It’s no surprise that companies on the consumer internet are collecting a lot of information about their users — with and without the permission of those users. And that means there are plenty of databases that make an attractive target for hackers.
Unfortunately for users, many of those databases aren’t secured properly, and as we’ve seen time and time again, best practices for storing certain pieces of information, such as passwords, go unfollowed.
We’re getting yet another reminder of that today, as reports indicate that Yahoo has suffered an embarrassing security breach that exposed more than 400,000 user credentials, including plaintext passwords.
According to the reports, a dump of the credentials was posted on the website of hacker collective D33Ds Company, which claims that it penetrated one of Yahoo’s many services using a SQL injection attack. The as-yet-unidentified service is rumored to be Yahoo Voice, and apparently it was a fairly easy heist to pull off.
The really bad news for Yahoo is that D33Ds Company has hinted that Yahoo Voice could be the tip of the iceberg. As detailed by Ars Technica’s Dan Goodin, the hacker group indicates that the service breached is not the only vulnerable Yahoo service:
“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”
While it’s hard to justify all forms of hacking, even if they’re not motivated by a desire to profit or harm, it’s also getting difficult to pin all the blame on the hackers. There’s simply no excuse for storing passwords in plaintext, and companies asking users to register for access to their services have a moral (if not legal) obligation to treat the information provided by users with a reasonable degree of care.
The bad news for consumers is that companies, which include firms like Yahoo but also third-party vendors and marketers, are increasingly looking to collect as much information as they can. Big data, they believe, is big business. In many cases, they might be right, but the companies that don’t want to find themselves in Yahoo’s position should remember that big data also means even bigger responsibilities.