Update on July 13 - Yahoo fixes flaw behind 450,000 account hack

Yesterday the hacker group D33ds Company claimed responsibility for attacking a Yahoo service and exposing 453,492 plain text login credentials. Yahoo today confirmed 400,000 of its accounts were hacked, though it emphasized less than 5 percent of the credentials are valid. You can check whether your account was compromised here: Sucuri.

When you have 450,000 passwords, you can do a bit of analysis. ESET used the password analyser Pipal to compile some statistics (full data dump available on Pastebin).

First off, there were apparently only 442,773 passwords, contrary to the previously reported number I mentioned above. Secondly, 342,478 of them were unique, meaning that 100,295 passwords, or 22.65 percent of the total, were used by more than one person.

Here are the top 10 passwords from the Yahoo hack:

123456 = 1666 (0.38%)

password = 780 (0.18%)

welcome = 436 (0.1%)

ninja = 333 (0.08%)

abc123 = 250 (0.06%)

123456789 = 222 (0.05%)

12345678 = 208 (0.05%)

sunshine = 205 (0.05%)

princess = 202 (0.05%)

qwerty = 172 (0.04%)

Here are the top 10 base words from the Yahoo hack:

password = 1373 (0.31%)

welcome = 534 (0.12%)

qwerty = 464 (0.1%)

monkey = 430 (0.1%)

jesus = 429 (0.1%)

love = 421 (0.1%)

money = 407 (0.09%)

freedom = 385 (0.09%)

ninja = 380 (0.09%)

writer = 367 (0.08%)
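The sketch below is an added example, not Pipal's code or ESET's: it shows how the figures above are derived, and why "password" scores higher as a base word (1373) than as an exact password (780). The sample list is constructed, and `base_word`, `repeat_share`, `analyse` and the `min_base_len` cut-off are hypothetical names and assumptions that only approximate Pipal's behaviour.

```python
import re
from collections import Counter

# Constructed sample for illustration; not data from the Yahoo dump.
SAMPLE = [
    "123456", "password", "Password1", "password!", "123456",
    "ninja", "ninja22", "welcome", "1welcome", "sunshine",
    "123456", "qwerty", "Qwerty12", "password", "7777",
]

def base_word(password):
    """Lowercase, then strip non-letters from both ends.
    Assumption: approximates what Pipal reports as a 'base word'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())

def repeat_share(total, unique):
    """The article's arithmetic: (total - unique) and its share of total."""
    repeats = total - unique
    return repeats, round(100.0 * repeats / total, 2)

def analyse(passwords, top=3, min_base_len=4):
    total = len(passwords)
    exact = Counter(passwords)              # case-sensitive, exact matches
    # All-digit passwords collapse to "" and are dropped by the length cut-off.
    bases = Counter(b for b in map(base_word, passwords)
                    if len(b) >= min_base_len)
    repeats, repeat_pct = repeat_share(total, len(exact))

    def ranked(counter):
        return [(w, n, round(100.0 * n / total, 2))
                for w, n in counter.most_common(top)]

    return {
        "total": total,
        "unique": len(exact),
        "repeats": repeats,
        "repeat_pct": repeat_pct,
        "top_passwords": ranked(exact),
        "top_base_words": ranked(bases),
    }

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(key, value)
```

Run against an organisation's own rejected-password or breach-check list, the base-word ranking shows which dictionary words a password policy should block even when users pad them with digits or punctuation.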

Here are the top 10 e-mail address domain names:

yahoo.com (31.07%)

gmail.com (24.14%)

hotmail.com (12.45%)

aol.com (5.76%)

comcast.net (1.93%)

msn.com (1.44%)

sbcglobal.net (1.17%)

live.com (0.97%)

verizon.net (0.68%)

bellsouth.net (0.64%)

If you have a Yahoo account, you should change your password, just to be on the safe side. Furthermore, if you use the same e-mail address and password combination elsewhere, you should change it there as well.
