Nearly Half a Million Yahoo Passwords Leaked [Updated]

An anonymous reader writes "Some 450,000 email addresses and associated unencrypted passwords have been dumped online by the hacking collective 'D33Ds Company' following the compromise of a Yahoo subdomain. The attackers said that they managed to access the subdomain by leveraging a union-based SQL injection attack, which made the site return more information that it should have. According to Ars Technica, the dump also includes over 2,700 database table or column names and 298 MySQL variables retrieved during the attack." Update: 07/12 20:03 GMT by T :Reader techfun89 adds this update: "Yahoo has confirmed that the usernames and passwords of more than 400,000 accounts were stolen from their servers earlier this week and that data was briefly posted online. The information has since been removed but it wasn't just credentials for Yahoo, but also Gmail, AOL, Comcast, Hotmail, MSN, SBC Global, BellSouth, Verizon and Live.com as well."

File here:

http://d33ds.co/archive/yahoo-disclosure.txt

Slashdotted, more info here:
http://dazzlepod.com/yahoo/

SQL Injection, in this day and age?

Fuck yahoo, fuck the cloud, fuck all the big providers...

Re:File

http://it.slashdot.org/comments.pl?sid=2974701&cid=40627163

Re:Plaintext passwords again?

SQL injection AGAIN? There's just no damned excuse for it.

Several people have made similar comments. What worries me is that they are not also slamming them for storing passwords in plaintext AGAIN. User passwords should not be stored anywhere on the system. You store a salt and hash of the password - this is fine for login, but fairly useless for hackers should they get it.

You don't store just any hash, you should store one that is expensive to compute, by using PBKDF2, bcrypt, scrypt or similar.