mailto: blog -at- heyrick -dot- eu
Compromised - it wasn't me!
Yesterday I reported that a spammy message was sent to odd-looking names from my "address book", sort of. The list of names didn't match any that I had stored in any of my devices, but it seemed to be ones that I have emailed at some stage. My guess, based upon the names, was that Yahoo!'s webmail may have been compromised; but I didn't want to come right out and say that with no sort of proper evidence.
My hat off to Mick who did a little bit of detective work and turned up a story that I managed to miss. Surely it was on The Register? I dunno...
Some selected quotes from the article:
And, now, paydirt. This one explains exactly what I was suspecting and why I thought it was Yahoo! webmail that had been compromised:
- Firm admits 'coordinated attack' - but refuses to say how many of its 237 million accounts are affected
- Yahoo said it believes the usernames and passwords weren't collected from its own systems, but from a third-party database. (WTF? Third party database?!?)
- The firm said it would contact affected users, but has not revealed how many are thought to be at risk. - guess you missed me, Marissa.
- 'The information sought in the attack seems to be names and email addresses from the affected accounts’ most recent sent emails.'
Unanswered questions - obviously - are:
- What was a third party doing with this data (unless by "third party" they mean the NSA)
- There just isn't enough invective in the world to curse at the sheer stupidity of storing passwords as clear text. If they could be lifted from a database, they were readable. This isn't some mom&pop outfit from the mid '90s, this is one of the world's major email providers. The password should have gone through a one-way process resulting in a numerical value. Better yet, make the process specific to each user (incorporate part of the username, for example) and merge in the password length. In that way, recovery of the hash would need not only for the process to be known, but also a password table generated for each user in turn, and if the password length is used, then not only does the dictionary attack need to come up with a matching word per user, it also needs to be the correct length.
Look, this isn't hard. Or computationally expensive. The process is performed once when the user sets/changes their password, giving a number. Which is stored in the user account data. When the user comes to sign in, the process is performed upon the password that they enter. This, too, results in a number. It's a basic equality test - does this number just calculated match the number stored for this account? Yay or nay. Grant access or say sod off. It is EASY. Really.
I have written a server. It is not intended to be secure, but it does exactly this (only without the password length part; but I'm never going to have 237,000,000 users). Only a total effing twat would, in this day and age, store passwords in any sort of readable form.
Yahoo! - YOU. FAIL. COMPLETELY.
Please note that while I check this page every so often, I am not able to control what users write; therefore I disclaim all liability for unpleasant and/or infringing and/or defamatory material. Undesired content will be removed as soon as it is noticed. By leaving a comment, you agree not to post material that is illegal or in bad taste, and you should be aware that the time and your IP address are both recorded, should it be necessary to find out who you are. Oh, and don't bother trying to inline HTML. I'm not that stupid! ☺
You can now follow comment additions with the comment RSS feed. This is distinct from the b.log RSS feed, so you can subscribe to one or both as you wish.
|David Pilling, 1st October 2015, 03:04|
A year or two back, yahoo accounts getting hacked was common - moderating various 'lists I got to see the effects. I always wondered why yahoo, what was it about that system. Might be that it was big enough to attract hackers. 237 million is enough that any guess for a password is likely to be right for someone.
|VinceH, 1st October 2015, 12:17|
I would say "Wow, what a massive fail!" but the first word suggests surprise.
These days, I am not surprised by any security breach.
Which is sad.
List all b.log entries
Return to the site index
PS: Don't try to be clever.
It's a simple substring match.
Last read at 13:17 on 2020/07/08.
© 2015 Rick Murray
This web page is licenced for your personal, private, non-commercial use only. No automated processing by advertising systems is permitted.
RIPA notice: No consent is given for interception of page transmission.