Rash of data thefts emphasize need for strong user passwords

updated 12:30 am EDT, Fri July 13, 2012

Yahoo, Phandroid break-ins expose well over 1 million users

Several significant data breaches have occurred over the last several days, and some criminal activity using previously stolen data has also surfaced very recently, a reminder to users that security on e-commerce sites is not solely in the hands of the merchant. Yahoo Voices experienced a break-in in which more than 400,000 email and plain-text password combinations were leaked onto the internet. Additionally, the million-strong user database of Android news and community site Phandroid is potentially out in the open as well. Best Buy is currently seeing user credentials harvested from previous break-ins being used to fraudulently purchase easily cash-convertible items, such as Xbox Live or PlayStation Network code cards.

Yesterday's reveal of 400,000 users' credentials from Yahoo Voices joins Phandroid's hack, which exposed over a million of its users' information, Formspring's breach of 420,000 users, and retailer Billabong's loss of 35,000 plaintext passwords, all in less than a week. While the Yahoo breach and the Billabong hack involved only user emails and plain-text passwords, the Phandroid and Formspring attacks included user names, email addresses, hashed passwords, and IP addresses.

While Phandroid's forum administrator believes the attack was merely an email-harvesting attack, the data was still released, and it can be cross-referenced with other breaches to see whether a given email address reuses the same password. Once an email address is tied to a specific, repeated password, it becomes a simple matter to attack e-commerce sites using the duplicated credentials and the credit card information stored there.

The news comes at the same time that Best Buy's website is seeing a rash of passwords stolen a year ago being used to attack accounts. An email sent out to Best Buy customers warned them that the company was "currently investigating increased attempts by hackers around the world to access accounts on and other online retailers' e-commerce sites."

"These hackers did not take username/password combinations from any Best Buy systems; they appear to be using combinations taken elsewhere in an attempt to gain access to accounts," the email continued. "We are taking action now to help protect your account; we have disabled your current password and ask that you take a few minutes to reset it."

Last year, Best Buy had customer information, said to be limited to email addresses, stolen through its association with Epsilon, an email marketing service firm. On the Best Buy discussion forums, some users report their accounts being used fraudulently without any duplicated credentials being involved, which calls into question the veracity of Best Buy's and Epsilon's explanation from a year ago.
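The defensive check behind the reuse problem described above and behind Best Buy's forced resets, as an added example that is not code from the article or from any company named in it: when a plain-text email:password dump like the Yahoo one appears, a site operator can hash each leaked password with the matching user's own salt, compare it against the stored hash, and lock the accounts that match. Every address, password and the dump itself are constructed for the example, and the stored hashes are standard-library PBKDF2 rather than any real site's scheme.

```python
import hashlib
import hmac
import os

# Constructed plain-text dump in the email:password form described in the article.
LEAKED_DUMP = """\
alice@example.com:password1
bob@example.com:Tr0ub4dor&3
carol@example.com:a
"""

def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (stdlib) standing in for proper password storage;
    bcrypt, scrypt or Argon2 are the usual production choices."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def make_user_record(email: str, password: str) -> dict:
    salt = os.urandom(16)  # fresh random salt per user
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}

def parse_dump(text: str) -> dict:
    """Map email -> leaked password; split on the first ':' only, since passwords may contain ':'."""
    creds = {}
    for line in text.splitlines():
        email, sep, password = line.partition(":")
        if sep:  # skip malformed lines with no separator
            creds[email.strip().lower()] = password
    return creds

def accounts_to_reset(users: list, dump: dict) -> list:
    """Emails of our users whose stored hash matches the password leaked for the same address."""
    flagged = []
    for user in users:
        leaked = dump.get(user["email"].lower())
        if leaked is None:
            continue
        # Hash the leaked password with the user's own salt; constant-time compare.
        if hmac.compare_digest(hash_password(leaked, user["salt"]), user["hash"]):
            flagged.append(user["email"])
    return flagged

def demo() -> list:
    # Constructed user table: alice reused her leaked password; bob did not; dave has bob's password under another email.
    users = [
        make_user_record("alice@example.com", "password1"),
        make_user_record("bob@example.com", "unique-to-this-site"),
        make_user_record("dave@example.com", "Tr0ub4dor&3"),
    ]
    return accounts_to_reset(users, parse_dump(LEAKED_DUMP))
```

Matching by email is deliberate: refusing any password that appears in a public dump regardless of address is a separate blacklist check applied at password-change time.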

Microsoft maintains a page on best password practices, and given analysis of the exposed Yahoo passwords, few people seem to be following it. According to that page, passwords of eight or more characters that mix punctuation, symbols, capitalization, and numbers are best. A password shouldn't be used for more than one service. Passwords containing dictionary words, or personal identifying information such as birth dates, social security number fragments, or similar data, should be avoided. Android, iOS, OS X and Windows all have password management tools that allow for truly random password generation and management.

By Electronista Staff


  1. daqman

    Junior Member

    Joined: 09-15-00

    The title of this article seems to be at odds with the content. The title is:

    "Rash of data thefts emphasize need for strong user passwords"

    The article seems to then talk about how passwords stolen via security breaches are being used to gain access to accounts. While a strong password is essential, it is as good as no password at all if the service provider has lax security that allows your credentials to be stolen as part of a wider breach.

    There has been a push by many companies to make life simpler for the user by having a single sign-on for multiple services. The problem with this is that the whole system is now as weak as the weakest link. For example, you can have a very secure point of sale system with SSL-only access from the web and strong passwords, but that is no good if you force the customer to use the same password for an email service that sends the passwords in plain text. Apple has slipped this way with the single Apple ID being used for everything. I would much rather have things that need my payment info, iTunes and App stores, secured by a different password than the one I use 1000 times a day for email, calendar, etc.

  2. SockRolid

    Forum Regular

    Joined: 01-21-10

    Gruber posted that of the 400k Yahoo passwords cracked, 117 of them were one character long. You do that and you're asking for somebody to hack your account(s).

  3. SockRolid

    Forum Regular

    Joined: 01-21-10

    And shame on Yahoo for even allowing passwords less than, say, 10 characters (with at least two mandatory numerical digits or punctuation characters) in the first place!
