, because the writer doesn't trust Yahoo.

Sucuri Labs tool to check if your email was compromised.

And last but not least, has all the compromised emails listed (no password) on their website for all the spammers and scammers to see. So if you want it removed, you need to email them at with "yahoo removal request" in the subject line. However, it needs to emailed from the email in question. They too have a search tool, so not sure what possessed them to publish the addresses as well.

I never signed up for Yahoo Voices, and was never given the option to opt out when Associated Content was purchased by Yahoo. This is a major problem when companies buy out other companies and all your information goes with it. Between Google and Yahoo, they now own the Internet.

But I'm getting sick and tired of thinking up new passwords every 6 months!


Bookdrawer said...

Thank you for the helpful information. I was informed by Google about this and had to change that password but I also changed all my other ones just to be safe including my email(s).

Incognito said...

You are very welcome.

And yes, better safe than sorry, as the old cliche goes.