The Latest in IT Security

Analysis of Yahoo Voice Password Leak – 453,441 Passwords exposed

12 Jul 2012

We recently heard that a massive leak of Yahoo passwords has been floating around the interwebs for a few days. According to Ars Technica, the dump is from Yahoo Voice and the full data was released in clear text (yes, clear text in 2012). It seems they were not storing the passwords securely.

We got access to the dump and we can confirm that this leak is valid. We cannot confirm it is from Yahoo, because the password analysis does not have many “yahoo’s” in it (we explain later). However, we recommend that all Yahoo users change their passwords ASAP, especially on other services where you are reusing passwords. Better safe than sorry.

Yahoo Leak Analysis – Overview

The link contains the passwords for 453,411 Yahoo Voice accounts, of which 342,481 are unique.

Unique accounts: 453,411
Unique passwords: 342,481

The accounts are from multiple email providers, including Yahoo, Gmail, Hotmail and others. These are the domains with the most accounts:

135599 yahoo.com
106185 gmail.com
54393 hotmail.com
24677 aol.com
8422 comcast.net
6282 msn.com

There are also passwords from multiple .GOV and .MIL addresses, which can be very dangerous if their users were reusing passwords:

[number of accounts] [domain]
160 us.army.mil
64 gamil.com
28 navy.mil
18 usmc.mil
5 education.nsw.gov.au
4 jocogov.org
3 utah.gov
3 usdoj.gov
3 ssa.gov
3 schools.nyc.gov
3 ky.gov
3 irs.gov
3 gsa.gov
3 dc.gov
2 va.gov
2 usps.gov
2 tucsonaz.gov
2 salemct.gov
2 police.vic.gov.au
2 okc.gov
2 nasa.gov
2 mt.gov
2 med.va.gov
2 hud.gov
2 ed.gov
2 dmh.mo.gov
2 dhs.gov

Leak Analysis – Password Analysis

A lot of users were using weak passwords, with “123456” and “password” being the most common. These were the most used passwords:

[number of accounts] [password]
1666 123456
780 password
437 welcome
333 ninja
250 abc123
222 123456789
208 12345678
205 sunshine
202 princess
172 qwerty
164 writer
162 monkey
161 freedom
160 michael
160 111111
140 iloveyou
139 password1
134 shadow
133 baseball
132 tigger
131 1a1a1a1b
126 success
121 blackhatworld
111 jordan
110 whatever
109 michelle
107 dragon
106 superman
106 purple
106 1234567
103 ashley
101 associated
101 123123
100 ginger
100 babygirl
99 maggie
98 computer

Yes, it is a sad day when you see users using “password” and “123456” as their account passwords.

The size distribution is interesting, with 26% of the accounts using a password 7 characters long.

1 character: 116 accounts
2 characters: 69 accounts
3 characters: 301 accounts
4 characters: 2,747 accounts
5 characters: 5,322 accounts
6 characters: 65,600 accounts
7 characters: 119,125 accounts
8 characters: 65,957 accounts
9 characters: 54,755 accounts
10 characters: 21,218 accounts
11 characters: 21,729 accounts
12 characters: 2,656 accounts

I can’t see why Yahoo would allow passwords so small (with 1 or 2 characters), but some people were using them. The longest password in the dump had 30 characters and only 294 accounts had a password with more than 20 characters.

What is interesting is that only 104 accounts had “yahoo” as part of the password. That’s strange, since we would expect this number to be a lot higher on a Yahoo leak:

[number of accounts] [password]
8 yahoo
7 yahoo123
6 yahoomail
4 yahoos
4 yahoo1
3 yahooman
2 yahooo
2 yahoocom
2 yahoo111
2 yahoo009
1 yahooyourself12
1 yahooyahoo
1 YAHOOWIISOL
1 yahoous

Because of that we can’t confirm the dump is indeed from Yahoo, but it is interesting nonetheless. We will post more details when we have them.
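The statistics in this post (unique counts, accounts per domain, most used passwords, length distribution, and passwords containing the service name) can be computed in one pass over a credential list. The script below is an added example, not code from the original post: it assumes one email:password record per line, which the post does not show, and runs on constructed sample records; the names analyze, SAMPLE and brand are hypothetical.

```python
from collections import Counter

# Constructed sample records (not taken from the real dump). The
# "email:password" line format is an assumption; the page does not show it.
SAMPLE = """\
alice@yahoo.com:123456
bob@gmail.com:password
carol@YAHOO.com:123456
dave@hotmail.com:yahoo123
erin@us.army.mil:s3cret:with:colons
frank@gmail.com:sunshine
this line is malformed
grace@aol.com:a
"""

def analyze(text, brand="yahoo", top=3):
    """Return the summary statistics described in the article."""
    domains, passwords, lengths = Counter(), Counter(), Counter()
    accounts, skipped = set(), 0
    for line in text.splitlines():
        # Split on the first colon only: passwords may contain ':'.
        email, sep, pw = line.partition(":")
        user, at, domain = email.rpartition("@")
        if not (sep and at and user and domain and pw):
            skipped += 1                  # count malformed records, do not guess
            continue
        accounts.add(email.lower())
        domains[domain.lower()] += 1      # domains are case-insensitive
        passwords[pw] += 1                # passwords are case-sensitive
        lengths[len(pw)] += 1
    total = sum(passwords.values())
    return {
        "records": total,
        "unique_accounts": len(accounts),
        "unique_passwords": len(passwords),
        "top_domains": domains.most_common(top),
        "top_passwords": passwords.most_common(top),
        "length_share": {n: round(100 * c / total, 1) for n, c in sorted(lengths.items())},
        "brand_in_password": sum(c for p, c in passwords.items() if brand in p.lower()),
        "gov_mil": sum(c for d, c in domains.items() if d.endswith((".gov", ".mil")) or ".gov." in d),
        "skipped": skipped,
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

The same counters can feed a registration-time blocklist: the most common passwords and the shortest lengths are the ones to reject first.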
