This is an archive article published on July 16, 2012

Insecure web

Leak of Yahoo email passwords reinforces the need for companies to get serious about user data security

Easy as you please, a hacker collective was able to use a common attack, known as SQL injection, to liberate over 4 lakh passwords from a Yahoo database last week. This latest attack comes only a few days after Formspring, a service that lets users create forms and send them to friends for answers, had a security breach that compromised some user accounts, and a month after millions of passwords from social network LinkedIn and online music site Last.fm were leaked. To make matters worse, the Yahoo service attacked appears to be Yahoo Voices, which means that the email addresses and passwords revealed are not limited to Yahoo Mail, but also include Gmail and MSN accounts (since any email account can be used to sign up for Voices). Such breaches are evidence that internet companies handling sensitive user information must do more to protect that data.

Yahoo, for instance, stored the leaked information in unencrypted, plain text form, making it easy for the hackers, who even posted a message alongside their disclosure calling attention to Yahoo’s less-than-thorough approach to data security. Encrypting passwords is the bare minimum in web security, and Yahoo’s failure to do even that suggests that they may be cutting corners elsewhere too.

But the breach of better-secured account information, such as LinkedIn’s — which “hashed” user data but didn’t “salt” it, both standard cryptographic practices — and Formspring’s, which did both, indicates that companies have to be proactive about protecting user information, especially given the increasing popularity of cloud-based productivity tools. The frequency of such hacks also highlights that there are no minimum security standards that most websites are required to follow, like there are for banks and other financial sites that handle cardholder information.
