Yahoo sub-domain compromised – 456k passwords dumped

 

Rumors are running around in a few places that a Yahoo! web property was hacked via SQL injection. Looking at the dump file, there are a few clues that it is in fact from Yahoo. This will, no doubt, cause many users headaches. Here are some statistics of interest that were culled from the dump with Pipal:

Top 10 passwords
123456 = 1667 (0.38%)
password = 780 (0.18%)
welcome = 437 (0.1%)
ninja = 333 (0.08%)
abc123 = 250 (0.06%)
123456789 = 222 (0.05%)
12345678 = 208 (0.05%)
sunshine = 205 (0.05%)
princess = 202 (0.05%)
qwerty = 172 (0.04%)

Password length (count ordered)
8 = 119135 (26.88%)
6 = 79629 (17.97%)
9 = 65964 (14.88%)
7 = 65611 (14.81%)
10 = 54762 (12.36%)
12 = 21733 (4.9%)
11 = 21224 (4.79%)
5 = 5325 (1.2%)
4 = 2749 (0.62%)
13 = 2663 (0.6%)
14 = 1502 (0.34%)
15 = 844 (0.19%)
16 = 575 (0.13%)
3 = 303 (0.07%)
17 = 267 (0.06%)
20 = 187 (0.04%)
18 = 133 (0.03%)
1 = 118 (0.03%)
19 = 99 (0.02%)
2 = 72 (0.02%)
21 = 23 (0.01%)
28 = 23 (0.01%)

Single digit on the end = 47445 (10.71%)
Two digits on the end = 73663 (16.62%)
Three digits on the end = 31106 (7.02%)

Last number
0 = 17608 (3.97%)
1 = 46705 (10.54%)
2 = 24635 (5.56%)
3 = 29233 (6.6%)
4 = 17712 (4.0%)
5 = 17413 (3.93%)
6 = 17899 (4.04%)
7 = 20403 (4.6%)
8 = 17863 (4.03%)
9 = 19922 (4.5%)

Other interesting stats:
.gov: 158
.mil: 446
gmail.com: 106,909
yahoo.com: 138,837
hotmail.com: 55,178
aol.com: 24,731
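
The numbers above are Pipal output. To make clear what each of those counts actually measures, here is an added example (not from the original post, and not Pipal's own code) that reproduces the same categories in Python: top passwords, length distribution, passwords ending in exactly one/two/three digits, the final-digit histogram, and per-domain counts of the e-mail addresses. It assumes the dump is one `email:password` record per line; the records in `SAMPLE_DUMP` are constructed for the example and are not from the real dump.

```python
"""Pipal-style password-dump audit (added example, not Pipal's code).

Assumed input format: one 'email:password' record per line.
The sample below is constructed; it is not data from the real dump.
"""
import re
from collections import Counter

SAMPLE_DUMP = """\
alice@example.com:123456
bob@example.org:password
carol@example.gov:sunshine1
dave@example.mil:welcome22
erin@example.com:ninja
frank@example.net:abc123
grace@example.com:princess
heidi@example.org:qwerty9
ivan@example.com:Summer2012
judy@example.net:123456
"""


def parse_dump(text):
    """Split each line on the FIRST ':' only; passwords may contain colons."""
    records = []
    for line in text.splitlines():
        if ":" not in line:
            continue  # skip blank or malformed lines rather than crash
        email, password = line.split(":", 1)
        records.append((email.strip().lower(), password))
    return records


def top_passwords(records, n=10):
    return Counter(pw for _, pw in records).most_common(n)


def length_distribution(records):
    """Lengths ordered by frequency, like Pipal's 'count ordered' view."""
    return Counter(len(pw) for _, pw in records).most_common()


def trailing_digit_stats(records):
    """Count passwords ending in EXACTLY 1, 2 or 3 digits (the three
    categories are disjoint, which is why 'Two digits' can exceed 'Single'),
    plus a histogram of the final digit for every password ending in one."""
    exact = {1: 0, 2: 0, 3: 0}
    last_digit = Counter()
    for _, pw in records:
        m = re.search(r"\d+$", pw)
        if not m:
            continue
        run = len(m.group())
        if run in exact:
            exact[run] += 1
        last_digit[pw[-1]] += 1
    return exact, last_digit


def domain_stats(records):
    """Count full e-mail domains and top-level domains (.gov, .mil, ...)."""
    domains, tlds = Counter(), Counter()
    for email, _ in records:
        if "@" not in email:
            continue
        domain = email.rsplit("@", 1)[1]
        domains[domain] += 1
        tlds["." + domain.rsplit(".", 1)[-1]] += 1
    return domains, tlds


def percent(count, total):
    return round(100.0 * count / total, 2) if total else 0.0


def report(text):
    """Render the statistics in the same layout Pipal prints."""
    records = parse_dump(text)
    total = len(records)
    out = [f"Total entries = {total}", "", "Top 10 passwords"]
    out += [f"{pw} = {c} ({percent(c, total)}%)" for pw, c in top_passwords(records)]
    out += ["", "Password length (count ordered)"]
    out += [f"{n} = {c} ({percent(c, total)}%)" for n, c in length_distribution(records)]
    exact, last = trailing_digit_stats(records)
    out += ["",
            f"Single digit on the end = {exact[1]} ({percent(exact[1], total)}%)",
            f"Two digits on the end = {exact[2]} ({percent(exact[2], total)}%)",
            f"Three digits on the end = {exact[3]} ({percent(exact[3], total)}%)",
            "", "Last number"]
    out += [f"{d} = {last[d]} ({percent(last[d], total)}%)" for d in "0123456789"]
    domains, tlds = domain_stats(records)
    out += ["", "Email domains"]
    out += [f"{dom}: {c}" for dom, c in domains.most_common(5)]
    out += [f"{tld}: {tlds[tld]}" for tld in (".gov", ".mil")]
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_DUMP))
```

Run against a real dump by reading the file into `report()`. The "exactly N trailing digits" rule is what makes the page's "Two digits on the end" (16.62%) larger than "Single digit" (10.71%): the categories do not nest, and the "Last number" histogram (which counts every password ending in a digit, however long the run) is the one that sums to the full share of digit-terminated passwords.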

No word yet on if the passwords were hashed or sitting in the DB in plain text.

I feel like 2012 is becoming the year of the high-profile password dump. I’ve had more and more non-security people ask me how I store my passwords. First, just about every web site and service I use has a different password. Second, I am a big fan of KeePassX. It’s easy, open source (and well scrutinized), and available on any platform that I need it to be on. I also use two-factor on those sites that offer it (e.g. Google, Facebook, etc.).

-Trevor
@packetwerks

Follow us: @stratumsecurity

One Comment

MJ July 12, 2012

You’d think with LinkedIn having suffered almost the same type of breach < 1 month ago, companies like Yahoo with tens of millions of users would self-assess at least to harden their defenses. Yahoo is perhaps one of the last companies I'd have thought would store passwords in cleartext, but chances are there are plenty such companies just sitting around and waiting to be victimized and embarrassed.
