
Sucuri Blog

Website Security News


Analysis of Yahoo Voice Password Leak – 453,441 Passwords Exposed

July 12, 2012 | Daniel Cid


We recently heard that a massive leak of Yahoo passwords has been floating on the interwebs for a few days. According to Ars Technica, the dump is from Yahoo Voice and the data was released in clear-text (yes, clear text in 2012). It seems they were not storing the passwords securely.

We got access to the dump and we can confirm that this leak is valid. However, we cannot confirm that it is from Yahoo: the password analysis does not turn up many “Yahoo’s” (we’ll explain later).

That said, we recommend that all Yahoo users change their passwords ASAP, especially on other services where you are reusing the same passwords. Better safe than sorry.

*You can check here if your account was part of the leak: http://labs.sucuri.net/?yahooleak

Yahoo Leak Analysis – Overview

The leak contains passwords for 453,411 Yahoo Voice accounts, of which 342,481 are unique.

Unique accounts: 453,411
Unique passwords: 342,481

The accounts are from multiple email providers, including Yahoo, Gmail, Hotmail and others. These are the domains with the most accounts:

135599 yahoo.com
106185 gmail.com
54393 hotmail.com
24677 aol.com
8422 comcast.net
6282 msn.com

There are also passwords from multiple .GOV and .MIL addresses, which can be very dangerous if their users were reusing passwords:

[number of accounts] [domain]
160 us.army.mil
64 gamil.com
28 navy.mil
18 usmc.mil
5 education.nsw.gov.au
4 jocogov.org
3 utah.gov
3 usdoj.gov
3 ssa.gov
3 schools.nyc.gov
3 ky.gov
3 irs.gov
3 gsa.gov
3 dc.gov
2 va.gov
2 usps.gov
2 tucsonaz.gov
2 salemct.gov
2 police.vic.gov.au
2 okc.gov
2 nasa.gov
2 mt.gov
2 med.va.gov
2 hud.gov
2 ed.gov
2 dmh.mo.gov
2 dhs.gov
…

Leak Analysis – Password Analysis

A lot of users were using weak passwords, with “123456” and “password” being the most common. These were the most used passwords:

[number of accounts] [password]
1666 123456
780 password
437 welcome
333 ninja
250 abc123
222 123456789
208 12345678
205 sunshine
202 princess
172 qwerty
164 writer
162 monkey
161 freedom
160 michael
160 111111
140 iloveyou
139 password1
134 shadow
133 baseball
132 tigger
131 1a1a1a1b
126 success
121 blackhatworld
111 jordan
110 whatever
109 michelle
107 dragon
106 superman
106 purple
106 1234567
103 ashley
101 associated
101 123123
100 ginger
100 babygirl
99 maggie
98 computer

Yes, it is a sad day when you see users using “password” and “123456” as their account passwords.

The length distribution is interesting, with 26% of the accounts using a password 7 characters long.

1 character: 116 accounts
2 characters: 69 accounts
3 characters: 301 accounts
4 characters: 2,747 accounts
5 characters: 5,322 accounts
6 characters: 65,600 accounts
7 characters: 119,125 accounts
8 characters: 65,957 accounts
9 characters: 54,755 accounts
10 characters: 21,218 accounts
11 characters: 21,729 accounts
12 characters: 2,656 accounts

I can’t see why Yahoo would allow passwords so small (with 1 or 2 characters), but some people were using them. The longest password in the dump had 30 characters and only 294 accounts had a password with more than 20 characters.

What is interesting is that only 104 accounts had “yahoo” as part of the password. That’s strange, since we would expect this number to be a lot higher on a Yahoo leak:

[number of accounts] [password]
8 yahoo
7 yahoo123
6 yahoomail
4 yahoos
4 yahoo1
3 yahooman
2 yahooo
2 yahoocom
2 yahoo111
2 yahoo009
1 yahooyourself12
1 yahooyahoo
1 YAHOOWIISOL
1 yahoous

Because of that, we can’t confirm the dump is indeed from Yahoo, but it is interesting nonetheless. We will post more details when we have them.
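The breakdowns above (accounts per domain, most common passwords, length distribution, and passwords containing “yahoo”) can be reproduced with a short script. This is an added example, not code from the original post; the `email:password` line layout, the `analyze` function and the sample records are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample records in an assumed "email:password" layout.
# Addresses use example.* domains; none are taken from the real dump.
SAMPLE_DUMP = """\
alice@example.com:123456
bob@example.com:password
carol@example.org:123456
dave@example.net:yahoo123
erin@example.org:Tr0ub4dor&3:x
frank@example.com:a
malformed line without separator
grace@EXAMPLE.com:sunshine
"""

def analyze(dump_text, needle="yahoo", top_n=3):
    """Summarise a credential dump as aggregate counts only."""
    domains, passwords, lengths = Counter(), Counter(), Counter()
    accounts, skipped = set(), 0
    for line in dump_text.splitlines():
        # Split on the first ':' only, since passwords may contain colons.
        email, sep, password = line.partition(":")
        if not sep or "@" not in email:
            skipped += 1          # tolerate junk lines instead of crashing
            continue
        email = email.strip().lower()
        if email in accounts:     # count each account once
            continue
        accounts.add(email)
        domains[email.rsplit("@", 1)[1]] += 1
        passwords[password] += 1
        lengths[len(password)] += 1
    total = len(accounts)
    return {
        "accounts": total,
        "unique_passwords": len(passwords),
        "skipped": skipped,
        "top_domains": domains.most_common(top_n),
        "top_passwords": passwords.most_common(top_n),
        "length_pct": {n: round(100 * c / total, 1) for n, c in sorted(lengths.items())},
        "needle_accounts": sum(c for p, c in passwords.items() if needle in p.lower()),
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

Run against a password store you are responsible for, the same counts show how many accounts sit below a minimum length or on a common-password list.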


If you have more info, please email us so we can update – info@sucuri.net


Categories: Website Security | Tags: Passwords

About Daniel Cid

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid


Comments

  1. Virtual Copy

    July 12, 2012

    Actually, the leak is of Yahoo! Voices, formerly Associated Content and of the Yahoo! Contributor Network. None of us have been officially notified as of yet by Yahoo staff. 

  2. Matt Busse

    July 12, 2012

    As Virtual Copy notes in these comments, Yahoo Voices / the Yahoo Contributor Network, from which the leak came, had acquired Associated Content, a user-contributed-articles site similar to eHow.com. That might explain why 101 passwords were the word “associated” (and perhaps why 164 were “writer”), and might also explain why so few have the word “yahoo” in them.

  3. Hacked again

    July 12, 2012

    I submitted several articles to Associated Content and I looked at the list and found my old email and a currently still used password (since changed!). When Yahoo acquired Associated Content, I don’t remember being clearly notified–just couldn’t find the site anymore. Now I see that I am a “contributor” but that I have no articles listed. However, my articles are still online and I can find them  with a search. I regret all of it-what a hassle. 

    • A Former A.C. Writer

      July 14, 2012

      I signed up many years ago to AC and did several articles, some of which were picked up by larger media. I should have known something was up when I began to no longer get payments for views. It took hours to get my account back under my control…and I am SO furious today to get at least four emails giving me advice on how to keep my accounts secure…LOL!

      The Freaking IRONY.

      Ya know we would not even BE in this position if YAHOO had followed its own B.S. advice!

      How dare they contact me and give me a lecture about password security when my account had an ENORMOUS, very extremely specialized password (20+ characters)..which I can now no longer use because of those ridiculous D-Bags.

      I feel like this is the bosco episode of Seinfeld…and the joke is all on us.

      If there was a way I could delete those “contributions” and my account from AC right now, I would F do it without hesitation. I am so flipping hot right now.

      This is exactly why Yahoo is in the toilet.  May the Gods give us mercy enough to see the day when the shit finally gets flushed.

  4. Mohammed Hasan

    July 13, 2012

    hasan41me@yahoo.com.sg already hacked but your result shows good. How is it possible? Check just for fun or not?

  5. Redjacket1231

    July 13, 2012

    my acct was hacked too but it says on ur verification that my acct is  good .. any explanation on this?

    • Carolina_D

      July 16, 2012

       How do you know your account was hacked? All of my email addys showed up as good, but  now I’m wondering.

  6. ideas

    November 3, 2012

    Very interesting,
    if your looking at removing malware and spyware also then stopzilla is a
    recommended solution.
    http://www.homerenovationgplans.com

  7. saeid

    December 21, 2012

    Thank you.

    http://tanhaye-avval71.blogfa.com

  8. djc

    February 11, 2013

    hi
