Rick's b.log - entry 2015/09/30

mailto: blog -at- heyrick -dot- eu

FYI! Last read at 18:53 on 2024/11/21.

Compromised - it wasn't me!

Yesterday I reported that a spammy message was sent to odd-looking names from my "address book", sort of. The list of names didn't match any that I had stored in any of my devices, but it seemed to be ones that I have emailed at some stage. My guess, based upon the names, was that Yahoo!'s webmail may have been compromised; but I didn't want to come right out and say that with no sort of proper evidence.

Well...

My hat off to Mick who did a little bit of detective work and turned up a story that I managed to miss. Surely it was on The Register? I dunno...

Daily Mail: How many Yahoo email passwords have REALLY been stolen?

Some selected quotes from the article:

Firm admits 'coordinated attack' - but refuses to say how many of its 237 million accounts are affected
Yahoo said it believes the usernames and passwords weren't collected from its own systems, but from a third-party database. (WTF? Third party database?!?)
The firm said it would contact affected users, but has not revealed how many are thought to be at risk. - guess you missed me, Marissa.

And, now, paydirt. This one explains exactly what I was suspecting and why I thought it was Yahoo! webmail that had been compromised:

'The information sought in the attack seems to be names and email addresses from the affected accounts’ most recent sent emails.'

Unanswered questions - obviously - are:

What was a third party doing with this data (unless by "third party" they mean the NSA)

and:

There just isn't enough invective in the world to curse at the sheer stupidity of storing passwords as clear text. If they could be lifted from a database, they were readable. This isn't some mom&pop outfit from the mid '90s, this is one of the world's major email providers. The password should have gone through a one-way process resulting in a numerical value. Better yet, make the process specific to each user (incorporate part of the username, for example) and merge in the password length. In that way, recovery of the hash would need not only for the process to be known, but also a password table generated for each user in turn, and if the password length is used, then not only does the dictionary attack need to come up with a matching word per user, it also needs to be the correct length.
Look, this isn't hard. Or computationally expensive. The process is performed once when the user sets/changes their password, giving a number. Which is stored in the user account data. When the user comes to sign in, the process is performed upon the password that they enter. This, too, results in a number. It's a basic equality test - does this number just calculated match the number stored for this account? Yay or nay. Grant access or say sod off. It is EASY. Really.
I have written a server. It is not intended to be secure, but it does exactly this (only without the password length part; but I'm never going to have 237,000,000 users). Only a total effing twat would, in this day and age, store passwords in any sort of readable form.
Yahoo! - YOU. FAIL. COMPLETELY.

Your comments:

David Pilling, 1st October 2015, 03:04

A year or two back, yahoo accounts getting hacked was common - moderating various 'lists I got to see the effects. I always wondered why yahoo, what was it about that system. Might be that it was big enough to attract hackers. 237 million is enough that any guess for a password is likely to be right for someone.

VinceH, 1st October 2015, 12:17

I would say "Wow, what a massive fail!" but the first word suggests surprise.

These days, I am not surprised by any security breach.

Which is sad.

See the rest of HeyRick :-)

	Rick's b.log - 2015/09/30
It is the 21st of November 2024 You are 18.216.174.32, pleased to meet you!

Rick's b.log - 2015/09/30

Compromised - it wasn't me!

Your comments: