updated 12:30 am EDT, Fri July 13, 2012
Yahoo, Phandroid break-ins expose well over 1 million users
Several significant data breaches have occurred over the last several days, and criminal activity using previously stolen data has also surfaced very recently, a reminder to users that security on e-commerce sites is not solely in the hands of the merchant. Yahoo Voices experienced a break-in in which more than 400,000 email address and plain-text password combinations were leaked onto the internet. Additionally, the million-strong user information database of Android news and community site Phandroid is potentially out in the open as well. Best Buy is currently seeing user credentials farmed from previous break-ins being used to fraudulently purchase easily cash-convertible items, such as Xbox Live or PlayStation Network code cards.
Yesterday's disclosure of 400,000 users' credentials from Yahoo Voices joins Phandroid's hack exposing over a million of its users' information, Formspring's breach of 420,000 users, and retailer Billabong losing control of 35,000 plain-text passwords, all in less than a week. While the Yahoo breach and the Billabong hack involved only user emails and plain-text passwords, the Phandroid and Formspring attacks included user names, email addresses, hashed passwords, and IP addresses.
While the forum administrator for Phandroid believes that the attack was just an email harvesting attack, the data was still released, and it can be used in conjunction with other breaches to check whether a given email address reuses the same password. When an email address is tied to a specific, repeated password, it becomes a simple matter to attack e-commerce sites using the duplicated credentials and the credit card information stored there.
The news comes at the same time that Best Buy's website is seeing a rash of passwords stolen a year ago being used to attack accounts. An email sent to Best Buy customers warned that the company was "currently investigating increased attempts by hackers around the world to access accounts on BestBuy.com and other online retailers' e-commerce sites."
"These hackers did not take username/password combinations from any Best Buy systems; they appear to be using combinations taken elsewhere in an attempt to gain access to BestBuy.com accounts," the email continued. "We are taking action now to help protect your account; we have disabled your current password and ask that you take a few minutes to reset it."
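The pattern Best Buy describes, credentials harvested from other sites being replayed against its own login page, leaves a recognisable trace in authentication logs: a single source address trying many distinct accounts with mostly failed attempts. The following detector is an added example written for this article, not code from Best Buy or any of the sites named; the log format and the sample lines are constructed for illustration, and the thresholds are assumptions a site would tune to its own traffic.

```python
"""Credential-stuffing detection over login-attempt logs.

Added example (not from the article): flags source IPs that try many
distinct usernames with a high failure rate, the pattern that replaying
credentials harvested from other sites' breaches leaves behind.
The log format and sample lines below are constructed for illustration.
"""
import re
from collections import defaultdict

# Assumed log line layout: "<timestamp> ip=<addr> user=<name> result=OK|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>[\d.]+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: one address cycling through many accounts
# (one replayed credential works), one ordinary user who mistyped once.
SAMPLE_LOG = """\
2012-07-12T09:00:01 ip=203.0.113.7 user=alice@example.com result=FAIL
2012-07-12T09:00:02 ip=203.0.113.7 user=bob@example.com result=FAIL
2012-07-12T09:00:03 ip=203.0.113.7 user=carol@example.com result=OK
2012-07-12T09:00:04 ip=203.0.113.7 user=dave@example.com result=FAIL
2012-07-12T09:00:05 ip=203.0.113.7 user=erin@example.com result=FAIL
2012-07-12T09:00:06 ip=203.0.113.7 user=frank@example.com result=FAIL
2012-07-12T09:01:10 ip=198.51.100.4 user=grace@example.com result=FAIL
2012-07-12T09:01:20 ip=198.51.100.4 user=grace@example.com result=OK
malformed line that the parser must skip
"""


def parse_log(text):
    """Yield (ip, user, result) tuples, silently skipping unparseable lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("result")


def find_stuffing_sources(text, min_users=5, min_fail_ratio=0.6):
    """Return {ip: stats} for addresses that look like credential-stuffing sources.

    An address is flagged when it targets at least `min_users` distinct
    accounts and at least `min_fail_ratio` of its attempts fail; a legitimate
    user rarely touches many accounts from one address. The stats include
    the accounts where a replayed credential actually succeeded, which are
    the ones to lock and force a password reset on (as Best Buy did).
    """
    per_ip = defaultdict(
        lambda: {"users": set(), "successes": set(), "attempts": 0, "failures": 0}
    )
    for ip, user, result in parse_log(text):
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        if result == "FAIL":
            stats["failures"] += 1
        else:
            stats["successes"].add(user)

    flagged = {}
    for ip, stats in per_ip.items():
        fail_ratio = stats["failures"] / stats["attempts"]
        if len(stats["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(stats["users"]),
                "attempts": stats["attempts"],
                "fail_ratio": round(fail_ratio, 2),
                "compromised_users": sorted(stats["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, stats)
```

The per-address failure ratio on its own is a weak signal (one user with a forgotten password also fails repeatedly); it is the combination with many distinct target accounts that distinguishes replayed breach data from ordinary login trouble, which is why both thresholds must be met.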
Last year, Best Buy had customer information, said to be limited to email addresses, stolen through its association with Epsilon, an email marketing service firm. On the Best Buy discussion forums, some users report having their accounts used fraudulently without any reused credentials being involved, calling into question the veracity of Best Buy's and Epsilon's explanation from a year ago.
Microsoft maintains a page on best password practices, and given analysis of the exposed Yahoo passwords, few people seem to be following it. According to the password practices site, passwords of eight or more characters mixing punctuation, symbols, capitalization, and numbers are best. A password shouldn't be used for more than one service. Passwords containing dictionary words, or personal identifying information such as birth dates, social security number fragments, or other similar data, should be avoided. Android, iOS, OS X and Windows all have password management tools that allow for truly random password selection and management.
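The rules above are easy to state and easy to get wrong when applied by hand, so here they are as a small checker plus a generator of the kind a password manager uses. This is an added example written for this article, not code from Microsoft's page or any of the tools mentioned; the word list is a constructed stand-in for a real dictionary, and the date-like pattern is an assumption about what "birth dates or similar data" looks like inside a password.

```python
"""Password policy check and random password generation.

Added example (not from the article or Microsoft's page): encodes the
practices the article lists (eight or more characters, mixed character
classes, no dictionary words, no birth-date or SSN-like fragments) as a
checker, and generates compliant passwords with the `secrets` module.
"""
import re
import secrets
import string

# Constructed stand-in for a real dictionary / common-password list.
COMMON_WORDS = {"password", "welcome", "yahoo", "android", "summer", "letmein"}

ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumed shape of "date-like" data: a 19xx/20xx year, or a 6-8 digit run
# such as a birth date (07131985) or a social security number fragment.
DATE_LIKE = re.compile(r"(19|20)\d{2}|\d{6,8}")


def check_password(password, personal_info=()):
    """Return a list of policy violations; an empty list means it passes.

    `personal_info` is an iterable of strings (a user name, a birth date,
    part of an SSN) that must not appear anywhere inside the password.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 4:
        problems.append("missing lowercase, uppercase, digit or symbol")
    lowered = password.lower()
    if any(w in lowered for w in COMMON_WORDS):
        problems.append("contains a dictionary word")
    if DATE_LIKE.search(password):
        problems.append("contains a date-like number")
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal info {item!r}")
    return problems


def generate_password(length=16):
    """Generate a random password that satisfies check_password().

    secrets.choice draws from the operating system's CSPRNG, which is what
    "truly random" selection means in practice; the loop simply retries
    the rare draw that misses a character class or contains a date-like run.
    """
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("summer2012", "Tr0ub4dor&3", generate_password()):
        print(repr(pw), check_password(pw) or "ok")
```

Note that the checker only enforces the rules the article lists; the "one password per service" rule cannot be checked from the password alone, which is exactly the gap a password manager closes by generating a fresh value for every site.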