Yahoo Password Breach: 7 Lessons Learned
What should businesses, users, and regulators take away from the Yahoo password breach? Start with encryption for all stored passwords.
Recently, an attacker uploaded a subset of hashed passwords from LinkedIn to an online security forum, requesting help with cracking them. That was swiftly followed--apparently, by the same attacker--with similar requests for passwords purloined from dating website eHarmony and music-streaming website Last.fm.
More Security Insights
- How Attackers Identify and Exploit Software and Network Vulnerabilities
- Getting a Grip on Mobile Malware
- The 451 Group Impact Report: Skybox Enters Vulnerability Management Space
- Skybox Security Vulnerability Management Survey
This week, question-and-answer website Formspring said that 420,000 of its users' passwords had been compromised, leading the company to reset passwords for all 28 million users. Meanwhile, a hacker or hacking group known as D33Ds Company leaked about 450,000 email addresses and passwords associated with Yahoo Voices, formerly known as Yahoo Contributor Network. The motivation, according to D33Ds, was simple: it was sending "a wake-up call" to whoever was in charge of Yahoo Voices about the need to get serious about security.
[ Read 7 Tips To Toughen Passwords. ]
What could Yahoo--and by extension any company that has consumer passwords to protect--do better? Here are seven best practices:
1. Confirm breaches quickly. Where Yahoo and Formspring are to be commended is in the speed with which they confirmed their password breaches and instituted a fix, all of which happened in less than 24 hours. According to Yahoo spokesman Jon White, "We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users, and notifying the companies whose users accounts may have been compromised."
Formspring, however, went one step better, by providing details about the exact improvements made. "We were able to immediately fix the hole and upgraded our hashing mechanisms from SHA-256 with random salts to Bcrypt, to fortify security," said Formspring CEO Ade Olonoh in a blog posted Wednesday.
2. Watch for fast-moving SQL injection attacks. D33Ds said it breached Yahoo by using a union-based SQL injection attack. Security experts said attackers prefer this type of attack for its ability--when successfully executed--to rapidly retrieve large amounts of sensitive data.
"Not all SQL injection attacks are equal. Some can be more destructive than others," said Kyle Adams at Mykonos Software--part of Juniper Networks--in a blog post. "This [type of] attack enables the attacker to extract extremely large chunks of data in a very short amount of time. It's the difference between requesting each password one at a time (normal SQL injection), letter by letter (blind SQL injection) or requesting hundreds of passwords in one shot (union-based)."
3. Beware third-party security. Last year, one of the more than a dozen data breaches involving Sony involved hackers accessing what the consumer electronics giant said was "an outdated database from 2007." Likewise, the breached Yahoo database appears to have come from a company acquired by Yahoo, which means that the database wouldn't have been covered by Yahoo's own system development lifecycle (SDLC) practices. But that should have led Yahoo to at least protect the acquired systems with a Web application firewall (WAF), according to security experts, to help block SQL injection attacks.
"This attack highlights the challenges of security with third-party applications," said Rob Rachwald, director of security strategy at Imperva , in a blog post. "The attacked applications [were] probably acquired by Yahoo! from a third party, Associated Content. It's very challenging to have an effective SDLC with third parties. Therefore, you need to put them behind WAF."
4. Require strong passwords. The breach also shows that Yahoo--or else Contributor Network, if the passwords date from before the company's acquisition by Yahoo--failed to require users to select strong passwords. According to an analysis published by Swedish security expert Anders Nilsson at Eurosecure, the top five most-selected passwords were "password," "123456," "12345678," "1234," and "qwerty."
Of course, people's password selection is irrelevant if, as in the case of the Yahoo breach, the password database isn't even properly secured. Likewise, in the case of the LinkedIn breach, the apparent use of an outdated encryption algorithm, and a failure to salt the passwords--meaning, adding a unique value to each one before encrypting it--meant that even the strongest passwords could be cracked offline, given a bit of time.
5. Businesses, get serious about passwords. Any business or government agency that stores users' passwords needs to do a better job of not just deleting password databases, but ensuring they're actually secure. Indeed, based on a review of the leaked data, Imperva's Rachwald said Yahoo apparently "stored the passwords both ... encrypted (AES_passwd) and in clear text (clear_passwd) which, of course, makes the encryption useless." Coming on the heels of the LinkedIn, eHarmony, and Last.fm breaches, Rachwald dubbed the Yahoo breach as yet "another epic password fail." When will companies learn?
6. Consumers, practice tough love. Until businesses do learn, the rule for consumers is simple: Don't trust any site that requires a password to keep it safe. Accordingly, use unique passwords for every website, so attackers can't reuse credentials stolen from one site, such as Yahoo, to access an account tied to the same email address on another site, such as PayPal. Also consider changing passwords with some frequency, in case prior versions of password databases should get exploited. Finally, consider that not all password breaches come to light, and the situation might be even worse than it appears.
Editor's note: Corrected spelling of D33Ds hacker group.
Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity issue of Dark Reading shows how to strengthen them. (Free registration required.)