Yahoo Puts the ‘Duh!’ in Dumb, Gives Away 400K Customer Passwords
Yahoo! committed a security blunder of epic proportions when it stored password data on hundreds of thousands of its users without encryption. Even worse, the data leaked, and it also included information on Gmail, AOL, Hotmail, Comcast, MSN, SBC Global Verizon, BellSouth and Live.com users. D'oh.
By Constantine von Hoffman, CIO
Yahoo! didn’t have 400,000 user passwords stolen as much as it gave them away, at least if reports on the subject are to be trusted
The company, which could have a hard time figuring out how to make popcorn, stored the data without encryption.
Despite this glaring security blunder, the company said in a statement, “At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products.”
Yahoo! attempted to downplay the incident by claiming the leaked information belongs to Yahoo Voices, a self-publishing service once known as Associated Content, and that less than five percent of the Voices accounts had still-valid passwords.
Attention: Your security is only as good as its weakest link.
The dumped account information also included account information on Gmail, AOL, Hotmail, Comcast, MSN, SBC Global, Verizon, BellSouth and Live.com users. Security researchers at Rapid7 found data on roughly 106,000 Gmail accounts, 55,000 Hotmail accounts and 25,000 AOL accounts.
Here are some quotes to demonstrate just how moronic this was:
“Yahoo failed fatally here. … I mean, this is Yahoo we’re talking about. With the security policies it has in place for its other sites, it should have known to at least put up a firewall to detect these kind of things.” — Anders Nilsson, security expert and chief technology officer of Scandinavian security company Eurosecure.