Yahoo Voices Breach, victim of SQL injection.

by Hongde H
The article I read this week is about one of the latest tech companies to get hacked: Yahoo was hit by a SQL injection that exposed 453,000 passwords. According to TrustedSec, the exposed passwords were paired with a wide variety of email addresses, including those from yahoo.com, gmail.com, aol.com, and many more. TrustedSec also pointed out that the passwords were stored completely unencrypted and that the full 400,000+ usernames and passwords are now public.

Moreover, a hacker group calling itself D33ds posted the passwords and a host of associated email addresses online after the hack. They claimed to have used a union-based SQL injection to steal the data, posting it online as a “wake-up call”.

SQL injection is one of the most dangerous hacking techniques out there. With SQL injection, a malicious attacker can drop a table or even a whole database in a few seconds, using a very simple command sent through your website.

I chose this article because we are learning SQL. While we learn and use SQL to help us finish our work efficiently, we should also be aware that there are hackers unethically making use of it from certain perspectives.

Besides serving as a “wake-up call” about the SQL injection problem we have been facing and solving for decades, this breach should make us all pay attention to what we can do to protect ourselves. For example, as an SQL user, we might want to focus on what we can do at the code level to better protect our database from SQL injection. As an enterprise, one might want to encrypt password information, create rules to filter the contents of input fields on publicly facing web sites to reduce the impact of SQL injection, and install and maintain security appliances to protect those zones. As an individual, one might want to change passwords regularly and make them stronger by making good use of capital letters, lowercase letters, numbers, etc.
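To make the code-level point concrete, here is an added example (not from the article or from Yahoo's code) that puts a query built by string concatenation next to its parameterized form and stores passwords as salted PBKDF2 hashes rather than in plaintext. The tables, the sample users and the union-style search term are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data, not the leaked Yahoo Voices records.
SAMPLE_USERS = [("alice@example.com", "hunter2"), ("bob@example.com", "letmein")]


def hash_password(password, salt=None, rounds=200_000):
    """Return 'salt:hash' (hex) using PBKDF2-HMAC-SHA256 instead of storing plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt.hex() + ":" + digest.hex()


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split(":")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def build_db():
    """In-memory database: a public 'articles' table and a 'users' table with hashed passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT)")
    conn.execute("INSERT INTO articles VALUES (1, 'First post')")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(e, hash_password(p)) for e, p in SAMPLE_USERS])
    return conn


def search_vulnerable(conn, term):
    """Builds the query by string concatenation, so the search term is parsed as SQL."""
    sql = "SELECT id, title FROM articles WHERE title LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Parameterized query: the term is bound as data and can never change the statement."""
    sql = "SELECT id, title FROM articles WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# A union-style search term like the one the article describes, used only to show the difference.
UNION_PROBE = "' UNION SELECT email, password FROM users --"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", search_vulnerable(db, UNION_PROBE))  # article rows plus users rows
    print("safe:      ", search_safe(db, UNION_PROBE))        # []
```

Because the users table holds salted hashes, even the rows returned by the vulnerable search do not contain a usable password, which is the second half of the protection the article calls for.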

Source: Chloe Albanesius (July 12, 2012) “Yahoo Voices Breach Exposes 453,000 Passwords”

Retrieved from: http://www.pcmag.com/article2/0,2817,2407015,00.asp

5 thoughts on “Yahoo Voices Breach, victim of SQL injection.”

  • November 11, 2012 at 3:39 pm

    Great article. It really amazes me how these big-name companies can lose so much vital and private information. I recently read an article about how some of the auditing to find holes in SQL queries is accomplished, and it seems like a lot of work. However, I would think larger organizations would have the resources to prevent things like this from happening. Once again, thanks for the post, and I am definitely interested in finding out how exactly this breach was accomplished.

  • November 11, 2012 at 6:49 pm

    SQL injections have been the talk of many of the articles this week, and I found it very interesting that even big companies such as Yahoo are affected by it. The amount of valuable information that was exposed to hackers, 400k, amazes me. This just goes to show the vulnerability of a widely used database management system that is SQL, and I hope that there can be a change in security to prevent events such as this from happening in the future.

  • November 11, 2012 at 7:27 pm

    Interesting article Hoang. My article also had to do with SQL injections; maybe if Yahoo had used honeypots or dorks they could have trapped the hacking group and stopped them in their tracks. It is truly sad to see stories like this, but it is a good thing that the security side is evolving and fighting back. If you are interested in learning what honeypots and dorks are, check out my blog this week.

    • November 11, 2012 at 10:12 pm

      Hong*

  • November 11, 2012 at 9:34 pm

    Thanks for sharing your article, as it prompted me to search for an article on how to prevent SQL injection attacks. After my research, I found the “SQL Injection Prevention Cheat Sheet” put out by The Open Web Application Security Project (OWASP). You can find it at this URL: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet. I think what it comes down to is good coding techniques and validation of any input from the user to deter most hackers.
