If it’s a day ending in Y, then there must be another password leak. And today it’s Yahoo’s turn in the spotlight, as the company is investigating claims that more than 400,000 plaintext passwords were stolen from the company and posted online. Security researchers who have looked at the data say that it appears that the passwords came from the company’s VoIP service.
The reports of a possible leak of some Yahoo account passwords began surfacing late last night after a group calling itself D33d Company posted a large dump of what it said were user passwords in plaintext. The AP is reporting that Yahoo officials are investigating the alleged leak, which researchers say includes more than 442,000 entries.
One researcher from security firm Eset analyzed the entries in the password dump and found that, like a lot of large collections of passwords, many of the passwords users selected are distressingly simple. More than 1,600 of the passwords are “123456” and another 780 are “password”. Because many people tend to re-use passwords on multiple sites, researchers say that this kind of breach can be doubly dangerous.
“Since all the accounts are in plain-text, anyone with an account present in the leak which also has the same password on other sites (e-mail, Facebook, Twitter, etc), should assume that someone has accessed their account,” said Anders Nilsson of Eset.
News of the Yahoo password leak comes just a day after more than 400,000 password hashes from Formspring customers were posted online. That attack was different in that the files posted were hashes, not the plaintext passwords. The fact that the attackers who claimed to have compromised Yahoo were able to get plaintext passwords implies a deeper level of penetration into the company’s network.
Last month there was a major password breach at LinkedIn, which resulted in more than 6 million users’ passwords being compromised and one of the victims eventually suing the company over the breach.