Yahoo and Billabong Password Dumps Analyzed

Thursday, July 19, 2012

Dan Dieterle


Wow, not one, but two password dumps in one day. Hackers leaked a very large number of Billabong and Yahoo passwords in plain text with no need to try to crack them.

We looked at the passwords using the analysis tool Pipa.

Yahoo Dump Analysis

This one is huge, almost 450,000 users. Though from numerous reports most of these accounts leaked were not active, the latest reports are saying that many of the included cracked accounts were passwords to other sites. According to ABC News:

Some of the Yahoo Voices’ accounts listed email addresses with AOL, Gmail, Hotmail and Windows Live. Security firm Sucuri said that more than 100,000 Gmail addresses were included in the breach.”

(click image to enlarge)

And take into account that many people never change their passwords or use the same password at multiple sites and this is very concerning. Well, let’s go ahead and take a look at the dump as analyzed with Pipal.

Here are the top 7 Password Lengths:

The Complexity of the Passwords:

And Character Sets Used:

And as always, for some odd reason the password “monkey” always seems to show up in the top 10 lists. But this time it did not make it as a top 10 password:

It seems to have been supplanted by the password “0″. Two hundred and two people actually used “0″ as a password!

Okay for the record, “monkey” was not a complete no-show. It was one of the top 10 base words!

It beat out Jesus, love, money and ninja!

All joking aside, what is bothersome is that some of the passwords leaked are pretty good passwords.

Check these out:

  • $coreS1BgM0rsl4me
  • $r87*CQG>36rkM

These would have taken a long time to crack if they had to be cracked manually. But here is the kicker, as the database that held the passwords was compromised via SQL injection, the hackers were able to grab the contents of the entire database.

It doesn’t matter that some of the users had 17 character+ complex passwords. There was a web application security issue that led to the entire account database being dumped.

This really should drive home the fact of using good security measures at the network and especially the application server levels.

Billabong Dump Analysis

(click image to enlarge)

Over 20,000 passwords, supposedly leaked from Billabong have been floating around. And as usual, I like to grab the passwords and analyze them for patterns. So I took 21,435 of them and ran them through the password analysis program Pipal.

Here are the top 7 Password Lengths:

The Complexity of the Passwords:

And Character Sets Used:

And finally, and most importantly, the question that we always ask and the one that everybody wants to know.

Was “Monkey” one of the top passwords?

The answer is….


Pfhew, had us worried there. It slipped down to #10 – but as usual in password dumps – along with the company name, “password”, and “12345″ – our favorite password “monkey” is there!

Cross-posted from Cyber Arms

Possibly Related Articles:
Network Access Control
Information Security
Passwords Yahoo Access Control Login Analysis Data Dump Pipal Billabong
Post Rating I Like this!
Johnny Cash Old fashioned carder I have only Australia dumps 101 with PIN.
Please do no ask about anything else.
Good prices, first 15 get 1+1 FREE. PayPal available.
COntact at
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.