Takeaway: Hackers have posted 450K Yahoo email addresses and passwords online, and hint Gmail, Hotmail, other services are next. How can you check if your users’ accounts are among them?

Hackers posted more than 400,000 Yahoo Voice and email names and passwords and the posting might not be over yet.

Yahoo reps say they are working on the compromised system–not great timing for a beleaguered company enduring what Yahoo chair Alfred Amoroso called a “tumultuous” time for the company. The firm apologized in an online statement and did not comment further at this writing.

Not a Yahoo user? IT pros and security experts worry this most recent hack on Yahoo – allegedly perpetrated by a group calling itself d3dd3 – is likely “way bigger than Yahoo,” said Marcus Carey, in a Reuters report. Hotmail, MSN, Live, Gmail and other personal services are at risk, too, he said.

NOTE: If you want to check your own or other users’ Yahoo emails to see if they are part of the current leak, there’s an easy way to check here at Sucuri Malware Labs. Just type in the email address and search.

Plan for next time

Change passwords. Consider training customers on utilities like Lastpass. IT pros we interviewed across the board said users in enterprises who use open cloud-based email services, or other non-enterprise communication methods like Skype or Google Groups, should, at the very least, be using such utilities, which provide more control and protection in case of events like this one.

With so much data potentially compromised via users relying on such BYOD services as these, “the process (to avoid future attacks) is much easier if (users) have Lastpass,” said John Livingston, a tech pro for the American Red Cross in Savannah, Georgia. “Time to change your Yahoo, Google, Hotmail, and AOL passwords. And with LastPass, each site and service has a unique password, which limits damage if the password does get out. Changing passwords then is quick and easy. Plus if you’re a manager you don’t have to worry about remembering a new password.”

“Once this clears, I will be changing the passwords for Gmail, even though there’s no confirmation on that (hack) yet,” said Brian Geniesse, who works the IT tech desk at his firm in Monominee, Michigan. “Also be careful. Password managers can be hacked just the same.”

Yahoo is to blame ultimately, most IT pros we interviewed told us.

“Shame on Yahoo for not running normal security audits on (its) networks – and services that would have detected the SQL injection vulnerability (reportedly) used in the attack,” adds Dan Phillips, an IT pro in Cambridge, Ontario, Canada.

Geniesse expanded on that with a message that will resound with most IT pros and CTOs. Most people use weak passwords–see below.

“You can preach the use of LastPass and the like until you are blue in the face but users will never change their habits unless you force them,” Geniesse said. And “Yahoo needs to force some kind of password complexity to help protect their users.”

So many folks are checking the hack post, the hackers allegedly responsible are having trouble maintaining traffic load. Due to high traffic on this group’s site, the page with the Yahoo hacked emails and passwords is going up and down. We caught part of it in a cut and paste.

When it was up earlier today, it read in part:

We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call … not as a threat …

There have been many security holes exploited in webservers belonging to Yahoo … ?that have caused far greater damage than our disclosure (today). Please do not take (the posting) lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage …

The author quotes author Jean Vanier from his book, Becoming Human: “Growth begins when we begin to accept our own weakness,” Vanier wrote.

If you’re a Star Wars, Star Trek or comic book fan, just change your passwords right away, other observers add. And talk your users into it to. Check this out: CNET’s Declan McCullagh wrote a program to analyze the most frequently used passwords using data from the post of 450K email addresses and passwords. He listed:

  • 2,295: The number of times a sequential list of numbers was used, with “123456? by far being the most popular password. There were several other instances where the numbers were reversed, or a few letters were added in a token effort to mix things up.
  • 160: The number of times “111111? is used as a password, which is only marginally better than a sequential list of numbers. The similarly creative “000000? is used 71 times.
  • 780: The number of times “password” was used as the password. Apparently, absolutely no thought went into security in these instances.
  • 233: The number of times “password” was used in conjunction with a few numbers behind it. Apparently, the barest minimum of thoughts went into security here.
  • 437: The number of times “welcome” is used. With a password like that, you’re just asking to be hacked.
  • 333: The number of times “ninja” is used. Pirates, unfortunately, didn’t make the list.
  • 137,559: The number of Yahoo credentials that were leaked.
  • 106,873: The number of Gmail credentials that were leaked. Hotmail, which was the next most frequently cited e-mail service, had fewer than half the number of users hit.
  • 161: The number of times “freedom” is used, suggesting a lot of patriotic users. “America” was used 68 times.
  • 161: The number of times the f-word is used in some combination. There are a lot of angry people out there.
  • 133: The number of times “baseball” appears as a password. It’s the most popular sport on the list, proving that it is indeed America’s national pastime. It just may not be the best password.
  • 106: The number of times “superman” is used as a password. That’s nearly double the amount of times “batman” is used and triple the frequency of “spiderman.”
  • 52: The number of times “starwars” is used. The force is not with this password.
  • 56: The number of times “winner” is used.32: The number of times “lakers” appears. It tied with “maverick,” although fortunately “the_heat” or “celtics” weren’t on this list.
  • 27: The number of times “ncc1701? is used as a password. For those of you who aren’t trekkies, that’s the designation code for the Starship Enterprise. “startrek” is used 17 times, while “ncc1701a,” the designation for the Enterprise used in later Star Trek movies, is used 15 times.