And the hackers strike again. This time they hit Yahoo! Voices, a service that helps writers, photographers and videographers sell their work over the Web.
A group calling itself D33Ds Co. released over 450,000 email addresses and passwords in cleartext, as announced in a tweet:
The leak itself is small measured against Yahoo!'s 97 million users; D33Ds Co. said its motivation was to serve as a wake-up call for Yahoo! Inc. to re-evaluate its security policy.
In the disclosure, D33Ds Co. stated that “the vulnerable parameters used in the SQL injection attack will not be revealed to avoid further damage to Yahoo! Inc.”
Who was compromised?
What is interesting is that the dump was not limited to Yahoo! credentials: it contained logins for Google, Microsoft and AOL accounts as well, and those three companies confirmed that it included valid passwords for 1,699 of their accounts. They said they required the affected users to reset their passwords for sites including Gmail, AOL, Hotmail, MSN and Live.com.
How was this hack achieved?
This service was hacked with a simple SQL injection attack. The attacker finds an input that the application passes on to its database (an online form field or a URL parameter) and, instead of the value the form asks for, supplies a fragment of SQL. If the application builds its query by pasting that input straight into the SQL string, the database interprets the attacker's text as part of the query and returns results that were never meant to be seen, in this case an entire table of credentials.
The reliable protection is never to build queries by string concatenation: use parameterized queries (prepared statements), so that user input reaches the database as data and can never be parsed as SQL. The approach many developers reach for first, scanning the input for certain known characters such as quotes and refusing to run the query if they are found, is only a weak second line of defence. It is easy to bypass, for example in a numeric parameter where the injected SQL needs no quote at all.
[More info on How to prevent SQL Injections]
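The attack and the two defences described above, as an added example that is not code from the article, from Yahoo! or from D33Ds Co. The table, the sample rows and the function names are constructed for this demonstration; SQLite is used because it ships with Python, but the behaviour is the same on any SQL database.

```python
import sqlite3

# Constructed sample credentials for the demo (not real data). Storing
# passwords in cleartext mirrors what the Yahoo! Voices dump exposed; it is
# shown here only to make the effect of the injection visible.
SAMPLE_USERS = [
    (1, "alice@example.com", "password123"),
    (2, "bob@example.com", "qwerty"),
    (3, "carol@example.com", "welcome"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, email):
    """VULNERABLE: the form value is pasted straight into the SQL string."""
    query = "SELECT email, password FROM users WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def strip_known_bad(value):
    """The 'known characters' filter: drop quotes and semicolons from the input."""
    return "".join(ch for ch in value if ch not in "'\";")


def lookup_by_id_filtered(conn, user_id):
    """STILL VULNERABLE: the blacklist runs, but a numeric context needs no quotes."""
    query = "SELECT email, password FROM users WHERE id = " + strip_known_bad(user_id)
    return conn.execute(query).fetchall()


def lookup_safe(conn, email):
    """FIXED: parameterized query; the driver sends the value as data, never as SQL."""
    return conn.execute(
        "SELECT email, password FROM users WHERE email = ?", (email,)
    ).fetchall()


# Two attacker inputs typed into the "email" form field.
TAUTOLOGY = "x' OR '1'='1"   # makes the WHERE clause always true: every row comes back
SCHEMA_DUMP = "x' UNION SELECT name, sql FROM sqlite_master WHERE '1'='1"  # reads schema
# One typed into a numeric "id" field, which the character blacklist cannot stop.
NUMERIC_TAUTOLOGY = "0 OR 1=1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", lookup_vulnerable(db, TAUTOLOGY))
    print("vulnerable, union    :", lookup_vulnerable(db, SCHEMA_DUMP))
    print("filtered numeric id  :", lookup_by_id_filtered(db, NUMERIC_TAUTOLOGY))
    print("parameterized        :", lookup_safe(db, TAUTOLOGY))
```

Run stand-alone, the first three lookups return the whole credentials table or the database schema, while the parameterized lookup returns nothing for the same attacker input, because the driver binds it as a literal string that matches no email address.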
Protecting the data at rest would have added a further layer of security: had the passwords been stored as salted, slow hashes (bcrypt, scrypt or PBKDF2) rather than in cleartext, a dump of the table would have yielded hashes that must be cracked one guess at a time instead of working credentials. For passwords, hashing is the right tool rather than reversible encryption, since a login system never needs to read the original password back and an encryption key kept on the same server tends to leak along with the database; other sensitive fields that do have to be read back can be encrypted.
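The storage scheme argued for above, as an added illustration (not code from the article or from Yahoo!), using only the Python standard library. The record format, the function names and the 600,000-iteration PBKDF2-HMAC-SHA256 setting are choices made for this example; bcrypt, scrypt or Argon2 would serve the same purpose.

```python
import hashlib
import hmac
import secrets

# Parameters chosen for this example: PBKDF2-HMAC-SHA256, a 16-byte random
# salt per user, 600,000 iterations. The iteration count is what makes each
# guess expensive for whoever obtains a dump of the table.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh salt: same password, different record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([ALGORITHM, str(ITERATIONS), salt.hex(), digest.hex()])


def verify_password(stored, candidate):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported hash record: " + algorithm)
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def register(users, email, password):
    """Store only the hash record; the cleartext password is never written anywhere."""
    users[email] = hash_password(password)


def login(users, email, password):
    """Authenticate against the stored record; unknown users simply fail."""
    record = users.get(email)
    return record is not None and verify_password(record, password)


if __name__ == "__main__":
    table = {}
    register(table, "alice@example.com", "password123")   # constructed sample user
    print("stored record :", table["alice@example.com"])
    print("correct login :", login(table, "alice@example.com", "password123"))
    print("wrong password:", login(table, "alice@example.com", "Password123"))
```

Dumping `table` here gives an attacker the salt and iteration count, which is fine: those are public by design, and the password itself is recoverable only by running the same 600,000-iteration computation for every guess.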
According to an analysis by anti-virus software maker ESET, the four most popular passwords in the dump were:
So if you are guilty of using one of these passwords, go and change it now, before you land on the next list.
By the way: www.Yahoo.com (just in case…)