On the morning of July 14th, a Saturday, I woke up to find three successive emails in my Gmail inbox. The first, received at 1:56 am, came from the movie site IMDb. The second, sent almost exactly an hour afterwards, was from Yahoo. The third was from Twitter, and it arrived at 3:02 am, just three minutes after Yahoo’s missive. From the subject lines alone, it was pretty clear what had happened.
Days earlier, Yahoo Voices — essentially a content farm that pays users to write short articles for venues such as Yahoo Movies and Yahoo Lifestyle — had suffered a serious security breach. A group of hackers calling themselves the “D33Ds Company” used a relatively simple SQL injection exploit, inserting database instructions in unprotected places, to generate a plain text file containing 453,000 email / password pairs.
I’d read the headlines about the attack when it happened, but hadn’t bothered to look any further, assuming — as most people would — that I wasn’t affected. I’d never signed up for a Yahoo Voices account, so there didn’t seem to be much reason to care. What I didn’t realize was that Yahoo Voices is not an original venture — launched last year, it’s little more than a rebrand of Associated Content, a service acquired by Yahoo in 2010, and which I’d registered for back in 2007. By hook or by crook, the hackers had me.
There’s something viscerally upsetting about seeing your supposedly bulletproof password up in lights
Being investigative by nature (and somewhat paranoid by nurture), I spent the next twenty minutes trying to track down the leaked list. Three days since the initial breach, this wasn’t a particularly arduous task — while the news reports were reluctant to link to the 17MB text file directly, D33Ds Company had a handy site offering a direct link for download. When that went down from the massive levels of traffic, BitTorrent quickly stepped in to fill the gap, as did sites such as Pastebin and Gett, where the entire file is still available.
There’s something viscerally upsetting about seeing your supposedly bulletproof password up in lights, sandwiched between lame phrases like "iloveyou," "publishing" and "babymarvin." This is a word that is supposed to be completely invisible, never printed. Hashed and salted and stored away in some far away data center, it exists, for all intents and purposes, only in the mind of its creator — even when he or she types it in, the only thing that shows up is a small line of anonymous asterisks.
Unfortunately, my password wasn’t quite as secure as I’d hoped. According to Yahoo’s apologetic email, innocuously titled "Notice Regarding Your Associated Content/Yahoo Contributor Network Account," the password dump came from "a standalone file that was not used to grant access to Yahoo systems and services." It’s difficult to understand why Yahoo felt the need to keep an unencrypted list of old email / password pairs — most likely, it was an oversight. But for me and for roughly 450,000 other users, it’s meant a lot of worry.
Even when you know all the rules of password security — always use a combination of uppercase and lowercase letters, numbers, and symbols; avoid dictionary words and meaningful number combinations; above all, never use the same password twice — it’s remarkably easy to consider yourself above it all. For someone who’s never had the stove-touching experience of having a password hacked or leaked, it can be incredibly difficult to work up the will to care — there’s always that familiar word hanging around in the back of your mind and in the muscle memory of your fingers, just aching to be typed. Sure, you used it to sign up for the beta of that new app the other day, but they looked like they had their security under control. Maybe it’s the old password from kool_dude_420@hotmail.com, but you never use that address these days, so what’s the harm?
My word was a patently stupid one: "sports5509betting." Predictably enough, it was the password I used to sign up for the online betting exchange Betfair back in 2007. I’m not particularly interested in sports or betting — I registered the account to place a quick bet on some long-forgotten political event, possibly the Liberal Democrat leadership election in the UK — and the string was conjured out of the prominent words on the signup page, mixed with a number that used be the PIN code for my debit card. (They don’t call me Mr. Security for nothing.)
I wouldn’t be surprised if this password was flagged as “strong” or “secure”
Anyone can see that it’s not a great password. As a classic XKCD issue points out, dictionary words often get an unnecessarily bad rap in the security world, but using just two of them is never going to be particularly effective, even discounting the possible dangers of their being so closely related by semantics. There are no uppercase characters, no symbols, and the numbers come in a solid chunk right between the words. I wouldn’t be surprised if this password was flagged as "strong" or "secure" by Betfair’s built-in checker, but these systems are notoriously unreliable — a blog post from Dropbox engineer Dan Wheeler shows just how inconsistent they can be when confronted by objectively strong passwords that don’t conform to traditional security maxims.
Still, in this case, strength was practically irrelevant. When your password is leaked in plain text, it doesn’t matter whether it’s "password123" or "hj^U£%3ci6gtG&3i876c3GUy" — either way, you’ve got a problem. Thankfully, my foolish reuse of "sports5509betting" was confined to a relatively small number of sites which I’d registered for at around the same time as Betfair. For the most part, it’s a pretty unimportant list: IMDb, AbeBooks, Grooveshark, the Financial Times, the Penguin Books press office, a forum about online poker, and a handful of free hosting providers — but there was one major outlier.
Though I’ve only been tweeting seriously since March 2011, by which point my understanding of password security was slightly more sophisticated than pick-a-few-words-off-the-signup-page, I first registered for Twitter all the way back in April 2007. This makes for a pretty impressive HowLongOnTwitter.com score and a pretty insecure account. Thankfully, I used a separate password for my TweetDeck profile than I did for Twitter itself, meaning that accounts run by various former employers — @psbook, @strategyeye, @webdev360com — remained safe. When Wired's Mat Honan got hacked earlier this month, he wasn’t quite so lucky.
