[Macworld]

Post your comments for Hackers publish emails, passwords from Yahoo service here

[TeaEarleGreyHot]

Sure would be nice if this story, or one of the linked stories, or one of the stories the linked stories link to, would actually give us the URL of the listing, so we could check to see if we've been compromised.

I really hate these "the sky is falling" articles that amount to not much more than scare-mongering, when the key information is omitted.

[Martian]

I absolutely do not mean to minimize the impact of this breach, but the article's stats on the number of dumb passwords do include those who have Yahoo throw-away accounts. When I log into my Yahoo account—probably twice a year—when looking for a specific response from someone I don't trust with my real email, I marvel at the over 1000 spams in the inbox.

[wardoggie]

TeaEarleGreyHot, on 12 July 2012 - 08:29 AM, said:

Sure would be nice if this story, or one of the linked stories, or one of the stories the linked stories link to, would actually give us the URL of the listing, so we could check to see if we've been compromised.

I really hate these "the sky is falling" articles that amount to not much more than scare-mongering, when the key information is omitted.

Is it possible that the website might be hacked and visiting it might open you up to more malware? Also, I am not sure this qualifies as a "sky is falling" article. The third paragraph states that the hackers are not publishing details of the hack (but some researchers have filled in some blanks). Sounds like either a hacker group trying to gain street cred or pushing the limits of gray hat hacking.

[wardoggie]

Martian, on 12 July 2012 - 09:15 AM, said:

I absolutely do not mean to minimize the impact of this breach, but the article's stats on the number of dumb passwords do include those who have Yahoo throw-away accounts. When I log into my Yahoo account—probably twice a year—when looking for a specific response from someone I don't trust with my real email, I marvel at the over 1000 spams in the inbox.

It's not just Yahoo accounts.

Quote

The exposed log-in credentials don’t only include yahoo.com email addresses, but also email addresses from other public and non-public email providers.

Edit: hit the wrong button and posted instead of previewed. Anyway, regardless of whether the account is a throwaway or not, I think the hack was intended to show a vulnerability in Yahoo's system, not reveal how many people use weak passwords.

This post has been edited by wardoggie: 12 July 2012 - 09:22 AM

[leicaman]

Regardless of their motives, the hackers should be jailed if found. They are at best hypocrites when they post people's usernames and passwords, whether the passwords are secure or not.

This post has been edited by leicaman: 12 July 2012 - 09:52 AM

[Jeremy]

"In a statement published by TechCrunch, Yahoo representatives confirmed a breach that hit the site's Contributor Network (previously Associated Content) on Wednesday. The stolen data was contained in an "older file," and only about 5 percent of the exposed credentials were still valid on Yahoo."

http://arstechnica.c...service-hacked/

And a searchable list of usernames compromised is here:

http://dazzlepod.com/yahoo/

[TeaEarleGreyHot]

Jeremy, on 12 July 2012 - 10:05 AM, said:

...Yahoo representatives confirmed a breach that hit the site's Contributor Network (previously Associated Content) on Wednesday. The stolen data was contained in an "older file," and only about 5 percent of the exposed credentials were still valid on Yahoo."

http://arstechnica.c...service-hacked/

And a searchable list of usernames compromised is here:

http://dazzlepod.com/yahoo/

Did Yahoo take any action to notify the 5%? As has been pointed out, people often use the same password elsewhere, and it is highly likely that even if 95% of the data was no longer valid on Yahoo, that it is STILL valid elsewhere, using the combination of email and password. Since Yahoo knows it was their data that was stolen, I think they have an obligation to notify their users. I don't recall that Yahoo's privacy policy indicates that when a user changes their password or closes their account, that Yahoo becomes free to publicly distribute that users private information. Doesn't their obligation to protect their users extend beyond the users affiliation with Yahoo? Imagine if your doctor suddenly felt no obligation to protect your medical files just because you quit visiting him/her and selected a new physician! It's essentially extortionist to suggest that switching doctors releases the first doc from confidentiality requirements. Similarly, switching internet companies doesn't release Yahoo from the obligation of protecting your information that they collected while you were their customer.

Thank you, Jeremy, for posting the link to the searchable list of usernames that were compromised. It should have been included in the Macworld article, IMO.

[wardoggie]

TeaEarleGreyHot, on 12 July 2012 - 10:22 AM, said:

Thank you, Jeremy, for posting the link to the searchable list of usernames that were compromised. It should have been included in the Macworld article, IMO.

Yeah, good job, Jeremy!

[izzi1s]

The only negative issue due to posting the violated email accounts is the fact that now anyone can go in there and try accessing them. Lets try "1234567" or "password". It would have just been better to only have the box where you can type your own user id vs that and the listings.

[TeaEarleGreyHot]

izzi1s, on 13 July 2012 - 06:29 AM, said:

The only negative issue due to posting the violated email accounts is the fact that now anyone can go in there and try accessing them. Lets try "1234567" or "password". It would have just been better to only have the box where you can type your own user id vs that and the listings.

Anyone can go in there.... yes... whereas you would rather the information was limited just to the criminals. Brilliant.

[wardoggie]

TeaEarleGreyHot, on 13 July 2012 - 08:36 AM, said:

izzi1s, on 13 July 2012 - 06:29 AM, said:

The only negative issue due to posting the violated email accounts is the fact that now anyone can go in there and try accessing them. Lets try "1234567" or "password". It would have just been better to only have the box where you can type your own user id vs that and the listings.

Anyone can go in there.... yes... whereas you would rather the information was limited just to the criminals. Brilliant.

Well, I think the point was that now, criminals AND people who don't have hacking skills can start to mess with the account-holders, slightly increasing the chances of mischief.