
Yahoo service SQL injection vuln leads to account exposure

Published: 2012-07-13
Last Updated: 2012-07-13 18:23:40 UTC
by Russ McRee (Version: 1)
2 comment(s)

We're a bit slow on the uptake given SANSFIRE, but as you are likely well aware, a SQL injection vulnerability was leveraged to gain access to the Yahoo Voice service. The attackers used that access to acquire, and then publicly post, login credentials for more than 453,000 user accounts, which they said they retrieved in plaintext.

You can download and review the account list for accounts that may impact you or your organization here: http://74.208.161.170:81/yahoo-disclosure.tar.gz
 
Related stories:
 
Password analysis of the account list proved what we've all come to expect. "The top five passwords in the stolen batch were '123456,' 'password,' 'welcome,' 'ninja' and 'abc123,'" said David Harley, senior research fellow at security firm ESET.
Ninja = great skill set, bad password. :-)
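To show the two checks a defender would actually run against such a list (which of our organization's accounts appear in it, and which passwords dominate), here is an added example that is not part of the diary or of any published analysis. It assumes the usual "email:password" one-record-per-line layout and uses a constructed sample, not the real dump:

```python
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed sample in the "email:password" layout such dumps usually take.
# These are made-up accounts, not entries from the real Yahoo Voice list.
SAMPLE_DUMP = """\
alice@example.org:123456
bob@example.org:password
carol@corp.example:welcome
dave@other.test:ninja
erin@corp.example:abc123
frank@example.org:123456
grace@corp.example:pa:ss:word
# comment line that should be ignored
mallory@other.test:password
"""

def parse_dump(text: str) -> List[Tuple[str, str]]:
    """Parse 'email:password' lines. Split on the FIRST ':' only, because
    passwords themselves may contain colons; skip blank and '#' lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        email, password = line.split(":", 1)
        records.append((email.strip().lower(), password))
    return records

def accounts_for_domains(records: List[Tuple[str, str]],
                         domains: Iterable[str]) -> List[str]:
    """E-mail addresses in the dump whose domain is one of ours, i.e. the
    users who need a forced password reset and a credential-reuse check."""
    wanted = {d.lower() for d in domains}
    return sorted(e for e, _ in records if e.rsplit("@", 1)[-1] in wanted)

def top_passwords(records: List[Tuple[str, str]], n: int = 5) -> List[Tuple[str, int]]:
    """Most common plaintext passwords in the dump (the ESET-style tally)."""
    return Counter(p for _, p in records).most_common(n)

if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print("Our exposed accounts:", accounts_for_domains(recs, ["corp.example"]))
    print("Top passwords:", top_passwords(recs))
```

Feed the real list to `parse_dump` and your own domains to `accounts_for_domains`; the password tally is the part that matters for deciding whether to tighten your password policy.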
 