Yahoo! hack! leaks! 453,000! unencrypted passwords!
UNION ALL SELECT here, we, go, again FROM passwords
A Yahoo! service has apparently succumbed to a simple database attack that leaked 453,000 unencrypted account passwords online.
A huge document containing the lifted SQL structures, software variables, usernames and cleartext passwords was linked to from a web forum. In the file, the hackers described the break-in as "a wake-up call and not a threat".
The data dump included the hostname
dbb1.ac.bf1.yahoo.com, which is associated with the blog-like service Yahoo! Voices, TrustedSec reports - although there was some confusion over whether the hacked service was in fact the internet telephone call app Yahoo! Voice.
The compromise was all too typical: a union-based SQL injection attack that tricked the website into handing over more information that it really should, Ars Technica reports. A hacking crew called the D33Ds Company claimed responsibility for the assault.
Security firm Eset has carried out a preliminary statistical analysis of the leaked credentials here. A disappointing - but not surprising - number of the exposed passwords included, er, "password", "welcome", "Jesus" and "ninja".
It's unclear why Yahoo! Voices was storing unencrypted passwords in its backend database - unsalted one-way encrypted hashes would have been bad enough. ®
They stored unencrypted passwords? Really?
I'm a feckin' moron and even I don't store unencrypted passwords!
BigYin standard fine should apply (£1,000 per breach) and in this case that's a x5 multiplier due to the seriousness. So Yahoo! should pay £2.265 billion to the relevant authorities. Recovery should begin by asset-stripping the directors.
OK, the above is OTT but the general point applies; only by making the directors directly liable will anything change. Applies to banks etc too.
Re: Wait, what?
"They stored unencrypted passwords? Really? I'm a feckin' moron and even I don't store unencrypted passwords!"
There's a time and a place for language like "feckin' moron" and this was it.
Re: Wait, what?
Yes, I suspect labelling this as criminal negligence is the only way corporations are really going to change their ways of thinking from "meh, we don't care about security as long as it isn't too obviously atrocious and we can roll out the 'never been hacked, one time occurrence, no evidence of serious loss, learn from these mistakes' PR blah when things go wrong" to "I'd better make sure my loyal henchmen really secure this environment because I don't want to go to jail or face a massive fine".
Another sentence here to show I can write shorter ones ;)