Nearly Half a Million Yahoo Passwords Leaked [Updated]
An anonymous reader writes "Some 450,000 email addresses and associated unencrypted passwords have been dumped online by the hacking collective 'D33Ds Company' following the compromise of a Yahoo subdomain. The attackers said that they managed to access the subdomain by leveraging a union-based SQL injection attack, which made the site return more information than it should have. According to Ars Technica, the dump also includes over 2,700 database table or column names and 298 MySQL variables retrieved during the attack."
Update: 07/12 20:03 GMT by T: Reader techfun89 adds this update: "Yahoo has confirmed that the usernames and passwords of more than 400,000 accounts were stolen from their servers earlier this week and that data was briefly posted online. The information has since been removed but it wasn't just credentials for Yahoo, but also Gmail, AOL, Comcast, Hotmail, MSN, SBC Global, BellSouth, Verizon and Live.com as well."
Ah, injection attacks.. (Score:5, Interesting)
When will people ever learn? And not just SQL injection attacks. I had to actually write a destructive exploit for a popen injection attack on an MMORPG before the rest of the dev team would believe me that it was a serious vulnerability (it had code so that if you said a URL, people could click on it... except they were just passing what the user wrote to popen, tacked onto the end of your browser-launch string). People just never seem to wrap their heads around the fact that you never use raw user input for anything that a parser will look at, at any point in time!
Here's probably the funniest discussion thread on injection attacks [thedailywtf.com], ever.
File (Score:5, Interesting)
Does anyone have a link to the leak? You know, I want to check if my password was leaked.
common security practices ? (Score:5, Interesting)
It seems to be common practice these days that sites store plaintext passwords. One would think the programmers knew better. Is it an attempt to speed-optimize things, so they leave out hashing?
Or is there a more sinister reason, someone twisting their arm around.
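The two points raised in the comments above, raw input reaching a parser and passwords stored in the clear, side by side in an added Python example (not code from the story or from any commenter; the user table, emails and probe string are constructed for the demo):

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample table: a plaintext-password store like the leaked one.
SAMPLE_USERS = [
    ("alice@example.com", "123456"),
    ("o'brien@example.com", "sunshine"),
]


def make_db():
    """Build an in-memory users table from the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, email):
    """Injectable pattern: the input is spliced into text the SQL parser reads.
    A quote in the input changes the query; a legit user named o'brien breaks it."""
    sql = f"SELECT email FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


# What the password column should have held instead of plaintext.
ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2$iterations$salt$digest'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Run `lookup_unsafe` and `lookup_safe` with the classic tautology probe `x' OR '1'='1`: the unsafe version returns every row, the parameterised one returns none.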
Re:Ah, injection attacks.. (Score:5, Interesting)
Here's probably the funniest discussion thread on injection attacks [thedailywtf.com], ever.
That is indeed funny, in a most terrifying way!
Re:common security practices ? (Score:4, Interesting)
That explains things (Score:5, Interesting)
Re:lastpass (Score:5, Interesting)
You're probably right. What's scary is - the government isn't a whole lot better at this stuff. I seem to recall a recent transatlantic telephone conference, involving multiple "intelligence" and/or "enforcement" agencies that was recorded by the very people being discussed.
Yeah, I really want some alphabet soup dude from Washington looking out for my internet security.
Woosh (Score:1, Interesting)
He was just making a joke about the phrase "Users shouldn't have week passwords".
But you are right, of course. Frequent password changes are not good for security.
I imported them into Excel... (Score:4, Interesting)
For your viewing pleasure, here are the top 20 passwords by number of occurrences in the Yahoo hacked set. Enjoy!
Password Count
123456 1673
password 804
welcome 439
ninja 333
abc123 255
123456789 226
princess 216
sunshine 213
12345678 208
qwerty 177
michael 167
writer 166
monkey 165
freedom 164
password1 162
111111 160
iloveyou 142
tigger 136
baseball 136
shadow 134