Hackers posted what appear to be login credentials for more than 453,000 user accounts that they said they retrieved in plaintext from an unidentified service on Yahoo.
The dump, posted on a public website by a hacking collective known as D33Ds Company, said it penetrated the Yahoo subdomain using what's known as a union-based SQL injection. The hacking technique preys on poorly secured web applications that don't properly scrutinize text entered into search boxes and other user input fields. By injecting powerful database commands into them, attackers can trick back-end servers into dumping huge amounts of sensitive information.
To support their claim, the hackers posted what they said were the plaintext credentials for 453,492 Yahoo accounts, more than 2,700 database table or column names, and 298 MySQL variables, all of which they claim to have obtained in the exploit.
3:42 pm on Jul 12, 2012 (gmt 0)
#*$!, I tried one hacked yahoo account and it worked :(
I am changing my password and hoping they won't get it again.
brotherhood of LAN
4:02 pm on Jul 12, 2012 (gmt 0)
That's pretty huge. I logged into one too.
Not only is the Yahoo account compromised, but any other service the users use... you can use the 'forgot password' function to retrieve their social accounts, check their account info for location etc. Yahoo should disable all of those accounts pronto.
4:47 pm on Jul 12, 2012 (gmt 0)
Stuff like this isn't just inexcusable, it's pure incompetence.
If a large corporation like Yahoo can't have a uniform data security policy that mandates all input fields are properly testing before being accepted from the web they get what they deserve for sloppy management.
What makes this so silly is that one simple script could prefix all pages site wide and iterate all GET and POST variables and either filter or reject any garbage. You don't really need to code it field by field, it can be done universally for all pages with one lousy include per page.
There should be a small security team assigned to keeping this stuff updated and verifying (scanning) that it's implemented across the board.
Maybe I should go apply for the security managers job because if they don't have one they'll need one and if they do have one they'll need a better one.
Things like this really irk me, I am so seriously irked right now you have no idea.
5:55 pm on Jul 12, 2012 (gmt 0)
The problem is not that you need to change your Yahoo password. It's that you HAVE a yahoo password.
8:32 am on Jul 13, 2012 (gmt 0)
Yahoo has other security issues too.
When LOGGED OUT of Yahoo! the little icons in the corner still tell me how many emails I have. The site is identifying me regardless which, in turn, provides an avenue to gather information without being logged in. Anyone spoofing my IP and/or retrieving my Yahoo cookies can see how many emails I have waiting, as well as my log in name.
8:47 am on Jul 13, 2012 (gmt 0)
I thought internet security is meant to improve? =]
8:48 am on Jul 13, 2012 (gmt 0)
It's not just yahoo email addresses that were revealed, ALL types of email addresses are on the list including Gmail etc, any email that was used to log in appears on the list, from any service.