Analysis of Yahoo Voice Password Leak – 453,441 Passwords Exposed

July 12, 2012Daniel Cid

We recently heard that a massive leak of Yahoo passwords has been floating on the interwebs for a few days. According to Ars Technica, the dump is from Yahoo Voice and the data was released in clear-text (yes, clear text in 2012). It seems they were not storing the passwords securely.

We got access to the dump and we can confirm that this leak is valid. We can not however confirm it is from Yahoo, the password analysis does not have many “Yahoo’s” in it (we’ll explain later).

That said, we recommend all Yahoo users to change their passwords ASAP! Specially on other services that you are reusing the same passwords. Better safe than sorry.

*You can check here if your account was part of the leak: http://labs.sucuri.net/?yahooleak

Yahoo Leak Analysis – Overview

The link contains passwords for 453,411 Yahoo Voice accounts, from which 342,481 are unique.

Unique accounts: 453,411
Unique passwords: 342,481

The accounts are from multiple email providers, including Yahoo, Gmail, Hotmail and others. This is the list of where most accounts were:

135599 yahoo.com
106185 gmail.com
54393 hotmail.com
24677 aol.com
8422 comcast.net
6282 msn.com

There are also passwords from multiple .GOV and .MIL addresses, which can be very dangerous if their users were reusing passwords:

[number of accounts] [domain]
160 us.army.mil
64 gamil.com
28 navy.mil
18 usmc.mil
5 education.nsw.gov.au
4 jocogov.org
3 utah.gov
3 usdoj.gov
3 ssa.gov
3 schools.nyc.gov
3 ky.gov
3 irs.gov
3 gsa.gov
3 dc.gov
2 va.gov
2 usps.gov
2 tucsonaz.gov
2 salemct.gov
2 police.vic.gov.au
2 okc.gov
2 nasa.gov
2 mt.gov
2 med.va.gov
2 hud.gov
2 ed.gov
2 dmh.mo.gov
2 dhs.gov
…

Leak Analysis – Password Analysis

A lot of users were using weak passwords, with “123456” and “password”, being the most common. Those were the top used passwords:

[number of accounts] [password]
1666 123456
780 password
437 welcome
333 ninja
250 abc123
222 123456789
208 12345678
205 sunshine
202 princess
172 qwerty
164 writer
162 monkey
161 freedom
160 michael
160 111111
140 iloveyou
139 password1
134 shadow
133 baseball
132 tigger
131 1a1a1a1b
126 success
121 blackhatworld
111 jordan
110 whatever
109 michelle
107 dragon
106 superman
106 purple
106 1234567
103 ashley
101 associated
101 123123
100 ginger
100 babygirl
99 maggie
98 computer

Yes, it is a sad day when you see users using “password” and “123456” as their account passwords.

The size distribution is interesting, with 26% of the accounts using a password with 7 characters in size.

1 Character: 116 accounts
2 Characters: 69 accounts
3 Characters: 301 accounts
4 Characters: 2747 accounts
5 Characters: 5322 accounts
6 Characters: 65,600 accounts
7 Characters: 119,125 accounts
8 characters: 65,957 accounts
9 characters: 54,755 accounts
10 characters: 21,218 accounts
11 characters: 21,729 accounts
12 characters: 2,656 accounts

I can’t see why Yahoo would allow passwords so small (with 1 or 2 characters), but some people were using them. The longest password in the dump had 30 characters and only 294 accounts had a password with more than 20 characters.

What is interesting is that only 104 accounts had “yahoo” as part of the password. That’s strange, since we would expect this number to be a lot higher on a Yahoo leak:

[number of accounts] [password]
8 yahoo
7 yahoo123
6 yahoomail
4 yahoos
4 yahoo1
3 yahooman
2 yahooo
2 yahoocom
2 yahoo111
2 yahoo009
1 yahooyourself12
1 yahooyahoo
1 YAHOOWIISOL
1 yahoous

Because of that we can’t confirm the dump is indeed from Yahoo, but interesting nonetheless. We will post more details when we have them.

If you have more info, please email us so we can update – info@sucuri.net

About Daniel Cid

Daniel B. Cid is the Founder & CTO of Sucuri and also the founder of the open source project - OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Virtual Copy

Actually, the leak is of Yahoo! Voices, formerly Associated Content and of the Yahoo! Contributor Network. None of us have been officially notified as of yet by Yahoo staff.
Pingback: Analysis of Yahoo Voice Password Leak – 453,441 Passwords Exposed | Sucuri « AskBillFirst – Non-Tech Speak Technology Blog()
Matt Busse

As Virtual Copy notes in these comments, Yahoo Voices / the Yahoo Contributor Network, from which the leak came, had acquired Associated Content, a user-contributed-articles site similar to eHow.com. That might explain why 101 passwords were the word “associated” (and perhaps why 164 were “writer”), and might also explain why so few have the word “yahoo” in them.
Pingback: Yahoo! victime d'un piratage d'envergure - 450 000 comptes diffusés | UnderNews()
Pingback: Yahoo Voice comprometido. Veja se a sua conta está em risco. | WebSegura.Net()
Hacked again

I submitted several articles to Associated Content and I looked at the list and found my old email and a currently still used password (since changed!). When Yahoo acquired Associated Content, I don’t remember being clearly notified–just couldn’t find the site anymore. Now I see that I am a “contributor” but that I have no articles listed. However, my articles are still online and I can find them with a search. I regret all of it-what a hassle.
- A Former A.C. Writer
  
  I signed up many years ago to AC and did several articles, some of which were picked up by larger media. I should have known something was up when i began to no longer get payments for views. It took hours to get my account back under my control…and i am SO furious today to get at least four emails giving me advice on how to keep my accounts secure…LOL!
  
  The Freaking IRONY.
  
  Ya know we would not even BE in this position if YAHOO had followed its own B.S. advice!
  
  How dare they contact me and give me a lecture about password security when my account had an ENORMOUS, very extremely specialized password.(20+ characters)..which i can now no longer used because of those ridiculous D-Bags.
  
  I feel like this is the bosco episode of Seinfeld…and the joke is all on us.
  
  If there was a way i could delete those “contributions” and my account from AC right now. I would F do it without hesitation. I am so flipping hot right now.
  
  This is exactly why Yahoo is in the toilet. May the Gods give us mercy enough to see the day when the shit finally gets flushed.
Mohammed Hasan

hasan41me@yahoo.com.sg already hacked but but your result show good. How its possible? Check just for fun or not?
Redjacket1231

my acct was hacked too but it says on ur verification that my acct is good .. any explanation on this?
- Carolina_D
  
  How do you know your account was hacked? All of my email addys showed up as good, but now I’m wondering.
Pingback: ASK Sucuri: What should I do if my email is in the Yahoo Leak? | Sucuri()
Pingback: Yahoo User Names and Passwords Leak: Involves More Than 400,000 Accounts - Kamaluddin's Blog | Kamaluddin's Blog()
Pingback: Piratage de mots de passe Yahoo! : ce qu’il faut savoir | Double-J Informations Center()
Pingback: Yahoo Hacking – 4.5 Lacs Yahoo Passwords Stolen & Posted Online | BloggingAster()
Pingback: Piratage de Yahoo : un internaute se rebiffe | HORUS e-business Solutions()
ideas

Very interesting,
if your looking at removing malware and spyware also then stopzilla is a
recommended solution.
http://www.homerenovationgplans.com
saeid

Thank you.

http://tanhaye-avval71.blogfa.com
djc

hi