
How the hackerz hack u

In this case, Yahoo stored its Contributor Network usernames and passwords in plain text, which means the login credentials were immediately intelligible to anyone who broke in.
Security experts say they can tell that the credentials were stored without encryption because many were too long to crack using brute-force techniques.
"Yahoo failed fatally here," said Anders Nilsson, security expert and chief technology officer of Scandinavian security company Eurosecure. "It's not just one specific thing that Yahoo mishandled -- there are many different things that went wrong here. This never should have happened."
Nilsson said Yahoo screwed up on three fronts: The site should have been built more robustly, so it wouldn't have been susceptible to something as simple as a SQL attack. It should have secured users' log-in information, and it should have put the equivalent of trip-wires in place to set off alarm bells when such an easily noticeable break-in occurred.
"I mean, this is Yahoo we're talking about," Nilsson said. "With the security policies it has in place for its other sites, it should have known to at least put up a firewall to detect these kind of things."
Since many people reuse their passwords across multiple websites, Yahoo's security lapse means that all those users' logins are potentially at risk. Even robust passwords are at risk -- the longest password captured in the attack was 31 characters long, which is considered fairly ironclad. However, that password is now attached to an e-mail address and out in the wild for the world to see.
In a written statement, Yahoo said it takes security "very seriously" and is working to fix the vulnerability in its site. It called the captured password list an "older" file, but didn't say how old it was.
The company said it is in the process of changing the passwords of the affected Yahoo users and notifying other companies of their users' compromised accounts.
"We apologize to affected users," the company said in its statement. "We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com."
Yahoo did not respond to a request for comment on why the passwords were stored in plain text.
Yahoo's Contributor Network is a small subsection of Yahoo's enormous network of websites. It consists of a group of freelance journalists who write content for a Yahoo site called Yahoo Voices. The Contributor Network was created last year as an outgrowth of Yahoo's 2010 purchase of Associated Content.
The stolen database predated Yahoo's Associated Content purchase, according to Joseph Bonneau, a Cambridge University researcher who once worked with Yahoo on a password analysis study. He no longer has any official relationship with the company.
"Yahoo can fairly be criticized in this case for not integrating the Associated Content accounts more quickly into the general Yahoo login system, for which I can tell you that password protection is much stronger," Bonneau said.
In a statement appended to the list of stolen credentials, the hackers said that their aim was to scare Yahoo into beefing up its defenses.
"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call," they wrote. "There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly."
The Yahoo hack comes a month after more than 6 million passwords were stolen from several sites including LinkedIn (LNKD) and eHarmony. In that case, the passwords were hashed, but the hashes were not salted -- a weak storage scheme that security experts have been warning against for years.
Though Yahoo is generally viewed as following industry best practices, some security experts were startled when the University of Cambridge's Bonneau was given 70 million Yahoo passwords by the company for analysis earlier this year.
If Yahoo had used a cryptographic "hash" together with "salt" randomization -- both standard security measures -- the company would not have been able to just send along a list of passwords, they pointed out.
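To make the three storage schemes the article contrasts concrete (plain text as in the Contributor Network file, an unsalted hash as at LinkedIn, and a salted slow hash), here is an added example that is not part of the article and not Yahoo's or LinkedIn's code. It stores a few constructed sample credentials each way and shows two consequences: identical passwords remain visible as identical records in the first two schemes, and a small precomputed table of common-password hashes matches the unsalted records in one lookup but matches nothing in the salted store. SHA-1 stands in for "an unsalted hash" and PBKDF2-HMAC-SHA256 for "a salted slow hash"; the user names, passwords, and the small dictionary are all constructed.

```python
import hashlib
import hmac
import os

# Constructed sample credentials; two users share a common password on purpose.
USERS = {
    "alice": "sunshine1",
    "bob": "sunshine1",
    "carol": "a-31-character-passphrase-here!",
}

# Constructed "common passwords" list an attacker might precompute hashes for.
COMMON_PASSWORDS = ["123456", "password", "sunshine1", "qwerty"]


def store_plaintext(password):
    """Scheme 1: the password itself is the record (what the article describes)."""
    return password


def store_unsalted_hash(password):
    """Scheme 2: a plain hash with no per-user salt (SHA-1 as an illustration)."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted_pbkdf2(password, salt=None, iterations=100_000):
    """Scheme 3: a random 16-byte salt plus an iterated hash, stored together."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted_pbkdf2(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicates_visible(records):
    """True if two users with the same password produce the same stored value."""
    values = list(records.values())
    return len(values) != len(set(values))


def lookup_table_hits(records, store_fn):
    """Precompute store_fn over the common list once, then match every record
    by dictionary lookup. Salting defeats this because the table would need
    one entry per (password, salt) pair."""
    table = {store_fn(p): p for p in COMMON_PASSWORDS}
    return {user: table[value] for user, value in records.items() if value in table}


def demo():
    plain = {u: store_plaintext(p) for u, p in USERS.items()}
    unsalted = {u: store_unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: store_salted_pbkdf2(p) for u, p in USERS.items()}
    return {
        "plaintext_duplicates": duplicates_visible(plain),
        "unsalted_duplicates": duplicates_visible(unsalted),
        "salted_duplicates": duplicates_visible(salted),
        "unsalted_table_hits": lookup_table_hits(unsalted, store_unsalted_hash),
        # Lookup over the salted store with a fresh random salt per table entry
        # never matches, since each user's record was made with its own salt.
        "salted_table_hits": lookup_table_hits(salted, store_salted_pbkdf2),
        "salted_verify_ok": verify_salted_pbkdf2("sunshine1", salted["alice"]),
        "salted_verify_bad": verify_salted_pbkdf2("sunshine2", salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Only the third scheme leaves the site holding something it cannot hand over as "a list of passwords": the stored record lets the site verify a login, but recovering the password from it means grinding through guesses per user, with the salt ruling out a shared precomputed table and the iteration count making each guess expensive.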
"It's very weird," said Nilsson. "They shouldn't be able to do that."
Yahoo did not reply to requests for comment on how the company's passwords are stored.
