Formspring and Yahoo Voices services compromised
The last 24 hours have been filled with news of two compromised services. First victim of a successful attack was the social question and answer site Formspring. After being notified that a set of 420k password hashes that had been posted to a security forum could be from Formspring, the site operators quickly confirmed the suspicion and locked down their systems to begin an investigation of the issue.
What they discovered is that the attacker managed to break into a development server to get access to a production database from that access. The security issue was quickly fixed by Formspring, which also improved the hashing mechanism from a sha-256 algorithm with random salts to bcrypt.
Since user passwords - in the form of password hashes - were out in the open, the company decided to reset all passwords on the site. All Formspring users will be asked to change their passwords when they try to log back into the site for the first time.
While not actively enforced, security guidelines have been posted on the blog to help users pick better more secure passwords. This includes selecting passwords with ten or more characters, and using a mixture of special characters and upper and lowercase letters for the passwords.
But Formspring was not the only service compromised in the past 24 hours. Yahoo Voices, not to be confused with Yahoo Voice, Yahoo's voice over IP service, has been compromised by a simple database attack that leaked more than 450,000 unencrypted passwords, usernames and related information. The list has been put online and already been analyzed by security experts.
The findings are quite interesting if you look at the top 10 passwords and base words used to protect the accounts, as you find the usual weak passwords like "password", "123456", "abc123" or "welcome" in the top 10. Users of Yahoo Voices are asked to change their password as soon as possible to avoid that their accounts are taken over by hackers or other users who managed to get hold of the list of leaked information. What makes this more pressing is the fact that the passwords have been saved in clear text in the database.
Update: According to the BBC, Yahoo is investigating the matter.
Advertisement
great article, Martin. If possible, publish more tutorials on Yahoo Pipes, please!
This was good, short & clear example!
Write another similar article,
with an example of “Fech Data”, in Yahoo Pipes…
Thanks!
my site have two rss: one for the articles and video. Thanks for sharing this it saves me from trouble.
Hi Martin,
Is it possible to make the pubDate to be visible just under the feed headline?
Regards,
Mannyee
Good question, I cannot really answer that unfortunately. Has been a long time since I last played around with Yahoo Pipes.
Very useful! Thanks
Unfortunately I want to combine 70 RSS feeds (student blogs I want to see in one go – http://changebydesign.wordpress.com/ ) but Pipes seems to limit me to 10 at a time.
I thought about creating a feed of ten, a feed of another ten, and then combining those… but it doesn’t work.
Any thoughts on how to go beyond the ten feed limit?
To have more than 10 use multiple Fetch Feeds and connect them to a UNION Operator.
Thanks for your help!