Topic: "D33Ds Company" hacked Yahoo!, now fixed...

Samker

  • SCF Administrator
  • *****
  • Posts: 7528
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
"D33Ds Company" hacked Yahoo!, now fixed...
« on: 15. July 2012., 07:03:56 »


Yahoo! has fixed the flaw that allowed hackers to scrape the unencrypted passwords of over 450,000 of its customers' accounts.

"We have taken swift action and have now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of notifying affected users," Yahoo! said in a statement: "In addition, we will continue to take significant measures to protect our users and their data": http://ycorpblog.com/2012/07/13/yahoo-0713201/

The company said the information that was published by members of the hacking group D33Ds Company stemmed from users who had signed up with the Associated Content site before Yahoo! bought it in 2010.

If these users try to log in to their Yahoo! accounts now they will be asked a series of authentication questions before having to change their data, and Yahoo! is also suggesting that other users get into the habit of changing their passwords regularly.

The D33Ds Company hackers claimed that they broke into the corporate database via a simple SQL injection attack, and Yahoo! says that hole is now fixed and additional security procedures have been implemented. One would hope that includes adding password encryption to avoid a similarly embarrassing situation in the future.

(ElReg)


Pez

  • SCF VIP Member
  • *****
  • Posts: 776
  • KARMA: 117
  • Gender: Male
  • Pez
Latest Yahoo Data Breach Restates Need for Basic Security
« Reply #1 on: 16. July 2012., 09:27:53 »
More about this topic!

Latest Yahoo Data Breach Restates Need for Basic Security

News broke today of a large data breach against Yahoo Voices, resulting in more than 400,000 username/password combinations being posted in clear text. The compromise involved a basic SQL-injection attack against an exposed Yahoo server (dbb1.ac.bf1.yahoo.com).  Similar to other recent events, the account data was reportedly stored in an unencrypted state.

We see this type of attack over and over. Most recently LinkedIn and eHarmony were in the news with similar issues. This Yahoo breach is just the latest in a series of similar attacks that occur in multiples every day.

The attack was launched by the D33DS Co., whose release included this:

“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure.”
 
D33DS is probably correct in that latter sentence. But are their methods and motivation ethical or legal? That’s a different story. Regardless, Yahoo’s overlooking basic countermeasures against basic attacks (such as SQL injection) cannot be excused.

This is not the first time that Yahoo has been compromised in this way. During the last five years, Yahoo Local Neighbors, Yahoo Kids, Yahoo Classifieds, and others have been successfully targeted.
Ironically, there is a blog on SQL-injection prevention on Yahoo Voices. It was posted in 2009.

What else is interesting about the latest breach?

More than just @yahoo.com usernames and accounts were exposed. If there was ever a time to heed warnings about password reuse, especially across public and high-traffic social systems, this is it. Yahoo may have been the focus of this attack, but data in the dump could be used to target specific users from AOL, Microsoft, Google, Comcast, SBC Global, and others.

Here is a breakdown of associated domains that appear in the D33Ds release:

[Image: Yahoo breach Top 20 domains]

I’ll leave you with several McAfee resources for understanding SQL injection:

• WebSec 101 – SQL Injection. http://www.mcafee.com/us/resources/audio/transcripts/websec101-sqlinjection-slides.pdf
• McAfee Security Scanner for Databases. http://www.mcafee.com/us/products/security-scanner-for-databases.aspx
• Threat Brief – LizaMoon. http://www.mcafee.com/us/resources/solution-briefs/sb-lizamoon-sql-injection.pdf
• White paper on Real-time Database Monitoring, Auditing, and Intrusion Prevention. http://www.mcafee.com/us/resources/white-papers/wp-real-time-database-monitoring.pdf

Original article: Thursday, July 12, 2012 at 2:11pm by Jim Walter

There are two easy ways to configure a system!
Everything open and everything closed.
Everything else is more or less complex.

Start Turfing! http://scforum.info/index.php/topic,8405.msg21475.html#msg21475
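Both posts above describe the same attack path: a string-built SQL query against a table that held passwords in clear text, so one injected payload scraped every row. The block below is an added example written for this thread; it is not code from either post, from Yahoo, or from McAfee. It puts the vulnerable query next to the hardened one using an in-memory SQLite table. The schema, column names, the sample accounts and the `' OR '1'='1` payload are assumptions for illustration, not details from the D33Ds release. The hardened version binds parameters so input stays data rather than SQL syntax, and stores a salted PBKDF2 hash so that even a successful dump yields no reusable plaintext.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for illustration; these are not records from the
# D33Ds release, and the schema below is an assumption, not Yahoo's.
SAMPLE_USERS = [
    ("alice@example.com", "hunter2"),
    ("bob@example.net", "letmein"),
    ("carol@example.org", "correcthorse"),
]
PBKDF2_ROUNDS = 100_000


def build_plaintext_db():
    """The 'before' state: credentials stored in clear text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, email, password):
    """Query assembled by string formatting: user input becomes SQL syntax.
    Returns every (email, password) row the resulting query matches."""
    sql = ("SELECT email, password FROM users "
           "WHERE email = '%s' AND password = '%s'" % (email, password))
    return conn.execute(sql).fetchall()


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, encoded as 'salt$digest' in hex."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_hardened_db():
    """The 'after' state: only salted hashes are stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(e, hash_password(p)) for e, p in SAMPLE_USERS])
    return conn


def login_hardened(conn, email, password):
    """Bound parameter keeps input as data; the password never touches SQL."""
    row = conn.execute("SELECT password_hash FROM users WHERE email = ?",
                       (email,)).fetchone()
    return row is not None and verify_password(password, row[0])


def dump_hardened(conn):
    """What an attacker who does dump the hardened table gets: no plaintext."""
    return conn.execute("SELECT email, password_hash FROM users").fetchall()


if __name__ == "__main__":
    # Closes the quoted literal, then appends an always-true clause.
    payload = "' OR '1'='1"
    leaked = login_vulnerable(build_plaintext_db(), "nobody", payload)
    print("vulnerable query returned %d plaintext credentials" % len(leaked))
    hardened = build_hardened_db()
    print("same payload against hardened login:",
          login_hardened(hardened, "nobody", payload))
    print("legitimate login:",
          login_hardened(hardened, "alice@example.com", "hunter2"))
```

The payload works against `login_vulnerable` because `AND` binds tighter than `OR`, so `email = 'nobody' AND password = '' OR '1'='1'` is true for every row. Against `login_hardened` the same string is simply a password that hashes to the wrong value, and a dump of that table gives the attacker salts and digests rather than credentials to try at AOL, Google or Microsoft.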
