Yahoo Mail hacked

Vitaliy_Kiselev

Security attacks are unfortunately becoming a more regular occurrence. Recently, we identified a coordinated effort to gain unauthorized access to Yahoo Mail accounts. Upon discovery, we took immediate action to protect our users, prompting them to reset passwords on impacted accounts.

Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise.

May I ask question? Please...

What exactly is "third party database with all names and plain passwords stored"? You mean ones provided daily to your friends in NSA and FBI?

As I fail to think about any other reason providing all this information to third party.

kurth

@Vitaliy

...actually, I think you are like a "3rd party database" albeit a small version. This is probably a case where people are dumb enough to register somewhere where security isn't an issue, using their email addresses , and then use the exact same password there as used on their email accounts, or worse , even their banks accounts !

When a particular "3rd party database" is breached, then they can use the email account names and the passwords from that site, to see which passwords might be the same. I think that's what it's saying. Although as well a 3rd party database might be government, those would be much more difficult to breach, and wouldn't make much sense to do so just to get into some yahoo accounts. As well as the risk of being tailed in the process !

Vitaliy_Kiselev

...actually, I think you are like a "3rd party database" albeit a small version. This is probably a case where people are dumb enough to register somewhere where security isn't an issue, using their email addresses , and then use the exact same password there as used on their email accounts, or worse , even their banks accounts !

If you read their press release it is not the case, and makes no sense at all.
Especially that no sane software store plain (or even encrypted, as Adobe) passwords. At least on PV we don't have any.

Although as well a 3rd party database might be government, those would be much more difficult to breach, and wouldn't make much sense to do so just to get into some yahoo accounts.

You are wrong on both cases. First, it is more easy to breach as they are loosing thousands of notebooks. Second, email accounts with passwords can be simply sold on market to spammers and virus authors (they just send all contacts specially made emails with virus that people open as they trust old friend).

LongJohnSilver

I always thought that hashes should be saved instead of passwords but I see that they are not secure too. A nice article explaining problem involved saving password or hashes.

http://dustwell.com/how-to-handle-passwords-bcrypt.html

Vitaliy_Kiselev

@LongJohnSilver

It is good to understand that such things as bcrypt enable different kind of attacks on sites. As function is slow you can develop very advanced DDOS using small resources.

LongJohnSilver

Got it, so no way to securely store password intrinsically. It's the overall architecture that must be secure. And of course, form the user point of view not using "password123"

LongJohnSilver

It's incredible that Sony had the plain password stored on their DB... Who knows which algo used Adobe. I had to change my password on several sites...

Vitaliy_Kiselev

It's incredible that Sony had the plain password stored on their DB... Who knows which algo used Adobe. I had to change my password on several sites...

Some firm made development and subcontracted someone and they subcontracted someone and no one know how it works.

Howdy, Stranger!

Categories

Tags in Topic

Top Posters