
Yahoo Groups archive

Korg Poly800/EX800 Users

Index last updated: 2026-04-05 20:10 UTC


Re: [korgpolyex] Yahoo flaw - server or client side?

2013-02-08 by Michael Hawkins

My point was that the password is unique. I never use the same password for any Internet login. Making your passwords obscure does help when determining the method by which an account is hacked.

I still am yet to find any genuine story where large numbers of passwords (>1000) were sniffed. It's just not feasible to do so in any decent large ISP. So for example, if you're in the domestic US (and I would posit, any western country) it's extremely unlikely anyone will ever sniff more than a handful of passwords. So this yahoo hack certainly isn't that.

What I am hearing (through the channels that I have access to) confirms my theory. Yahoo has some kind of a serious server side vulnerability that is allowing spammers to hijack accounts WITHOUT needing the users' passwords. One of my yahoo email accounts was the source of spam but my password was not changed, I wasn't logged in at all when the spam was sent, I only ever log in to that Yahoo account using a LINUX machine and my password is a unique MD5 alphanumeric hash. The fact that I use a hash doesn't make it more secure but it does help to confirm that the hacking was server side.

Mike

________________________________
From: Gordon JC Pearce <gordon@...>
To: korgpolyex@yahoogroups.com
Sent: Friday, February 8, 2013 8:06 AM
Subject: Re: [korgpolyex] Yahoo flaw - server or client side?

On 08/02/13 03:14, Michael Hawkins wrote:

> I say this because I work in networks and information security and even
> my yahoo email was used to send spam. Now, I use MD5 hashes as my
> passwords, so they are all unique and very near impossible to guess. I

Aww, looks like I got something wrong.  I wanted to make the point that 
it's generally fairly easy to spoof email senders, but I suspect I got 
filtered by Yahoo! Groups.

Anyway, md5 hashes of what?  Do you mean your password is a longish 
string of alphanumerics?  That doesn't guarantee that the password is 
secure.  Unless you're using SSL it's fairly easy for a malicious user 
on your network to sniff your passwords (but not as easy as people make 
it out to be in the general case).  This is why Kerberos is such a 
complicated bugger to work out...

-- 
Gordonjcp MM0YEQ
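The exchange above turns on Gordon's question "md5 hashes of what?": a hex digest looks random, but if it was produced by hashing a guessable phrase its strength is that of the phrase, since anyone with the same phrase list gets the same digest. The following password-policy check is an added example, not code from the thread or from Yahoo; the weak-phrase list is a constructed stand-in for a real wordlist and the function names are hypothetical. It flags a submitted password that equals the MD5/SHA-1/SHA-256 digest of a listed phrase, and contrasts it with a same-shaped string drawn from the OS CSPRNG, which carries the full 128 bits of entropy that the digest only appears to have.

```python
import hashlib
import secrets
import string
from typing import Optional

# Hex-digest lengths of the algorithms people commonly use to "randomise" a password.
DIGEST_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed sample of guessable source phrases (a real policy would use a breach/wordlist).
WEAK_PHRASES = ["password", "letmein", "korg", "poly800", "yahoo2013"]


def looks_like_digest(candidate: str) -> Optional[str]:
    """Return the algorithm whose hex digest this string has the shape of, else None."""
    if len(candidate) in DIGEST_ALGOS and all(c in string.hexdigits for c in candidate):
        return DIGEST_ALGOS[len(candidate)]
    return None


def derived_from_weak_phrase(candidate: str, phrases=WEAK_PHRASES) -> Optional[str]:
    """If the candidate equals the digest of a listed phrase, return that phrase."""
    algo = looks_like_digest(candidate)
    if algo is None:
        return None
    lowered = candidate.lower()
    for phrase in phrases:
        # Same comparison a breach-list filter makes: hash the known phrase, compare digests.
        if hashlib.new(algo, phrase.encode()).hexdigest() == lowered:
            return phrase
    return None


def assess(candidate: str) -> dict:
    """Policy verdict: a digest of a guessable phrase is only as strong as that phrase."""
    algo = looks_like_digest(candidate)
    source = derived_from_weak_phrase(candidate)
    if source is not None:
        return {"accept": False, "reason": f"{algo} digest of guessable phrase {source!r}"}
    if algo is not None:
        return {"accept": True, "reason": f"{algo}-shaped string, source phrase not in list"}
    return {"accept": True, "reason": "not a bare hex digest"}


def random_hex_password(nbytes: int = 16) -> str:
    """32 hex chars from the OS CSPRNG: same look as an MD5 digest, genuinely 128 bits of entropy."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    for pw in [hashlib.md5(b"password").hexdigest(), random_hex_password()]:
        print(pw, assess(pw))
```

The point the check makes explicit: the string in Mike's "MD5 alphanumeric hash" is as strong as whatever was hashed to make it, while `secrets.token_hex(16)` gives a string of the same shape whose strength does not depend on keeping a source phrase secret. Neither protects a password that is sent in the clear on an untrusted network, which is Gordon's separate point about SSL.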
