{"id":3350,"date":"2012-07-16T15:49:15","date_gmt":"2012-07-16T14:49:15","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=3350"},"modified":"2015-09-09T19:36:57","modified_gmt":"2015-09-09T11:36:57","slug":"yahoo-voices-hacked-with-sql-injection-passwords-in-plaintext","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2012\/07\/yahoo-voices-hacked-with-sql-injection-passwords-in-plaintext\/","title":{"rendered":"Yahoo! Voices Hacked With SQL Injection – Passwords In Plaintext"},"content":{"rendered":"

There have been a few huge cases recently of large sites being hacked and exposing either plaintext or very poorly hashed passwords; it happened to LinkedIn not long ago, and the latest case is Yahoo!<\/a>.<\/p>\n

It wasn’t the main site, but with almost half a million username and password combinations exposed it’s a fairly large leak. The data came from the Yahoo! Voices<\/a> subdomain (the Yahoo! Contributor Network) and appears to have been pulled out with a fairly basic UNION-based SQL injection<\/a>: the attacker appends a second SELECT to the application’s own query so that rows from another table (here, usernames and passwords) come back in place of the expected results.<\/p>\n

I imagine the database, or the old part of the site that powered the Yahoo! Contributor Network, was developed well before secure programming was as prominent as it is now, and before frameworks took care of most of the security nuts and bolts (parameterised queries, password hashing) by default.<\/p>\n
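To make the two points above concrete, here is an added example (my code, written for this post, not Yahoo!’s code and not anything recovered from the breach) of a UNION-based injection against an article lookup, next to the parameterised query that stops it. The SQLite back end, the table and column names and the sample rows are all constructed for the demo; the real Contributor Network schema is not known.

```python
import sqlite3

# Constructed demo database. Table names, columns and rows are made up for
# this example; they are not the Yahoo! Contributor Network schema.
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO articles VALUES (1, 'First post', 'Hello world');
        INSERT INTO articles VALUES (2, 'Second post', 'More words');
        INSERT INTO users VALUES (1, 'alice@example.com', 'hunter2');
        INSERT INTO users VALUES (2, 'bob@example.com', 'letmein');
    """)
    return conn

def get_article_vulnerable(conn, article_id):
    """The pre-framework pattern: the request parameter is concatenated into the SQL."""
    sql = "SELECT title, body FROM articles WHERE id = " + article_id
    return conn.execute(sql).fetchall()

def get_article_safe(conn, article_id):
    """Parameterised query: the value is bound, so the SQL text never changes."""
    sql = "SELECT title, body FROM articles WHERE id = ?"
    return conn.execute(sql, (article_id,)).fetchall()

# UNION payload: make the application's SELECT match nothing (id = 0), then
# append a SELECT of the same width (two columns) over the users table, so the
# page renders usernames and passwords where an article title and body should be.
UNION_PAYLOAD = "0 UNION SELECT username, password FROM users"

def run_demo():
    """Run a legitimate lookup and the payload through both versions of the query."""
    conn = build_demo_db()
    return {
        "legit_vulnerable": get_article_vulnerable(conn, "1"),
        "legit_safe": get_article_safe(conn, "1"),
        # sorted() because UNION does not guarantee row order
        "payload_vulnerable": sorted(get_article_vulnerable(conn, UNION_PAYLOAD)),
        "payload_safe": get_article_safe(conn, UNION_PAYLOAD),
    }

if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name}: {rows}")
```

The vulnerable version hands back every row of the users table to anyone who can edit a URL; the bound version treats the whole payload as a (non-matching) id and returns no rows at all, without any escaping logic in the application. Validating that the id is an integer before it reaches the database is a worthwhile second layer, but binding alone is what removes the injection.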

A Yahoo security breach that exposed 450,000 usernames and passwords from a site on the huge web portal indicates that the company failed to take even basic precautions to protect the data.<\/p>\n

Security experts were befuddled Thursday as to why a company as large as Yahoo would fail to cryptographically store the passwords in its database. Instead, they were left in plain text, which means a hacker could easily read them.<\/p>\n

“It is definitely poor security,” Marcus Carey, a security researcher at Rapid7, said. “It’s not even security 101. It’s basic application development 101.”<\/p>\n

Yahoo declined a request for an interview, and only emailed a statement confirming the breach that occurred Wednesday. The company said that an “older file” containing roughly 450,000 user names and passwords was stolen from its Contributor Network, a subset of Yahoo’s massive network of Web sites. Membership in the Contributor Network consists of freelance journalists who write content for Yahoo Voices. The network was established following Yahoo’s 2010 acquisition of Associated Content.<\/p>\n

Less than 5 percent of the stolen data had valid passwords, Yahoo said. “We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users’ accounts may have been compromised,” the statement said. <\/p><\/blockquote>\n

Yahoo! seems to have acted fairly quickly, but this is still a very sloppy example of data security, even if it was an old system and a defunct one at that: the injection should not have been possible, and even if it was, a dump of the users table should have yielded salted hashes rather than passwords anyone can read.<\/p>\n
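As an added illustration of the “application development 101” the quote above refers to (my example, not Yahoo!’s code or anything from the breach), here is a salted, iterated password hash and its verifier in Python. The record format and the iteration count are my choices for the demo, not a standard the post prescribes.

```python
import hashlib
import hmac
import os

# Work factor is an assumption for this demo: tune it so one hash costs roughly
# 100 ms on your own login servers and raise it as hardware gets faster.
ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"

def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt, never shared between users
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and iterations, compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def same_password_different_records(password):
    """Two users who pick the same password must not end up with the same stored value."""
    return hash_password(password) != hash_password(password)

if __name__ == "__main__":
    record = hash_password("hunter2")
    print(record)
    print("correct password verifies:", verify_password("hunter2", record))
    print("wrong password rejected:", verify_password("hunter3", record))
    print("salts differ per user:", same_password_different_records("letmein"))
```

Had the leaked table been stored this way, the same UNION dump would have handed the attacker 450,000 salted PBKDF2 records instead of 450,000 reusable credentials: each weak password still has to be cracked individually, and the strong ones effectively never are. The iteration count travels with the record so it can be raised later without invalidating existing users.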

Unsurprisingly, the top 5 most common passwords in this data set were extremely easy to guess:<\/p>\n