SANS ISC: Yahoo service SQL injection vuln leads to account exposure - SANS Internet Storm Center SANS ISC InfoSec Forums
Yahoo service SQL injection vuln leads to account exposure

We're a bit slow on the uptake given SANSFIRE, but as you are likely well aware, a SQL injection vulnerability in the Yahoo Voice service was leveraged to gain access to it. The attackers then acquired and posted login credentials for more than 453,000 user accounts, which they said they retrieved in plaintext.

You can download and review the account list for accounts that may affect you or your organization here: http://74.208.161.170:81/yahoo-disclosure.tar.gz
 
Related stories:
 
Password analysis of the account list proved what we've all come to expect: "The top five passwords in the stolen batch were '123456,' 'password,' 'welcome,' 'ninja' and 'abc123,'" said David Harley, senior research fellow at security firm ESET.
Ninja = great skill set, bad password. :-)
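If you do pull the list to check for your own users, the two things worth automating are the domain match and the same kind of top-N password count quoted above, without echoing any password to a report. The following is an added example, not code from the diary or from ISC; it assumes the dump uses one `email:password` entry per line, and the sample lines are constructed, not taken from the real list.

```python
"""Triage a leaked credential list for accounts in your own domains and
summarise password weakness, without printing any password in the clear."""
import re
from collections import Counter

# Constructed sample in an assumed "email:password" layout (not the real dump).
SAMPLE_DUMP = """\
alice@example.org:123456
bob@example.org:password
carol@partner.example:ninja
dave@example.org:welcome
erin@example.org:123456
frank@other.test:abc123
this line is malformed and is skipped
"""

# Local part and domain may not contain ':' or whitespace; password is the rest.
LINE_RE = re.compile(r"^([^:\s]+@([^:\s]+)):(.*)$")


def parse_dump(text):
    """Yield (email, domain, password) for each well-formed line, lower-casing
    the address so domain matching is case-insensitive."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1).lower(), m.group(2).lower(), m.group(3)


def affected_accounts(text, my_domains):
    """Sorted, de-duplicated addresses in the dump that belong to my_domains."""
    wanted = {d.lower() for d in my_domains}
    return sorted({email for email, dom, _ in parse_dump(text) if dom in wanted})


def top_passwords(text, n=5):
    """Most common passwords with counts (the 'top five' style analysis)."""
    return Counter(pw for _, _, pw in parse_dump(text)).most_common(n)


def summary(text, my_domains):
    """Counts only, so the result can go into a ticket without exposing secrets."""
    total = sum(1 for _ in parse_dump(text))
    return {"affected": len(affected_accounts(text, my_domains)), "total": total}


if __name__ == "__main__":
    print(summary(SAMPLE_DUMP, ["example.org"]))   # {'affected': 4, 'total': 6}
    for pw, count in top_passwords(SAMPLE_DUMP, 3):
        print(f"{count:>3}  {'*' * len(pw)}")        # length only, never the value
```

Accounts that match are the ones to force a reset on; the password counts tell you how much of the exposure is reused, guessable credentials rather than anything specific to the breached service.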
 
Russ McRee

179 Posts
ISC Handler
So at this point is anyone advising people to change passwords on their Yahoo accounts?
Anonymous
Mike, I tend to operate on the premise that a password change under these circumstances goes without saying, but as for advising users to do so, without a doubt they should.
Russ McRee

179 Posts
ISC Handler
