
Yahoo site hacked, 450K passwords posted online

The hackers appear to have executed the breach through SQL injection, one of the most primitive and common methods of attack.

In the latest security breach, hackers infiltrated Internet search company Yahoo, accessing sensitive information from within the database.

A hacker group known as D33Ds Company reportedly stole nearly half a million Yahoo users’ email addresses and passwords and published them online.

The hacked content posted for public access includes plaintext credentials for 453,492 Yahoo accounts, more than 2,700 database table or column names, and 298 MySQL variables.

Security firm TrustedSec, the first to report the breach, stated: “The most alarming part to the entire story was the fact that the passwords were stored completely unencrypted and the full 400,000+ usernames and passwords are now public.”

The servers appear to have been compromised by the D33Ds Company with the intention of warning Yahoo about its lax security.

SQL injection attack
The hackers appear to have executed the breach through SQL injection. The technique, one of the most primitive and common methods of attack, can successfully exploit vulnerable websites that “don't properly scrutinize text entered into search boxes and other user input fields.”

Because unchecked input is interpreted as part of the query itself, the technique can be used to trick a database server into handing over large amounts of sensitive information stored at the database layer.
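As an added illustration (not code from the article, TrustedSec or Yahoo), the two defects the story names side by side: an account lookup that pastes user input into the SQL text beside its parameterized fix, and plaintext password storage beside salted hashing. The table, the user records and the probe string are constructed for the example.

```python
import hashlib
import os
import re
import sqlite3

# Constructed sample data standing in for a content site's user table.
SAMPLE_USERS = [
    ("alice@example.com", "plaintext-pw-1"),
    ("bob@example.com", "plaintext-pw-2"),
    ("carol@example.com", "plaintext-pw-3"),
]


def make_db():
    """In-memory table that, like the leaked Yahoo data, keeps passwords in the clear."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, email):
    # Defect: the user-supplied value is pasted into the SQL text, so a quote
    # in the input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT email, password FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    # Fix: the value is bound as a parameter, so the driver hands it to the
    # database as data and it can never change the query's structure.
    sql = "SELECT email, password FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed tautology probe: with the concatenated query above it turns a
# single-account lookup into a dump of the whole table.
CONSTRUCTED_PROBE = "' OR '1'='1"


def looks_like_injection_probe(value):
    """Log-review heuristic: a quote followed by a boolean keyword is rare in honest input."""
    return re.search(r"'\s*(or|and|union)\b", value, re.IGNORECASE) is not None


def hash_password(password, salt=None):
    """What should be stored instead of plaintext: salted PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, _ = stored.split("$")
    return hash_password(password, bytes.fromhex(salt_hex)) == stored
```

Run against the sample table, the parameterized lookup returns nothing for the probe string while the concatenated one returns every row, which is the difference between a 404 and a 450K-credential leak.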

A brief note by the D33Ds Company accompanying the leaked file stated, “We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”

Yahoo Voices compromised?
It is still unclear which service was infiltrated. The TrustedSec blog is reporting that the details were retrieved from Yahoo Voice, the company’s service that pays freelance writers for content.

Others believe the target was Yahoo Voices (with an s), the company’s user-generated content service.

Given that many users reuse the same password across multiple services from one provider, it is best to change the password.