X

Yahoo's password leak: What you need to know (FAQ)

Yahoo is the latest online service to confirm the disclosure of passwords belonging to throngs of its users. Here's what we know -- and, more important, what you need to do to protect yourself.

David Hamilton Assistant Managing Editor, CNET News
David Hamilton is the assistant managing editor of CNET News. He has been writing and editing business and tech coverage for about two decades -- the majority of that at the Wall Street Journal in both Tokyo and San Francisco. He is a two-time winner of the Overseas Press Club award and has written for numerous magazines and blogs, including Slate, Science, VentureBeat, CBS Interactive's BNET, California Lawyer and the New Republic.
David Hamilton
6 min read
The Yahoo Contributor Network page Screenshot by David Hamilton/CNET

Updated July 13 at 12:17 p.m. PT

Yahoo has just become the latest big online service to suffer a major password breach. While the number of affected users is far smaller than in the last big exposure -- that would be the password hack at LinkedIn last month, which exposed 6.5 million user passwords -- the attack is a big black eye for Yahoo and a potential hazard to the 450,000 or so people whose log-in information is now flapping in the breeze.

So here's CNET's quick guide to the Yahoo password fumble and what you need to do.

What, exactly, went wrong?
A hacker collective calling itself D33Ds Co. publicly posted more than 450,000 log-in credentials -- i.e., paired usernames and passwords -- obtained from Yahoo's "Contributor Network" site. In that data dump, the hackers described their attack as a "union-based SQL injection," which is effectively a way of tricking the database on a poorly secured site into divulging private information.

Which, in this case, yielded a treasure trove of usernames and passwords, apparently all stored in plain text -- itself a fairly significant security failure on Yahoo's part. Passwords are usually cryptographically masked in a process called "hashing" to prevent exactly this sort of mass disclosure.

The file of usernames (predominantly e-mail addresses) and passwords, originally published on a public Web site, has since been widely distributed via BitTorrent and various file lockers across the Internet. In other words, this cat is very much out of the bag.

For what it's worth, the D33Ds hackers claim they released the information to point out lax security at Yahoo, not for malicious purposes. That said, these possibly sensitive passwords are now available to the maliciously minded across the world. So for users, it's better-safe-than-sorry time.

I've never heard of the Yahoo Contributor Network. Am I really in any danger here?
Maybe, maybe not. The Yahoo Contributor Network is, to be honest, sort of obscure. It was originally an independent site called Associated Content -- a content farm that paid users a pittance to publish their written submissions, plus a bonus for any traffic generated. (Such "low-cost content," as it's known in the biz, is basically a lure used to draw search traffic to ads displayed nearby.) Yahoo acquired Associated Content two years ago, reportedly for more than $100 million.

It's not immediately clear whose log-in credentials have been exposed. Yahoo has formally confirmed the password breach, but the online media company didn't elaborate on whose passwords were exposed. (See Yahoo's official statement below.) It does, however, seem highly likely that the exposed passwords mostly belong to Yahoo's contributors themselves -- i.e., the individuals who wrote material for either Associated Content or Yahoo.

One big hint: Quite a few of the e-mail addresses and passwords contain the word "writer." I.e., usernames such as "legalwriter5@yahoo.com" and "honestwriter@hotmail.com," and occasionally aspirational passwords such as "paidwriter" and the wistful "richwriter." Not to mention umpteen-jillion instances of the word "writer" by itself standing in as a password.

So if I've never written for the Yahoo Contributor Network, I'm safe, right?
Possibly -- but you never know.

In its official statement, Yahoo insists that the "file" the hackers "compromised" was an "older" one. (This statement itself is kind of suspect, since the hackers probably didn't just steal a particular file. More likely, they repeatedly poked a Yahoo database until it started spitting out log-in credentials. But I digress.) The company claims that fewer than 5 percent of the Yahoo passwords disclosed are currently valid.