I have no way of knowing whether my Twitter account was accessed
I have no way of knowing whether my Twitter account was accessed. I know that there were approximately three days between the leak and my password being reset, and I know that there were 453,000 juicy email / password pairs for a would-be attacker to choose from, but I have no idea how these numbers fit together. How many people are there with the time and inclination to trawl through hundreds of thousands of login details? Is Twitter even a worthwhile target for a busy scammer? I may have a few embarrassing direct messages stored away in my inbox, but I certainly don’t have any credit card details. Even so, it’s a worrying thought.
As I mentioned at the start of this piece, I first became aware that my password had been leaked when I received a trio of emails — two messages from IMDb and Twitter notifying me that my accounts had been reset and an embarrassed apology from Yahoo. From the timing, it was clear that the three sites had coordinated their efforts. Unfortunately, collaboration creates problems for anyone interested in finding out exactly how the murky business of account security actually works.
If tech companies are reluctant to speak publicly about their own security policies, they’re doubly reluctant to do so when other businesses are involved. Commenting on another company’s data breach opens the door to questions about their handling of the incident, questions which can all too easily lead to accidental grandstanding or embarrassing statements by junior employees. When I asked a Twitter spokeswoman about the incident, she was, understandably, unwilling to provide any information beyond the most basic details of the company’s security practices.
Even Amazon-owned AbeBooks, who managed to send out a password reset email more than 24 hours before Twitter, were reluctant to talk. Not having used my AbeBooks account for a number of years, I passed over their message — titled "Your AbeBooks Account – Important Update Required" — without really noticing it on July 13th, mentally filing it as one of the dozens of update and info emails that my primary account gets on a weekly basis. But, in many ways, AbeBooks’s security efforts were more diligent and effective than those of any other site.
I can’t help but blame the developers and sysadmins who failed to apply rudimentary encryption to a huge list of passwords
"As part of our routine monitoring, we discovered a list of email address and password sets posted online," read the email. Though an AbeBooks spokesman refused to comment on what exactly this "routine monitoring" involves, it seems clear that the site’s security team proactively checks for major password dumps and runs the leaked data up against their own records to identify matches. From a PR perspective, this sort of monitoring is a risk — for every user grateful for having their account secured, there’s likely to be one who misreads the email and blames the whole incident on the messenger. Still, you can’t fault AbeBooks’ motives, and its modest refusal to talk about the process is another mark in its favor.
It’s difficult not to contrast this sort of diligence with the apparently lax security efforts at Yahoo that caused the problem in the first place. As a victim, I can’t help but blame the developers and sysadmins who failed to apply rudimentary encryption to a huge list of passwords far more than the hackers who made the list public. Scouting around the D33Ds Company website in search of a contact link, I stumbled upon a hastily drawn-up statement about the leak — it’s hardly eloquent, but it’s oddly touching in its media naiveté, and says a lot about the group’s ethos.
"We didn't expect to get this much attention," reads the plea — "our sole purpose was to show the public how companies as big as Yahoo handle your personal data. We are sorry if any person(s) was affected by this, but it’s truly shocking passwords are stored in ‘Plaintext’ and proof was provided." The statement ends by criticizing Yahoo’s slowness to patch the issue, accusing the company of "only act[ing] whenever there’s media attention on [their] head."
I’ve felt the force of the blow, but have no bruises or broken bones to show for it
When I got in touch with "TiGER-M@TE," one of the group’s co-founders, I was offered a similar sentiment. "We really focus on finding vulnerabilities in very well known websites / companies," he explained. "Yahoo was a common target for us." He took pains to stress that the group didn’t benefit financially or otherwise from the leak: "We wouldn't expose this, but we felt like people should see what is Yahoo doing with their private information. We released to the public because we wanted other companies to raise awareness, and not for self profit or self gain."
Just over two months after LinkedIn’s embarrassing password slip-up, D33Ds’ is a message that any company in charge of large amounts of private data needs to hear. When a user creates a password, they’re also creating a contract with whichever website or service they’re using, and the security of that password is a shared responsibility. Just as the user is responsible for picking a relatively strong phrase, difficult for an attacker to crack through guesswork or brute force, the host is responsible for storing that phrase in a safe and secure manner. When one party reneges on their end of the deal, it creates problems for both sides.
Ultimately, I’ve been lucky — the Yahoo Voices breach has given me a valuable lesson in online security without the intense pain of having my bank account emptied, or even the mild annoyance of having my Twitter account hijacked. Seeing my unencrypted password pasted across half the internet, I’ve felt the force of the blow, but have no bruises or broken bones to show for it. It’s a little embarrassing to admit how often I reused such a lightweight phrase, but, then again, it was five years ago, and I like to think I’ve become somewhat more creative since then.
Whether my 453,000 fellow-travellers have been as fortunate is another question. What most worries me is the breakdown of both sides of the user-host contract. Yahoo has failed its users in letting their passwords become public — but what actually are those passwords? Taking a page of the file at random: "william," "cocacola," "hanssolo," "steelers," and, you guessed it, "password." In an odd twist of fate, one security issue has shown up another hiding in plain sight.
The failure to protect a database containing hundreds of thousands of passwords is a blunder immeasurably greater than picking an individually bad phrase, but this doesn’t mean that the latter isn’t a blunder all the same. The only way that fraud, cybercrime and plain old griefing are ever going to be seriously tackled is through an eradication of complacency on both sides of the equation. With users like these, who needs hackers?
ß