Analysis of Yahoo Voice Password Leak – 453,441 Passwords Exposed

We recently heard that a massive leak of Yahoo passwords has been floating on the interwebs for a few days. According to Ars Technica, the dump is from Yahoo Voice and the data was released in clear-text (yes, clear text in 2012). It seems they were not storing the passwords securely.

We got access to the dump and we can confirm that this leak is valid. We can not however confirm it is from Yahoo, the password analysis does not have many “Yahoo’s” in it (we’ll explain later).

That said, we recommend all Yahoo users to change their passwords ASAP! Specially on other services that you are reusing the same passwords. Better safe than sorry.

*You can check here if your account was part of the leak: http://labs.sucuri.net/?yahooleak

Yahoo Leak Analysis – Overview

The link contains passwords for 453,411 Yahoo Voice accounts, from which 342,481 are unique.

Unique accounts: 453,411
Unique passwords: 342,481

The accounts are from multiple email providers, including Yahoo, Gmail, Hotmail and others. This is the list of where most accounts were:

135599 yahoo.com
106185 gmail.com
54393 hotmail.com
24677 aol.com
8422 comcast.net
6282 msn.com

There are also passwords from multiple .GOV and .MIL addresses, which can be very dangerous if their users were reusing passwords:

[number of accounts] [domain]
160 us.army.mil
64 gamil.com
28 navy.mil
18 usmc.mil
5 education.nsw.gov.au
4 jocogov.org
3 utah.gov
3 usdoj.gov
3 ssa.gov
3 schools.nyc.gov
3 ky.gov
3 irs.gov
3 gsa.gov
3 dc.gov
2 va.gov
2 usps.gov
2 tucsonaz.gov
2 salemct.gov
2 police.vic.gov.au
2 okc.gov
2 nasa.gov
2 mt.gov
2 med.va.gov
2 hud.gov
2 ed.gov
2 dmh.mo.gov
2 dhs.gov

Leak Analysis – Password Analysis

A lot of users were using weak passwords, with “123456” and “password”, being the most common. Those were the top used passwords:

[number of accounts] [password]
1666 123456
780 password
437 welcome
333 ninja
250 abc123
222 123456789
208 12345678
205 sunshine
202 princess
172 qwerty
164 writer
162 monkey
161 freedom
160 michael
160 111111
140 iloveyou
139 password1
134 shadow
133 baseball
132 tigger
131 1a1a1a1b
126 success
121 blackhatworld
111 jordan
110 whatever
109 michelle
107 dragon
106 superman
106 purple
106 1234567
103 ashley
101 associated
101 123123
100 ginger
100 babygirl
99 maggie
98 computer

Yes, it is a sad day when you see users using “password” and “123456” as their account passwords.

The size distribution is interesting, with 26% of the accounts using a password with 7 characters in size.

1 Character: 116 accounts
2 Characters: 69 accounts
3 Characters: 301 accounts
4 Characters: 2747 accounts
5 Characters: 5322 accounts
6 Characters: 65,600 accounts
7 Characters: 119,125 accounts
8 characters: 65,957 accounts
9 characters: 54,755 accounts
10 characters: 21,218 accounts
11 characters: 21,729 accounts
12 characters: 2,656 accounts

I can’t see why Yahoo would allow passwords so small (with 1 or 2 characters), but some people were using them. The longest password in the dump had 30 characters and only 294 accounts had a password with more than 20 characters.

What is interesting is that only 104 accounts had “yahoo” as part of the password. That’s strange, since we would expect this number to be a lot higher on a Yahoo leak:

[number of accounts] [password]
8 yahoo
7 yahoo123
6 yahoomail
4 yahoos
4 yahoo1
3 yahooman
2 yahooo
2 yahoocom
2 yahoo111
2 yahoo009
1 yahooyourself12
1 yahooyahoo
1 YAHOOWIISOL
1 yahoous

Because of that we can’t confirm the dump is indeed from Yahoo, but interesting nonetheless. We will post more details when we have them.


If you have more info, please email us so we can update – info@sucuri.net

Scan your website for free:
About Daniel Cid

Daniel B. Cid is the Founder & CTO of Sucuri and also the founder of the open source OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid