Nearly Half a Million Yahoo Passwords Leaked [Updated]
An anonymous reader writes "Some 450,000 email addresses and associated unencrypted passwords have been dumped online by the hacking collective 'D33Ds Company' following the compromise of a Yahoo subdomain. The attackers said that they managed to access the subdomain by leveraging a union-based SQL injection attack, which made the site return more information than it should have. According to Ars Technica, the dump also includes over 2,700 database table or column names and 298 MySQL variables retrieved during the attack."
Update: 07/12 20:03 GMT by T: Reader techfun89 adds this update: "Yahoo has confirmed that the usernames and passwords of more than 400,000 accounts were stolen from their servers earlier this week and that data was briefly posted online. The information has since been removed, but it wasn't just credentials for Yahoo, but also Gmail, AOL, Comcast, Hotmail, MSN, SBC Global, BellSouth, Verizon and Live.com as well."
When will people ever learn? And not just SQL injection attacks. I had to actually write a destructive exploit for a popen injection attack on an MMORPG before the rest of the dev team would believe me that it was a serious vulnerability (it had code such that if you said a URL, people could click on it... except they were just passing what the user wrote to popen, tacked onto the end of your browser-launch string). People just never seem to wrap their heads around the fact that you never use raw user input for anything that a parser will look at, at any point in time!
Here's probably the funniest discussion thread on injection attacks, ever.
sed "s/SJW.*$/... never mind. I was about to say something stupid, and also, I'm a troglodyte./Ig"
Does anyone have a link to the leak? You know, I want to check if my password was leaked.
I sure wish these dumbasses would learn to secure their shit. SQL injection AGAIN? There's just no damned excuse for it.
This isn't hard to test for. Hell, this isn't hard to guard against. This is an "oh, I'll just shoot myself in the foot now, ah-hyuk! *BANG* Ow, that hurts, what happened?" type of negligence.
If the incompetent designers don't get their shit together you're going to see gov't get involved. All it would take is for a hack to finally affect the "right" people. Nobody wants that except gov't.
Seems to be common practice that sites store plaintext passwords these days. One would think the programmers knew better; is it an attempt to speed-optimize things that they leave out hashing?
Or is there a more sinister reason, someone twisting their arm around.
So, the republicans are right. Unions are evil. ;)
"For I desired mercy, and not sacrifice" -- God
http://d33ds.co/archive/yahoo-disclosure.txt
Slashdotted, more info here:
http://dazzlepod.com/yahoo/
SQL Injection, in this day and age?
Fuck yahoo, fuck the cloud, fuck all the big providers...
Several people have made similar comments. What worries me is that they are not also slamming them for storing passwords in plaintext AGAIN. User passwords should not be stored anywhere on the system. You store a salt and hash of the password - this is fine for login, but fairly useless for hackers should they get it.
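An added example of the storage scheme the comment above describes (not code from the thread, from Yahoo, or from any of the sites named): each account gets its own random salt, the password is run through a slow, salted hash, and a login is checked by recomputing that hash. The record format, the iteration count and the sample accounts are my own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Tunable parameters; these values are assumptions for the example, not from the thread.
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh random salt per user means two accounts with the same password get
    different records, so a leaked table cannot be attacked with one shared
    precomputed table; the iteration count makes every guess deliberately slow.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, iter_s, salt_hex, hash_hex = record.split("$")
        salt, expected, iterations = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex), int(iter_s)
    except ValueError:
        return False  # malformed record: never treat it as a match
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


def leak_exposes_password(record: str, password: str) -> bool:
    """What a dumped row reveals: True only if the plaintext is readable in it."""
    return password in record


if __name__ == "__main__":
    # Constructed sample accounts, deliberately sharing one password.
    users = {"alice": hash_password("hunter2"), "bob": hash_password("hunter2")}
    print(users["alice"] != users["bob"])                    # salts differ -> True
    print(verify_password("hunter2", users["alice"]))        # True
    print(verify_password("hunter3", users["alice"]))        # False
    print(leak_exposes_password(users["alice"], "hunter2"))  # False
```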