Rash of data thefts emphasize need for strong user passwords

updated 12:30 am EDT, Fri July 13, 2012

Yahoo, Phandroid break-ins expose well over 1 million users

Several significant data breaches have occurred over the last several days, and criminals have also very recently begun using previously stolen data, a reminder to users that security on e-commerce sites is not solely in the hands of the merchant. Yahoo Voices experienced a break-in in which more than 400,000 email and plain-text password combinations were leaked onto the internet. Additionally, the million-strong user database of Android news and community site Phandroid is potentially out in the open as well. Best Buy is currently seeing user credentials harvested from previous break-ins being used to fraudulently purchase easily cash-convertible items, such as Xbox Live or PlayStation Network code cards.

Yesterday's reveal of 400,000 users' credentials from Yahoo Voices joins Phandroid's hack exposing over a million of its users' information, Formspring's breach of 420,000 users, and retailer Billabong losing control of 35,000 plain-text passwords, all in less than a week. While the Yahoo and Billabong breaches involved only user emails and plain-text passwords, the Phandroid and Formspring attacks included user names, email addresses, hashed passwords, and IP addresses.

While the forum administrator for Phandroid believes that the attack was just an email harvesting attack, the data was still released, and it can be used in conjunction with other breaches to see whether a given email address is using the same password on more than one site. Once an email address is tied to a specific, repeated password, it becomes a simple matter to attack e-commerce sites using the duplicated credentials and the credit card information stored behind them.
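The cross-referencing described above is the same computation a merchant can run defensively, which is what Best Buy's "we have disabled your current password" step amounts to. The following Python is an added example, not code from the article or from any of the companies named: it parses a constructed plain-text dump, re-hashes each leaked password with the matching local account's own salt, and returns the accounts that must be force-reset. The dump contents, the local user list and the PBKDF2 parameters are all constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample of a leaked "email:password" plain-text dump (not real data).
LEAKED_DUMP = """\
alice@example.com:Summer2012
bob@example.com:letmein
carol@example.com:Tr0ub4dor&3
dave@example.com:password1
"""

# Constructed plain-text passwords for the merchant's own users, used only to
# build a salted-hash store for the demo; a real site never keeps these.
LOCAL_USERS = {
    "alice@example.com": "Summer2012",      # reused the leaked password
    "bob@example.com": "bobs-other-pass",   # different password here
    "carol@example.com": "Tr0ub4dor&3",     # reused the leaked password
}


def parse_dump(text):
    """Parse 'email:password' lines; the password may itself contain ':'."""
    creds = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        creds[email.strip().lower()] = password
    return creds


def hash_password(password, salt, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256, a slow hash suitable for storing passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_store(users):
    """Build the merchant's credential store: email -> (salt, digest)."""
    store = {}
    for email, password in users.items():
        salt = os.urandom(16)
        store[email] = (salt, hash_password(password, salt))
    return store


def find_reused(leaked, store):
    """Return local accounts whose password equals the leaked one for the same email.

    Each candidate is verified by re-hashing the leaked password with that
    account's own salt, so the merchant never needs plain text on its side.
    """
    hits = set()
    for email, leaked_pw in leaked.items():
        entry = store.get(email)
        if entry is None:
            continue  # not one of our customers
        salt, digest = entry
        if hmac.compare_digest(hash_password(leaked_pw, salt), digest):
            hits.add(email)
    return hits


def accounts_to_reset():
    """Emails whose current password should be disabled and reset."""
    return find_reused(parse_dump(LEAKED_DUMP), make_store(LOCAL_USERS))


if __name__ == "__main__":
    for email in sorted(accounts_to_reset()):
        print(f"force reset: {email}")
```

An attacker holding two plain-text dumps does the same join as a plain dictionary intersection with no hashing at all, which is why a single reused password is enough to compromise every site where it was used.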

The news comes at the same time that Best Buy's website is seeing a rash of passwords stolen a year ago being used to attack accounts. An email sent to Best Buy customers warned that the company was "currently investigating increased attempts by hackers around the world to access accounts on and other online retailers' e-commerce sites."

"These hackers did not take username/password combinations from any Best Buy systems; they appear to be using combinations taken elsewhere in an attempt to gain access to accounts," the email continued. "We are taking action now to help protect your account; we have disabled your current password and ask that you take a few minutes to reset it."

Last year, Best Buy had customer information, said to be limited to email addresses, stolen through its association with Epsilon, an email marketing service firm. On the Best Buy discussion forums, some users report having their accounts used fraudulently even though they had not reused their credentials elsewhere, which calls into question Best Buy's and Epsilon's explanation from a year ago.

Microsoft maintains a page on best password practices, and analysis of the exposed Yahoo passwords suggests that few people are following it. According to the site, passwords of eight or more characters that mix punctuation, symbols, capitalization, and numbers are best. A password shouldn't be used for more than one service. Passwords containing dictionary words, or personal identifying information such as birth dates, Social Security number fragments, or similar data, should be avoided. Android, iOS, OS X and Windows all have password management tools that allow for truly random password generation and storage.
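The rules listed above, as an added Python example rather than anything from the article or from Microsoft's page: `violations()` reports which of the rules a candidate password breaks, `generate_password()` draws a password from the operating system's CSPRNG and retries until it passes the same policy, and `length_histogram()` makes the kind of tally of a leaked dump that produced the "117 one-character passwords" observation in the comments. The word list, the personal data, and the reading of "mixed" as at least one lowercase, uppercase, digit and punctuation character each are all assumptions made for the demo.

```python
import secrets
import string
from collections import Counter

# Constructed stand-ins for a real dictionary and for a user's profile data.
DICTIONARY = {"password", "welcome", "summer", "monkey", "dragon", "letmein"}
PERSONAL = ("1985", "0714", "smith")  # birth year, SSN fragment, surname (constructed)


def violations(pw, personal=PERSONAL, dictionary=DICTIONARY, used_elsewhere=()):
    """Return the rules from the article that the password breaks (empty list = OK)."""
    problems = []
    if len(pw) < 8:
        problems.append("fewer than 8 characters")
    # "Mixed" is interpreted here as one of each: lower, upper, digit, punctuation.
    classes = {
        "lowercase": any(c.islower() for c in pw),
        "uppercase": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "punctuation": any(c in string.punctuation for c in pw),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"no {name} character")
    lowered = pw.lower()
    for word in dictionary:
        if len(word) >= 4 and word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    for item in personal:
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal data '{item}'")
    if pw in used_elsewhere:
        problems.append("already used on another service")
    return problems


def generate_password(length=16, personal=PERSONAL, dictionary=DICTIONARY):
    """Random password from the OS CSPRNG, regenerated until it passes the policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    rng = secrets.SystemRandom()
    while True:
        # Guarantee one character from each class, fill the rest, then shuffle
        # so the guaranteed characters do not sit in predictable positions.
        chars = [
            secrets.choice(string.ascii_lowercase),
            secrets.choice(string.ascii_uppercase),
            secrets.choice(string.digits),
            secrets.choice(string.punctuation),
        ]
        chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if not violations(candidate, personal, dictionary):
            return candidate


def length_histogram(passwords):
    """Count passwords by length, the kind of tally made of a leaked dump."""
    return dict(Counter(len(p) for p in passwords))


if __name__ == "__main__":
    for sample in ("a", "Summer2012", "Tr0ub4dor&3"):
        print(sample, "->", violations(sample) or "OK")
    print("generated:", generate_password())
```

Two cautions: the dictionary check is a plain substring match, so it misses leetspeak variants such as "p4ssw0rd" unless those are added to the list, and the "already used on another service" rule can only be enforced if the caller supplies that history, which is exactly what a password manager is for.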

by MacNN Staff



  1. daqman

    Junior Member

    Joined: 09-15-00

    The title of this article seems to be at odds with the content. The title is:

    "Rash of data thefts emphasize need for strong user passwords"

    The article seems to then talk about how passwords stolen via security breaches are being used to gain access to accounts. While a strong password is essential it is as good as no password at all if the service provider has lax security that allows your credentials to be stolen as part of a wider breach.

    There has been a push by many companies to make life simpler for the user by having a single sign on for multiple services. The problem with this is that the whole system is now as weak as the weakest link. For example, you can have a very secure point of sale system with SSL only access from the web and strong passwords but that is no good if you force the customer to use the same password for an email service that sends the passwords in plain text. Apple has slipped this way with the single Apple ID being used for everything. I would much rather have things that need my payment info, iTunes and App stores, secured by a different password than the one I use 1000 times a day for email, calendar etc etc.

  2. SockRolid

    Forum Regular

    Joined: 01-21-10

    Gruber posted that of the 400k Yahoo passwords cracked, 117 of them were one character long. You do that and you're asking for somebody to hack your account(s).

  3. SockRolid

    Forum Regular

    Joined: 01-21-10

    And shame on Yahoo for even allowing passwords less than, say, 10 characters (with at least two mandatory numerical digits or punctuation characters) in the first place!
