
Friday, July 13, 2012

Report: Half a Million Yahoo User Accounts Exposed in Breach



By Kim Zetter

Hackers have published half a million login credentials for what appear to be Yahoo Voices user accounts that were stolen from a server.

More than 453,000 login credentials were posted by a hacking group calling itself D33Ds Company, who say the credentials were stored in plaintext, an amateur security blunder. The hackers said, in a note posted online, that they used a SQL injection attack to grab the credentials, but did not say from which Yahoo service they were taken “to avoid further damage.”

But based on a hostname (dbb1.ac.bf1.yahoo.com) that the hackers left in the data they posted, researchers have concluded that the credentials appear to have been stolen from Yahoo Voices, a user-generated content service and blogging platform that was formerly part of Associated Content. Yahoo Voices claims on its website that it has “more than 600,000 contributors and growing.”

“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat,” the hackers wrote in a note accompanying their disclosure. “There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”

The page where the hackers originally published the credentials is not currently available, but the credentials have also been posted in a searchable format at Dazzlepod.com, with the passwords redacted. Users who find their credentials on the list can send an email to Dazzlepod requesting that their credentials be removed from the online list. A spokesperson at Dazzlepod, which published the credentials early Thursday morning, says their site has received more than 120 removal requests from account holders so far.

Yahoo said in a statement that it is investigating the breach claim. The breach is the latest in a rash of credential breaches that have occurred in the last few months involving unsecured servers and unencrypted credentials. LinkedIn, eHarmony and Last.fm have all been victims of similar breaches lately.

The attacks highlight the danger of re-using passwords at different websites, as hackers can mine the data and attempt to use the same credentials with more sensitive accounts that users may have, such as online banking and e-mail accounts.

Thursday, May 24, 2012

iPads could scan palms for passwords




By Matt Liebowitz

Like palm-activated ATMs and retina-scanning smartphones, tablet computers like the iPad may soon authenticate their rightful users by reading the unique movement of their hands, not their passwords.

Napa Sae-Bae, a doctoral student at the Polytechnic Institute of New York University, is working to build an app that, using multitouch sensors, will biometrically authenticate tablet users' hand gestures. Her goal, she told NextGov, is for the tablet device to recognize its owner's specific biological traits — their hand shape and finger length, for example — and use those unique characteristics, which do not change, to replace passwords, which run the risk of being cracked.

Although she says it will be at least a year before her app is ready, Sae-Bae has already developed an iPad app that asks users to make gestures on a touch screen, such as rotating an open palm and opening a closed fist, in order to verify their identity. The hand sensor technologies she's using are currently available and already used, in different capacities, on iPads and Android tablets.

She also built a biometric-analyzing algorithm that will be the technological basis of the app; in experiments with 34 people, she achieved a 90 percent accuracy rate in authenticating the hand movements made by each participant, NextGov said.

Sae-Bae's work falls in line with other advancements in biometric authentication that have made headlines in recent months, both for the consumer market and for the government. As part of its human measurements and signatures intelligence (human MASINT) program, the U.S. Air Force has expressed interest in developing security cameras that can detect a suspect's age and ethnicity, and even whether that person is a terrorist smuggling a bomb.

Last month, a Japanese bank announced that beginning in September, it would equip 10 ATMs with biometric sensors that read customers' palms for identity verification.