Yahoo confirms what everyone already knew about password breach

In a statement tweeted late Thursday, Yahoo confirmed that an “older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 450,000 Yahoo! and other company users names and passwords was compromised yesterday, July 11.” Yahoo acquired Associated Content in 2010, and changed its name to Yahoo Voices in 2011.

“We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users' accounts may have been compromised. We apologize to all affected users”, Yahoo said.

Security researchers have been eager to opine on the password breach at Yahoo and other recent high-profile breaches.

“Web applications continue to be seen as a soft target by cyber criminals looking to sell passwords on the black market. Passwords are of value when associated with an email account”, commented Chris Petersen, chief technology officer and cofounder of LogRhythm.

“Because users often use the same password across different accounts, cyber criminals might be able to access other sites, company networks, and banking accounts if they can successfully map the compromised email address to the individual that owns it”, he stressed.

“Organizations must start doing a better job of implementing web application defenses if they want to avoid being the next Yahoo. Perimeter defenses…operate largely on the premise they can detect what is known. To have a chance detecting what is not known, additional monitoring and response approaches must be employed. For example, by analyzing web server logs and network activity patterns, attacks that evade perimeter defense can still be detected and defended against”, he added.
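Petersen's point is that web server logs carry evidence of attacks that a signature-only perimeter device lets through. The following script is an added example, not code from the article or from LogRhythm: it parses combined-format access log lines, URL-decodes each request path, matches it against a small set of web-attack patterns, and then scores each client by signature hits plus server errors so that a single probing client stands out. The log lines, the signature list and the scoring threshold are all constructed for illustration.

```python
"""Added example: detect web-application probing in access logs.

Not taken from the article; the log lines, signatures and threshold
below are constructed assumptions for illustration only.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed sample in Apache/nginx "combined" log format. One client
# (203.0.113.7) probes a query parameter; the other browses normally.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jul/2012:22:14:01 +0000] "GET /article.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jul/2012:22:14:02 +0000] "GET /article.php?id=42' HTTP/1.1" 500 212 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jul/2012:22:14:03 +0000] "GET /article.php?id=42%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 200 9870 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Jul/2012:22:14:05 +0000] "GET /index.php HTTP/1.1" 200 1220 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Jul/2012:22:14:06 +0000] "GET /images/logo.png HTTP/1.1" 200 6600 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jul/2012:22:14:07 +0000] "GET /article.php?id=42%20AND%201=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jul/2012:22:14:07 +0000] "GET /article.php?id=42%20AND%201=2 HTTP/1.1" 200 310 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed signature set; a real deployment would use a maintained ruleset.
# Patterns run against the URL-decoded path so %20 / + encoding does not hide them.
SUSPICIOUS = [
    ("sql-union", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("sql-boolean", re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I)),
    ("sql-quote", re.compile(r"['\"]\s*(--|#|;|$)")),
    ("path-traversal", re.compile(r"\.\./")),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["decoded"] = unquote_plus(rec["path"])
    return rec


def classify(decoded_path):
    """Return the names of every signature the decoded request path matches."""
    return [name for name, rx in SUSPICIOUS if rx.search(decoded_path)]


def analyze(log_text, threshold=2):
    """Return (flagged_requests, suspect_clients).

    flagged_requests: list of (ip, decoded path, [signatures]) for matching lines.
    suspect_clients: {ip: {"signature": n, "server_error": m}} for clients whose
    combined count of signature hits and 5xx responses reaches `threshold`.
    The 5xx count matters because a probe that breaks a query often produces
    an error the perimeter never sees as an attack.
    """
    flagged = []
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sigs = classify(rec["decoded"])
        if sigs:
            flagged.append((rec["ip"], rec["decoded"], sigs))
            per_ip[rec["ip"]]["signature"] += 1
        if rec["status"] >= 500:
            per_ip[rec["ip"]]["server_error"] += 1
    suspects = {ip: dict(c) for ip, c in per_ip.items() if sum(c.values()) >= threshold}
    return flagged, suspects


if __name__ == "__main__":
    flagged, suspects = analyze(SAMPLE_LOG)
    for ip, path, sigs in flagged:
        print(f"{ip} {','.join(sigs)} {path}")
    print("suspect clients:", suspects)
```

The per-client score is deliberately crude; the point is that the combination of decoded request content and response behaviour (here, a 500 after a stray quote, then two boolean probes returning very different sizes) is visible in logs even when each individual request slipped past a filter.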

Paul Ayers, vice president EMEA at encryption firm Vormetric, lamented: “Yet again the world's media is focused on another household name falling victim to a large scale data breach… this isn't the first large brand that we've seen fall victim to a security breach, and it won't be the last.”

Ayers agreed with Petersen about the inadequacies of perimeter defenses. “Servers hold the crown jewels of enterprise information, such as databases, and organizations need to ensure the security and access control of that server data. For databases in particular, a combination of encryption and database activity monitoring ensures organizations can rest assured that no matter how or where data exists on systems, or whoever's hands it falls into, that information remains secure."

An analysis of the Yahoo plaintext passwords by Scandinavian security researcher Anders Nilsson found that the top three passwords were “12345”, “password”, and “welcome”.

Commenting on the poor password practices of many online users, Tony Anscombe, internet security expert at AVG, said: “We believe the traditional password is dead and we should try to avoid using traditional passwords that might have been based on your name, your pet’s name or even your birthday. Our predisposition to use easy-to-remember words or numbers with a linear base as in 1,2,3,4 or even 5,6,7,8 has to change… Users should look to move onward from the simple password and start to look at more sophisticated groups of characters or passphrases.”
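Nilsson's frequency count and Anscombe's warning about "linear base" sequences are both mechanical checks a defender can run over a plaintext dump or a candidate password. The script below is an added example and is not Nilsson's analysis or AVG's code: it tallies the most common passwords in a constructed `email:password` dump and flags each distinct password for the weaknesses the article names (common words, runs such as 1234 or 5678, digits only, short length). The dump, the tiny common-password list and the length threshold are assumptions for illustration.

```python
"""Added example: audit a plaintext password dump for the weaknesses the
article describes. The dump, the COMMON list and the thresholds are
constructed assumptions, not data from the Yahoo breach.
"""
from collections import Counter

# Constructed dump in the "email:password" shape of a plaintext leak.
SAMPLE_DUMP = """\
alice@example.com:12345
bob@example.com:password
carol@example.com:welcome
dave@example.com:12345
erin@example.com:Fluffy2009
frank@example.com:correct horse battery staple
grace@example.com:password
heidi@example.com:12345
ivan@example.com:qwerty
judy@example.com:Tr0ub4dor&3
"""

# Assumed tiny common-password list; use a real breach-derived list in practice.
COMMON = {"password", "welcome", "qwerty", "letmein", "123456", "12345"}
MIN_LENGTH = 8  # assumed policy minimum


def has_linear_run(pw, length=4):
    """True if pw contains `length` consecutive characters whose code points
    step by exactly +1 or -1 throughout (1234, 5678, abcd, 9876)."""
    s = pw.lower()
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def weak_reasons(pw):
    """Return the list of weakness labels that apply to pw (empty if none fire)."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("short")
    if pw.lower() in COMMON:
        reasons.append("common")
    if has_linear_run(pw):
        reasons.append("linear-run")
    if pw.isdigit():
        reasons.append("digits-only")
    return reasons


def top_passwords(dump, n=3):
    """Return the n most frequent passwords in the dump as (password, count)."""
    counts = Counter(
        line.split(":", 1)[1] for line in dump.splitlines() if ":" in line
    )
    return counts.most_common(n)


def audit(dump):
    """Return {password: reasons} for every distinct weak password in the dump."""
    distinct = {line.split(":", 1)[1] for line in dump.splitlines() if ":" in line}
    return {pw: weak_reasons(pw) for pw in sorted(distinct) if weak_reasons(pw)}


if __name__ == "__main__":
    print("most common:", top_passwords(SAMPLE_DUMP))
    for pw, reasons in audit(SAMPLE_DUMP).items():
        print(f"{pw!r}: {', '.join(reasons)}")
```

Note what the pattern checks miss: a pet name plus a year such as the constructed `Fluffy2009` passes every rule here, which is exactly the class of password Anscombe warns about. Catching it needs knowledge of the user (or a much larger wordlist), which is why the quoted advice is to move to passphrases rather than to rely on complexity rules.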
