Despite the state Yahoo! is in I find it very hard to believe that a company like Yahoo! would store its passwords in plain text. In addition, doesn't Yahoo Voice use the Yahoo single sign-on? That would mean there is a very good chance that the central authentication server and not Yahoo Voice is authenticating the user and the password doesn't even touch Yahoo Voice. Of course, there is a possibility that Yahoo uses a simple API-based authentication for its own apps and the architect took the easy way out and just stored the plain-text password.<p>If it wasn't in such a credible news source I would have found the entire thing very hard to believe.
I used to work on the login system for Yahoo! and find this to be not 100% true. Passwords were never stored in plaintext; even the log files went through a library that would mask any passwords or sensitive information if it was sent over HTTPS in plaintext.<p>I would still trust Yahoo! to not leak my password à la LinkedIn.
The server hosting it is a bit slow now, so here's the file compressed with bzip2: <a href="http://www.mediafire.com/download.php?769gk65ix183vbd" rel="nofollow">http://www.mediafire.com/download.php?769gk65ix183vbd</a>
I wrote a very cheesy Python script that runs through the file and counts the passwords and the number of times they appear. Note that these may not even be correct.<p>This is what I got for the top 10:<p><pre><code> len(passlist): 342,514 # Amount of unique passwords.
Password, Repetition
'', 10,654 (Apparently, some passwords were blank.)
'123456', 1667
'password', 780
'ninja', 333
'abc123', 250
'123456789', 222
'12345678', 208
'sunshine', 205
'princess', 202
</code></pre>
Edit: Source code at <a href="https://gist.github.com/3096511" rel="nofollow">https://gist.github.com/3096511</a>
So I dealt with something that seemed very similar while I was at Yahoo as a Local Paranoid (security person for a product).<p>There was an enormously successful phishing attack that had rendered a crapton (more than 450k) of users in a compromised state. Their passwords were basically stolen.<p>The solution was a several-month-long effort by multiple engineers to get the proper owner to change/reset their password. Remember, their accounts are basically hijacked at this point and they don't even know. It was one of the most involved and complex issues I've ever worked on.<p>Having gone through that I gained a lot of respect for Yahoo! and how they treat/handle these types of situations. Nowadays everything looks different so I don't know who's doing what.<p>But the more I read and think about this, my guess is that all those users were phished.
I still see that Yahoo is hiring paranoids. There seems to be a team of paranoids at Yahoo still. Even if the login process of this particular subdomain was not monitored by paranoids, I doubt that Yahoo uses separate login systems for each domain, and if there is a central code/library that handles logins, I seriously doubt that passwords are handled in plain text and SQL is not sanitized.
Perhaps the best password I've found in this list is \0/<p>In the original SQL dump it also seems that some accounts don't have a password. I'm not sure how this is possible. For example:<p><pre><code> 334860:cashcratereferer@live.com:
</code></pre>
vs. a normal entry<p><pre><code> 334868:ktomlinson7@yahoo.com:password</code></pre>
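The frequency count described a few comments up, and the blank-password rows shown just above, as an added example that is not the commenter's gist or any Yahoo code. It assumes the dump's line format is `id:email:password` (inferred from the two quoted entries), splits on only the first two colons so a password containing ':' survives, and runs on a constructed sample rather than the real file. The email lookup checks an address locally, so no password is typed into a third-party site.

```python
"""Frequency analysis of an 'id:email:password' dump (constructed sample)."""
from collections import Counter
from typing import Iterable

# Constructed sample in the format quoted in the thread; not real data.
SAMPLE_DUMP = """\
1:alice@example.com:123456
2:bob@example.com:password
3:carol@example.com:
4:dave@example.com:123456
5:erin@example.com:pa:ss:word
6:frank@example.com:123456
garbage line without separators
"""


def parse_dump(lines: Iterable[str]):
    """Return (id, email, password) triples; skip lines that don't fit.

    split(':', 2) keeps any ':' inside the password intact, and a
    trailing ':' yields an empty password rather than a missing field.
    """
    rows = []
    for raw in lines:
        parts = raw.rstrip("\r\n").split(":", 2)
        if len(parts) != 3 or "@" not in parts[1]:
            continue  # malformed row, e.g. a header or corrupted line
        rows.append((parts[0], parts[1].lower(), parts[2]))
    return rows


def password_stats(rows, top_n=3):
    """Count reuse across rows; blank passwords are reported separately."""
    counts = Counter(pw for _, _, pw in rows)
    blank = counts.pop("", 0)
    return {"unique": len(counts), "blank": blank,
            "top": counts.most_common(top_n)}


def email_in_dump(rows, email: str) -> bool:
    """Local lookup by address only; the password never leaves the machine."""
    target = email.strip().lower()
    return any(e == target for _, e, _ in rows)


if __name__ == "__main__":
    rows = parse_dump(SAMPLE_DUMP.splitlines(True))
    print(password_stats(rows))
    print(email_in_dump(rows, "carol@example.com"))
```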
Looks like this is from a property of a recent acquisition (associated content, acquired in 2010). Most likely a dump of old tables before authentication was migrated to login.yahoo.com. Should've dropped these tables after the migration.<p>I personally have no sympathy for these "users", as they're professional content spammers :)
Most people here seem to agree that it is very unlikely that this comes from Yahoo.<p>With the number of compromised sites lately, isn't it more likely that the credentials from other sites have simply been matched with Yahoo services?<p>"Oh look at all these LinkedIn passwords, I wonder which ones work on Yahoo as well"
The TrustedSec blog post that ArsTechnica links to gave the link for the password dump, so if you want to check for a compromised account:
<a href="https://d33ds.co/archive/yahoo-disclosure.txt" rel="nofollow">https://d33ds.co/archive/yahoo-disclosure.txt</a> (WARNING: That file is ~17 MB.)
I found my account (different name) there, but with the wrong password. I think I remember using the one they had a long while back, but couldn't remember from where. Might be that these passwords are scraped from various other sites, or were held onto for some time.
I got an email from Yahoo yesterday saying I had sent a request to reset my password via secret question verification. The email was from yahoo, but maybe this is how they got the passwords. My account was still there at the time though.
I built this website to help you easily check if your credentials have been compromised: <a href="http://voices.thatsaspicymeatball.com/" rel="nofollow">http://voices.thatsaspicymeatball.com/</a>