Yahoo! user passwords often match the credentials found in leaks from other sites
Study: AppSec is Eating Security
Date: April 27 2015
Alex Stamos: "Our experience is we have intelligence guys that go out and buy, every time there's a bad password dump, our guys go buy it off the black market. Then we go run a big [unknown word] job and go crack those against our own password hashes, and we find 10% to 20% of them match. So we'll take, if it's a Gmail account we'll strip off the Gmail and see if the first username is still a Yahoo user. And we'll do some transforms and stuff. And it turns out, obviously as everybody in here knows, a ridiculous number of people use the same password at every single web site in their lives. And so, if they lose one password they've lost their entire life."
[In response to an audience question] "The biggest challenge facing Yahoo? I think by far the biggest challenge is user security. It's not people breaking into us, it's making our product safe for normal users. The 'death of the password' paradigm and replacing it is by far the worst thing. I have a constant Twitter feed in TweetDeck for 'Yahoo' and 'hacked'. And every day people are saying 'my Yahoo account is hacked'. And I'll go find a random sampling, and we'll go look, and we'll say 'yep, we figured out Sally, her password was in the eBay dump' or something like that, or some crappy little place. And this is where the bad guys came in and they did it. There's, in theory, nothing we can do. In practice it means we need to rebuild how we interact with Sally so that she isn't using the same password everywhere. And if she loses her password it's not a complete disaster. So yeah, by far the password problem is my biggest problem."
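The matching step Stamos describes (strip the mail domain from a leaked identifier, then check the leaked password against that account's own stored hash), as an added example that is not Yahoo's code: every account, salt and leaked pair below is constructed, and the leak is assumed to be in plaintext.

```python
"""Flag local accounts whose password also appears in a third-party credential leak.
Added example, not Yahoo's tooling: constructed leaked (identifier, plaintext
password) pairs are checked against our own store of salted PBKDF2-HMAC-SHA256
hashes; an account is flagged when its hash verifies against the leaked password."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000

def normalize_identity(identifier: str) -> str:
    """'Sally@gmail.com' -> 'sally': strip the mail domain so a third-party
    address can be compared, case-insensitively, with a local account name."""
    return identifier.split("@", 1)[0].strip().lower()

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    # Constant-time comparison so the check itself leaks nothing about the hash.
    return hmac.compare_digest(hash_password(password, salt), stored_hash)

def make_user_store(accounts):
    """Build {username: (salt, hash)} from (username, password) pairs."""
    store = {}
    for username, password in accounts:
        salt = os.urandom(16)
        store[username] = (salt, hash_password(password, salt))
    return store

def find_reused_credentials(leak, user_store):
    """Sorted local usernames whose stored hash verifies against a leaked password."""
    flagged = set()
    for identifier, leaked_password in leak:
        username = normalize_identity(identifier)
        record = user_store.get(username)
        if record is None:
            continue  # the leaked identity is not one of our users
        salt, stored_hash = record
        if verify_password(leaked_password, salt, stored_hash):
            flagged.add(username)  # candidate for a forced reset
    return sorted(flagged)

# Constructed sample data: made-up accounts and a made-up leak, not a real dump.
OUR_ACCOUNTS = [("sally", "Summer2014!"), ("bob", "correct horse battery"), ("carol", "Tr0ub4dor&3")]
LEAKED_CREDENTIALS = [
    ("Sally@gmail.com", "Summer2014!"),        # reused across sites: flagged
    ("bob@example.org", "not-bobs-password"),  # our user, but a different password
    ("dave@example.net", "Summer2014!"),       # not one of our users
]
USER_STORE = make_user_store(OUR_ACCOUNTS)
```

When the dump itself holds only hashes, this direct verification does not apply, because the two sides use different salts and algorithms; that is the separate "crack" step the quote refers to.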