Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Compromised Yahoo Servers Using Shellshock Bug

Posted by samzenpus on from the protect-ya-neck dept.

wiredmikey writes Hackers were able to break into some of Yahoo's servers by exploiting the recently disclosed Shellshock bug over the past few weeks. This may be the first confirmed case of a major company being hit with attacks exploiting the vulnerability in bash. Contacted by SecurityWeek, a Yahoo spokesperson provided the following statement Monday afternoon: "A security flaw, called Shellshock, that could expose vulnerabilities in many web servers was identified on September 24. As soon as we became aware of the issue, we began patching our systems and have been closely monitoring our network. Last night, we isolated a handful of our impacted servers and at this time we have no evidence of a compromise to user data. We're focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users' data."

3 of 69 comments (clear)

  1. Consequences for treating employees like garbage by Anonymous Coward · · Score: 2, Interesting

    Yahoo treats their employees like garbage. To wit, Yahoo uses "stacked ratings" which results in backstabbing and good employees getting fired.

    When Yahoo's employees are spending all their time making sure someone else gets fired when the next employee reviews are made, instead of actually being able to do their job, it comes as no surprise that basic crap like updating security on servers falls by the wayside.

  2. I thought by Anonymous Coward · · Score: 0, Interesting

    Yahoo used FreeBSD, and the default shell is not BASH. And if they are using FreeBSD, why would you change the default shell away from tcsh unless it was to zsh? Just curious...

  3. Re:Baaaa! by dunkindave · · Score: 4, Interesting

    No, the real problem is this is the same response you would get from a company no matter what happened so it is meaningless. You screwed up but don't want to admit it? Say you are committed to security and it was a fluke. It really was a one time fluke by someone exploiting a near-zero-day? Say you are committed to security and it was a fluke. You deliberately sold out your customers and someone noticed their info was in the wild? Say you are committed to security and it was a fluke. Since it is always the same no matter what happened, what real use is the statement? Yes, I know it is to persuade those who don't know better.