The dumping of nearly half a million Yahoo! Voice clear text credentials paints a bleak picture of password security.
If the dump is legitimate -- and there's a chance the anti-security hackers posted old or cobbled together records -- it's a bad look for Yahoo!
According to some of the security folk now pouring over the records, the hackers from d33ds.co used run-of-the-mill SQL Injection to pinch the credentials from a smaller server.
That's enough to make many shrug their shoulders given injection is a mainstay of OWASP's Top 10.
But few companies could be forgiven for storing so many records in such an exposed format as clear text.
Encryption technologies are standard security fare, and by now, all passwords entrusted to an organisation worth its salt should be, well, salted.
An organisation accepts a lot of responsibility when it asks for users to signup. Not least because password reuse is common, and will remain so for a long time.
Users will also sign up using corporate email domains that may be sensitive, placing their organisations at a hightened risk.
Just look at those in the Yahoo! dump: There were 1870 *.edu domains, 93 *.gov and 81 pertaining to*.mil.
Local victims include a police prosecutor, a state treasury bureaucrat, an ambo and a decent representation of members from Australia's education system.
All are potential candy for social engineers.
Hacktivists have long demonstrated that its time for security benchmarks to be lifted. Anyone can be breached, but with decent encryption, everyone can minimise the impact.
Copyright © SC Magazine, Australia
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED GOES EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @itnews.com.au to your white-listed senders.