Which all sounds reassuring enough, except that no one with a Yahoo ID has any way to know whether it might have been compromised elsewhere within the site. And, of course, you won't know until either a public-spirited group like D33Ds decides to publish your password -- or you get hacked in a more malicious fashion. (You are free to believe that the hack of the Yahoo contributor network was an isolated incident, and maybe it was. But maybe it wasn't.)

I get the sense you're leading up to something. Go on.
Yahoo's statement, however, is largely silent on the non-Yahoo ID credentials revealed in the D33Ds hack. The published file also contains a huge number of what appear to be log-in credentials for many other e-mail services, including Gmail (106,873 instances), Hotmail (55,148), AOL (25,521) and any number of ISPs (Comcast, Cox, Mindspring, etc.).

Presumably the premerger Associated Content allowed users to use e-mail addresses as their usernames, and Yahoo never forced users to change their log-in to a Yahoo ID. These days, in fact, Yahoo still allows people to sign into the contributor network via Google or Facebook IDs in addition to their Yahoo accounts.

All of which suggests that close to 300,000 people could have just seen their personal, non-Yahoo e-mail accounts compromised as well as their Yahoo accounts. They've effectively just dropped a trail of breadcrumbs to their personal e-mail, since they've identified the service, their username, and -- assuming general laziness on the part of Internet users, which is usually a safe bet -- their password.

Yahoo did say it is notifying these other companies that some of their users' account information may have been exposed. Which is better than nothing, of course.

OK, so how do I know if I'm at risk?
To be on the safe side, if you have a Yahoo ID, you should assume it's no longer secure and change its password. (I just did, and I've never visited Yahoo's contributor-network site until today.) Yahoo is also changing the passwords of affected users.

You should, however, also change other passwords if:

  • You've used the same password for any other major service -- particularly for sensitive accounts such as banking, investing, or e-mail.
  • You've ever signed into Yahoo or Associated Content with a non-Yahoo e-mail address.

Yes, it's a pain. But it only takes a few minutes, and the peace of mind is worth it. You really don't want to find your e-mail account hijacked or your bank account emptied, do you?

If you're one of those folks who likes to live dangerously, you can always call up the file of cracked credentials -- just Google "yahoo-disclosure.txt" -- and see if your e-mail or Yahoo ID is on there. (Alternatively, you can check your email address in this tool from Sucuri Labs.) But a negative result may not actually prove anything, and of course there's no way to know if your password might have been cracked and displayed elsewhere -- at least not until it's too late.

So do the smart thing. Change your Yahoo ID password and any other passwords associated with e-mail addresses mentioned here. Don't come crying to us if you play the odds and bad things happen to you anyway.

Where is Yahoo's official statement on all this?
Glad you asked. It's right here:

At Yahoo we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We confirm that an older file from Yahoo Contributor Network (previously Associated Content) containing approximately 450,000 Yahoo and other company users names and passwords was compromised yesterday, July 11. Of these, less than 5 percent of the Yahoo accounts had valid passwords. We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users and notifying the companies whose users' accounts may have been compromised. We apologize to all affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com.

I understand Yahoo has just given the all-clear on this password leak. Is that correct?
It is correct, at least so far as such statements go. Here is Yahoo's July 12 statement, which confirms some of my earlier speculation:

Yahoo recently confirmed that an older file containing approximately 450,000 e-mail addresses and passwords was compromised. The compromised information was provided by writers who had joined Associated Content prior to May 2010, when it was acquired by Yahoo. (Associated Content is now the Yahoo Contributor Network.) This compromised file was a standalone file that was not used to grant access to Yahoo systems and services.

We have taken swift action and have now fixed this vulnerability, deployed additional security measures for affected Yahoo users, enhanced our underlying security controls, and are in the process of notifying affected users. In addition, we will continue to take significant measures to protect our users and their data.

If you joined Associated Content prior to May 2010 using your Yahoo e-mail address, please log in to your Yahoo account, where you may be prompted to answer a series of authentication questions to change and validate your credentials.