Tom Simonite

A View from Tom Simonite

Yahoo Should Say Whose Data Was Used to Hack Yahoo Mail

Naming the company whose poorly secured data is being used to attack Yahoo Mail accounts could improve online security.

  • January 31, 2014

Yahoo warned yesterday that many Yahoo Mail accounts are being targeted by someone with a list of passwords and usernames stolen from another company. Yahoo could help make the Web more secure by naming the source of that “third-party database compromise.”

Naming the company would set a precedent and raise the stakes for those with large userbases. Knowing that your company could be publicly shamed if data from your servers enabled attacks like that on Yahoo Mail would provided added incentive to properly secure username and password databases.

That’s needed because we have evidence that even major technology companies don’t bother to properly secure their passwords, even though password databases are frequently stolen. When 6.5 million passwords were taken from LinkedIn in 2012, decrypted versions were available online a day later because the company’s encryption was relatively weak. The 130 million passwords taken from Adobe in November last year were also discovered to have been improperly secured, in a manner that falls far short of industry best practices.

Better technical solutions to the problem of encrypting passwords do exist and are not prohibitively expensive for such companies. They just seem not to care enough about their customers’ security. That might change if Yahoo was brave enough to say where the data that led to its users having their e-mail accounts targeted came from. Yahoo didn’t respond to a enquiry this morning about the source of that data.

Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.

Subscribe today

Uh oh–you've read all of your free articles for this month.

Insider Premium
$179.95/yr US PRICE

More from Connectivity

What it means to be constantly connected with each other and vast sources of information.

Want more award-winning journalism? Subscribe to Insider Plus.
  • Insider Plus {! insider.prices.plus !}*

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus ad-free web experience, select discounts to partner offerings and MIT Technology Review events

    See details+

    What's Included

    Bimonthly home delivery and unlimited 24/7 access to MIT Technology Review’s website.

    The Download. Our daily newsletter of what's important in technology and innovation.

    Access to the Magazine archive. Over 24,000 articles going back to 1899 at your fingertips.

    Special Discounts to select partner offerings

    Discount to MIT Technology Review events

    Ad-free web experience

/
You've read all of your free articles this month. This is your last free article this month. You've read of free articles this month. or  for unlimited online access.