Yahoo! hack! leaks! 453,000! unencrypted passwords!
UNION ALL SELECT here, we, go, again FROM passwords
Posted in Security, 12th July 2012 10:48 GMT
Watch Now : Virtual Machine Movement with Hyper-V
A Yahoo! service has apparently succumbed to a simple database attack that leaked 453,000 unencrypted account passwords online.
A huge document containing the lifted SQL structures, software variables, usernames and cleartext passwords was linked to from a web forum. In the file, the hackers described the break-in as "a wake-up call and not a threat".
The data dump included the hostname dbb1.ac.bf1.yahoo.com, which is associated with the blog-like service Yahoo! Voices, TrustedSec reports - although there was some confusion over whether the hacked service was in fact the internet telephone call app Yahoo! Voice.
The compromise was all too typical: a union-based SQL injection attack that tricked the website into handing over more information that it really should, Ars Technica reports. A hacking crew called the D33Ds Company claimed responsibility for the assault.
Security firm Eset has carried out a preliminary statistical analysis of the leaked credentials here. A disappointing - but not surprising - number of the exposed passwords included, er, "password", "welcome", "Jesus" and "ninja".
It's unclear why Yahoo! Voices was storing unencrypted passwords in its backend database - unsalted one-way encrypted hashes would have been bad enough. ®
Send corrections
Top 10 SIEM implementer’s checklist
The new Office Garage series:
IT infrastructure monitoring strategies
Data control in the cloud
