Yahoo Hacked, 400K Unencrypted Passwords Compromised
A hack into a Yahoo server has resulted in a breach of over 400,000 email and password pairs. The hack was performed by a group known as D33Ds and affected one or more servers from Yahoo Voices. Voices is a crowd-sourced publishing platform that allows users to contribute articles through the Yahoo Contributor Network. Yahoo has said it is investigating the alleged breach, but has not provided any official confirmation or denial of the report, according to a Washington Post story.
Breaking and Entering
While few details have been confirmed, the reports suggest at least two surprising items. First, the breached credentials were reportedly stored as "clear text." Clear text means that the credentials--the username and corresponding password--were not encrypted; encryption is a process that uses software to scramble and protect sensitive information. Second, the hackers used a method known as "SQL injection." SQL injection is a common attack method in which crafted input causes a program to run unintended database queries, exposing information that is intended to be protected.
The credentials contained email addresses from domains including Yahoo, Google's Gmail, and AOL. Repeated attempts to follow a link reported to reveal and examine the breached information resulted in a message stating "High Traffic - Give Us A Sec."
Key Reasons to Encrypt and Test Systems
The details of this story are still developing. If the situation is as reported and sensitive user credentials were not encrypted, it will be an embarrassment for the already struggling company. For midsize businesses, there are simple, yet powerful lessons to be learned from this situation.
Encryption software and algorithms have existed for many years. While encryption was once an expensive and complicated process, numerous options now exist, and some hardware providers include encryption as standard. The point is that protecting sensitive information is not only easy; it is an implicit expectation of users, and often an explicit promise of the organization.
Sensitive information, such as credentials, social security numbers, or credit card information, is expected to be protected. Users trust that organizations will provide ample protection for their valuable information. When organizations do not protect users' sensitive information--particularly when it is an expected and easily accomplished task--users will leave, and often quite quickly.
SQL injection flaws are a well-known way for hackers to attack protected web-based information. Security investigators find that SQL injections are behind many breached systems. Security groups like OWASP have highlighted the urgency of such attacks, using preach-and-teach methods to help organizations test for and close such security weaknesses. Numerous sources exist for testing and improving software coding and security, as was highlighted in a recent Midsize Insider article on software security.
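The two lessons above, protected credential storage and closing SQL injection flaws, can be shown in one short sketch. This is an added example, not code from Yahoo or from the original article; the table layout, function names, sample accounts and the PBKDF2 work factor are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # PBKDF2 work factor; an assumed value, tune for your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def open_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db


def register(db: sqlite3.Connection, email: str, password: str) -> None:
    salt = os.urandom(16)  # unique per user, so equal passwords hash differently
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (email, salt, hash_password(password, salt)))


def verify(db: sqlite3.Connection, email: str, password: str) -> bool:
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email = ?",
                     (email,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[1], hash_password(password, row[0]))


def lookup_unsafe(db: sqlite3.Connection, email: str) -> list:
    # Flawed pattern: the input becomes part of the SQL text itself.
    return db.execute("SELECT email FROM users WHERE email = '" + email + "'").fetchall()


def lookup_safe(db: sqlite3.Connection, email: str) -> list:
    # Bound parameter: the input is only ever compared as a value.
    return db.execute("SELECT email FROM users WHERE email = ?", (email,)).fetchall()


if __name__ == "__main__":
    db = open_store()
    register(db, "alice@example.com", "correct horse")   # constructed sample data
    register(db, "bob@example.com", "battery staple")
    crafted = "x' OR '1'='1"                              # constructed test input
    print("concatenated query:", lookup_unsafe(db, crafted))
    print("parameterized query:", lookup_safe(db, crafted))
    print("login check:", verify(db, "alice@example.com", "correct horse"))
```

With the concatenated query, the crafted input returns every row in the table; with the bound parameter it returns nothing, and a dump of the table yields only salts and hashes rather than usable passwords.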
For midsize companies and their IT teams, it's important to realize that hacks can, and do, happen. Hackers have sophisticated tools and methods. Security teams are often not involved, or are involved late, in the process of fielding and testing new web-based tools and products. But while hackers may find ways into your environment, two critical security skills are closing well-known weaknesses and building early warning systems that quickly alert when hackers come knocking at your system's doors.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.