Yahoo, Gmail, Hotmail compromised

I wasn’t going to comment on this until later, but the story is spreading; there’s a link off the Yahoo Canada homepage.  10,000 usernames and passwords were posted this past week, victims of a phishing scam.  From Computerworld:

If (technology blog) Neowin's account is accurate, the Hotmail hack or phishing attack would be one of the largest suffered by a Web-based e-mail service.

Last year, a Tennessee college student was accused of breaking into former Alaska governor Sarah Palin's Yahoo Mail account in the run-up to the U.S. presidential election. Palin, the Republican vice presidential nominee at the time, lost control of her personal account when someone identified only as "rubico" reset her password after guessing answers to several security questions.

Shortly after the Palin account hijack, Computerworld confirmed that the automated password-reset mechanisms used by Hotmail, Yahoo Mail and Google’s Gmail could be abused by anyone who knew an account's username and could answer a single security question.

The BBC reports that Gmail and Yahoo were also targeted. 

It seems unlikely to me that this would be a hack where someone would break into Hotmail’s servers and access the account information that way.  It is much more likely that the spammers got the information by social engineering.  Why is this more likely?  For one, they’d have to get past all of the firewalls and security measures that Microsoft/Hotmail have to keep intruders out.  While not impossible, it is not easy.

But secondly, even if a hacker/spammer were to break in and steal the account information, it is very unlikely that they could access the associated passwords.  Passwords are not stored in clear-text, they are stored encrypted using a one-way hash.  Actually, firms with good security store them this way; while I don’t work in Hotmail, I am pretty certain that they would do the same because it is standard Microsoft policy.  The point is that a hacker couldn’t get a user’s password because all he would have access to is a text string that wouldn’t work when entering it into the web portal.  This suggests that the spammer tricked the user into handing over their user account and password through some other mechanism.

Whilst I suspect social engineering, I do not suspect security-question guessing.  Note that while vice-presidential candidate Sarah Palin had her account hacked by somebody guessing her login information, this is not a scalable model for spammers.  Palin is well known and you could possibly guess her information simply by reading about her online.  But to access 10,000 accounts that way is too time consuming and the people you are hacking are unknown to you.  You wouldn’t be able to guess their information, other than by chance.  Random guessing is useless.

All Spammed Up reports that there are two motives for accessing the information and then posting it:

  1. Either a hacker with a conscience wanted to make a point about how widespread and dangerous phishing is.
  2. More likely, it was a hacker’s way of showing off what they have for sale.

The second is the more likely scenario. But if it is, then the hacker miscalculated. To post it publically is drawing attention to himself. He would have been better off posting it to a closed forum where other spammers would be able to see it. Giving it away to the rest of the world makes no sense; keeping it quiet and only selling it to others who would be interested makes more sense.