Saturday, July 21, 2012

Half a million clear text passwords hacked on Yahoo

Recently it was reported that Yahoo had almost a half a million passwords hacked.  That is bad enough, but what is worse is that the hack exposed clear text passwords!  Really???  To quote tennis great John McEnroe. "You can't be serious!"

I understand that the code came from a company they acquired but that doesn't matter at all to me and is simply no excuse.  To me, that only strengthens the case for short selling the stock (not to mention 5 CEO's in 5 years)...  They clearly didn't do any technical due diligence.  While a full blown review of the code they were buying might have been overkill, you sure do think they would have found that the passwords were being stored in clear text...

Unfortunately password hacks seems to have been a theme lately (i.e. LinkedIn, eHarmony, etc.).   LinkedIn got a lot of grief for not salting their password hash. Apparently these developers aren't even advanced enough to know how to hash a password let alone salt it. 

A whole host of questions pop into my mind after reading this.  Here are a few.

  • Do you know what your cloud vendor is doing?  
  • Are they storing your password hashed? 
  • Is your sensitive data (i.e. credit card numbers) stored encrypted? 
  • Do they have off-site back up that is encrypted?  
  • Are their employees screened? 

Link to posting on CNN Yahoo

1 comment: