The top 10 passwords from the Yahoo hack: Is yours one of them?

Summary: Imagine a list of 450,000 user passwords ordered from the most popular to the least popular. Can you guess the 10 most popular passwords? Here, I'll give you the first one: 123456. Bonus: here's how to check if your account was hacked.

Update on July 13 - Yahoo fixes flaw behind 450,000 account hack

Yesterday the hacker group D33ds Company claimed responsibility for attacking a Yahoo service and exposing 453,492 plain text login credentials. Yahoo today confirmed 400,000 of its accounts were hacked, though it emphasized less than 5 percent of the credentials are valid. You can check whether your account was compromised here: Sucuri.

When you have 450,000 passwords, you can do a bit of analysis. ESET used the password analyser Pipal to compile some statistics (full data dump available on Pastebin).

First off, there were apparently only 442,773 passwords, contrary to the previously reported number I mentioned above. Secondly, 342,478 of them were unique, meaning that 100,295 passwords, or 22.65 percent of the total, were used by more than one person.

Here are the top 10 passwords from the Yahoo hack:

  1. 123456 = 1666 (0.38%)
  2. password = 780 (0.18%)
  3. welcome = 436 (0.1%)
  4. ninja = 333 (0.08%)
  5. abc123 = 250 (0.06%)
  6. 123456789 = 222 (0.05%)
  7. 12345678 = 208 (0.05%)
  8. sunshine = 205 (0.05%)
  9. princess = 202 (0.05%)
  10. qwerty = 172 (0.04%)

Here are the top 10 base words from the Yahoo hack:

  1. password = 1373 (0.31%)
  2. welcome = 534 (0.12%)
  3. qwerty = 464 (0.1%)
  4. monkey = 430 (0.1%)
  5. jesus = 429 (0.1%)
  6. love = 421 (0.1%)
  7. money = 407 (0.09%)
  8. freedom = 385 (0.09%)
  9. ninja = 380 (0.09%)
  10. writer = 367 (0.08%)

Here are the top 10 e-mail address domain names:

  • yahoo.com (31.07%)
  • gmail.com (24.14%)
  • hotmail.com (12.45%)
  • aol.com (5.76%)
  • comcast.net (1.93%)
  • msn.com (1.44%)
  • sbcglobal.net (1.17%)
  • live.com (0.97%)
  • verizon.net (0.68%)
  • bellsouth.net (0.64%)
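
The three tallies above (exact passwords, base words, e-mail domains) and the repeat percentage can be computed over any credential list you are responsible for auditing. The following is an added example, not Pipal's code and not from the article; the `email:password` input format, the constructed sample and the base-word rule are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in email:password form (not taken from the leaked data).
SAMPLE = """\
alice@yahoo.com:123456
bob@gmail.com:password
carol@yahoo.com:Password1
dave@hotmail.com:ninja
erin@yahoo.com:ninja123456
frank@gmail.com:123456
grace@aol.com:welcome!
heidi@yahoo.com:tr0ub4dor&3
ivan@gmail.com:password
judy@yahoo.com:123456
broken line without separator
"""

def parse(dump):
    """Yield (domain, password); split on the first ':' only, skip malformed lines."""
    for line in dump.splitlines():
        user, sep, pw = line.partition(":")
        if sep and "@" in user and pw:
            yield user.rsplit("@", 1)[1].lower(), pw

def base_word(pw):
    """Assumed rule: lower-case, strip leading/trailing non-letters, need >= 4 letters."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core if len(core) >= 4 and core.isalpha() else None

def analyse(dump, top=3):
    rows = list(parse(dump))
    pw = Counter(p for _, p in rows)
    bases = Counter(b for _, p in rows if (b := base_word(p)))
    domains = Counter(d for d, _ in rows)
    total = len(rows)
    return {
        "total": total,
        "unique": len(pw),
        # Same arithmetic as the article's 22.65%: (total - unique) / total.
        "repeat_pct": round(100 * (total - len(pw)) / total, 2) if total else 0.0,
        "top_passwords": pw.most_common(top),
        "top_base_words": bases.most_common(top),
        "top_domains": domains.most_common(top),
    }

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

Note how `Password1` and `ninja123456` count toward the base words `password` and `ninja` even though neither appears in the exact-match ranking, which is why the two top-10 lists differ.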

If you have a Yahoo account, you should change your password, just to be on the safe side. Furthermore, if you use the same e-mail address and password combination elsewhere, you should change it there as well.

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Talkback

19 comments
  • Surprising!

    12345 is not in the top 10?!?
    Jean-Pierre-
    • Don't most places, yahoo included

      require the PW to be 6 characters long, min.?
      William Farrel
      • Though ninja is in the top 10

        With only 5 characters...

        Also, does nobody use caps in password or is the list not cap sensitive?
        lepoete73
  • Why is no one questioning why the passwords were plain text?

    LinkedIn was getting slam dunked a few weeks ago for having hashed passwords hacked. Why am I guessing that Yahoo won't get half the scrutiny?
    Michael Kelly
  • Longer is better

    Which is why I chose: ninjaprincess
    davebarnes
    • sheesh...

      now I have to change my ninja123456 password? oy that sucks.
      Badgered
  • Glad to see monkey made it

    Always a winner.
    klumper
    • Interesting why people are using word monkey?

      Out of other options... why not mouse? :)
      Tomas M.
  • how can sucuri get the list of emails?

    who is sucuri anyway.. is this some kind of spam scam to get email addresses?
    rabbids-1d765
  • One of those looks similar to what President Skroob used...

    sorry for the esoteric comedy reference...
    HypnoToad72
  • Not so bad

    First thought "damned ! how can so many people still use "123456" as a password !".
    But in reality, despite the top1 rank, it represents only 0.3% of them.
    This means that a minority of people still don't understand/care.
    SebFR
  • It's not the passwords, it's the DB structure

    Again, they are trying to blame people's passwords for the hack. People's inane or stupid passwords is NOT how the hackers gained access to the database; that was done by injecting SQL join code via text fields on a form whose form fields were not sanitized against attack. Shame on Yahoo and shame on LinkedIn, LastFM et al. Hire some real security gurus and some database managers who are worth a shit.
    KineticArtist
  • Check if your Yahoo account was hacked! - http://bit.ly/LliWnQ

    Check if your Yahoo account was hacked! - http://bit.ly/LliWnQ
    TechPlusBlog
  • Interestingly enough...

    I've been using the same password for a couple of years now for the favourite casual/hobby sites I belong to and haven't had it guessed/hacked/stolen yet.

    Of course, I use different passwords for each of my "social"/networking sites (e.g. Yahoo, Facebook, LinkedIn, et al) based on numerals, symbols, and non-English cursewords.... ;)

    For sensitive sites such as my bank and web-based stores, I use a password that my brother ginned up for me (he is a retired code wallah). And yes, I admit that I am (as is everyone on line) vulnerable to having my password stolen by a successful break in such as the Yahoo one.

    You pays your money and you takes your chances, eh?
    RangerJimK
  • tip

    For my password I'm always using a basic part, and extend it with a combination of letters from the URL where I create the account. Eg. for google it could be [fixedpart][goo] (-->first three letters). For facebook it would be [fixedpart][fac].

    Also possible to put it in front, the middle, add a number at the back etc... Works really well for me though.
    sandervessies