Yahoo! hack! leaks! 453,000! unencrypted passwords!
UNION ALL SELECT here, we, go, again FROM passwords
A Yahoo! service has apparently succumbed to a simple database attack that leaked 453,000 unencrypted account passwords online.
A huge document containing the lifted SQL structures, software variables, usernames and cleartext passwords was linked to from a web forum. In the file, the hackers described the break-in as "a wake-up call and not a threat".
The data dump included the hostname dbb1.ac.bf1.yahoo.com, which is associated with the blog-like service Yahoo! Voices, TrustedSec reports - although there was some confusion over whether the hacked service was in fact the internet telephone call app Yahoo! Voice.
The compromise was all too typical: a union-based SQL injection attack that tricked the website into handing over more information than it really should, Ars Technica reports. A hacking crew called the D33Ds Company claimed responsibility for the assault.
Security firm Eset has carried out a preliminary statistical analysis of the leaked credentials. A disappointing - but not surprising - number of the exposed passwords included, er, "password", "welcome", "Jesus" and "ninja".
It's unclear why Yahoo! Voices was storing unencrypted passwords in its backend database - unsalted one-way encrypted hashes would have been bad enough. ®
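To make the closing point concrete, here is an added example (not from the article or from Yahoo!) that stores the same constructed accounts two ways: as unsalted fast hashes, where identical passwords produce identical digests, and as salted, slow PBKDF2 hashes. The choice of SHA-1 as the unsalted stand-in, PBKDF2-HMAC-SHA256, the iteration count, the function names and the sample accounts are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune to your hardware


def unsalted_sha1(password: str) -> str:
    """The 'bad enough' scheme: fast, unsalted, same input gives same digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, deliberately slow hash; salt and cost are stored with the digest."""
    salt = os.urandom(16)  # fresh random salt per account
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def accounts_sharing_a_value(table: dict) -> int:
    """Count accounts whose stored value is identical to another account's."""
    counts = Counter(table.values())
    return sum(n for n in counts.values() if n > 1)


# Constructed sample accounts using passwords the article says were common.
SAMPLE = {"alice": "password", "bob": "password", "carol": "ninja", "dave": "welcome"}

if __name__ == "__main__":
    unsalted = {user: unsalted_sha1(pw) for user, pw in SAMPLE.items()}
    salted = {user: hash_password(pw) for user, pw in SAMPLE.items()}
    print("unsalted, accounts sharing a digest:", accounts_sharing_a_value(unsalted))
    print("salted,   accounts sharing a value: ", accounts_sharing_a_value(salted))
    print("login check:", verify_password("ninja", salted["carol"]))
```

With the unsalted table, anyone holding the dump can see which accounts share a password and can check every row against one precomputed list; with per-account salts and a slow hash, each row has to be attacked separately.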