7 Lessons Learned from Yahoo’s (and Other) Password Breaches

Password breaches are not only a major headache to deal with; they also cost productivity, risk data loss, and create further security problems for individuals and businesses alike. In a recent Information Week article, author Mathew Schwartz writes, “Stop the password breach madness: If it seems as if every week brings a new password breach to light, that’s because hackers have been hard at work, releasing passwords with aplomb.”

The bottom line: hackers and cyber terrorists continue to steal passwords from some major online players, including LinkedIn, Formspring and Yahoo. Here are the highlights:

  • LinkedIn: An online attacker cracked a subset of hashed passwords from LinkedIn. The same attacker, according to reports, also stole passwords from eHarmony and Last.fm.
  • Formspring: The question-and-answer Website revealed that 420,000 of its users’ passwords were compromised. The company reset passwords for all 28 million users.
  • Yahoo: Hacking group D33Ds Company leaked approximately 450,000 passwords and e-mail addresses for Yahoo Voices. According to Schwartz, D33Ds was sending “a wake-up call” to executives at Yahoo Voices about getting serious about security.

So what could Yahoo, or any company, do to better protect its passwords? According to Schwartz, there are seven best practices to follow:

1. Confirm breaches as fast as possible. Confirming password breaches and implementing a solution should happen in less than 24 hours. Also provide details about any improvements made.

According to Yahoo spokesman Jon White, “We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users, and notifying the companies whose users’ accounts may have been compromised.”

2. Be on the lookout for fast-moving SQL injection attacks. D33Ds revealed it breached Yahoo by using a union-based SQL injection attack. “Not all SQL injection attacks are equal. Some can be more destructive than others,” said Kyle Adams at Mykonos Software (part of Juniper Networks) in a blog post.

3. Watch out for third-party security. In 2011, one Sony data breach involved hackers accessing “an outdated database from 2007.” Also, the Yahoo database was said to have come from a company acquired by Yahoo. In that case, Yahoo should have protected the acquired systems with a Web application firewall to help block SQL injection attacks.

4. Require strong passwords. According to Swedish security expert Anders Nilsson at Eurosecure, the top five most-selected passwords are “password,” “123456,” “12345678,” “1234,” and “qwerty.” But password selection becomes almost irrelevant if the password database isn’t properly secured in the first place.

5. Businesses must place priority on passwords. Any organization that stores user passwords must do a better job of making password databases secure.
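Items 2 and 5 above come down to two defensive controls: never splice user input into the text of a SQL statement, and never store passwords in a form that reads as plaintext once the table leaks. The following added example (written for this summary, not code from Yahoo, Information Week or the article's author) shows both against a constructed in-memory SQLite table; the schema, sample users and the union-shaped input are all assumptions made up for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts; the schema is invented for this example.
SAMPLE_USERS = [("alice@example.com", "correct horse"), ("bob@example.com", "battery staple")]

def hash_pw(password, salt):
    # Salted, iterated hash: a leaked table holds no directly usable plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for email, pw in SAMPLE_USERS:
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (email, salt, hash_pw(pw, salt)))
    return conn

def lookup_vulnerable(conn, email):
    # BUG (kept on purpose): the value becomes part of the statement text, so a
    # crafted value can close the quote and append a UNION that reads other rows.
    sql = "SELECT email, pw_hash FROM users WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, email):
    # Hardened form: the value is bound to a placeholder and is only ever
    # compared against the email column, whatever characters it contains.
    return conn.execute("SELECT email, pw_hash FROM users WHERE email = ?", (email,)).fetchall()

def verify(conn, email, password):
    # Login check against the salted hash, using a constant-time comparison.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(hash_pw(password, row[0]), row[1])

# Constructed input of the union-based shape the article names (toy example only).
UNION_INPUT = "nobody' UNION SELECT email, pw_hash FROM users --"

def demo():
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, UNION_INPUT)),      # every row leaks
        "parameterized_rows": len(lookup_parameterized(conn, UNION_INPUT)),  # no match, 0 rows
        "login_ok": verify(conn, "alice@example.com", "correct horse"),
        "login_bad": verify(conn, "alice@example.com", "wrong"),
    }
```

Even the leaked rows from the vulnerable lookup contain only salted PBKDF2 hashes, which is the point of item 5: the storage format limits the damage when the query layer fails.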

6. Consumers, take caution. Consumers should not trust any site that requires a password to keep that password safe. To compensate for this, consumers should use a unique password for every Website, so that a password stolen from one site cannot be reused by attackers on any other site linked to it.

7. Regulators must crack down. Fines might motivate businesses to improve security practices.

For more information about lessons learned from the Yahoo password breach, visit: http://www.informationweek.com/news/security/attacks/240003692