A Yahoo! service has apparently succumbed to a simple database attack that leaked 453,000 unencrypted account passwords online. A huge document containing the lifted SQL structures, software variables, usernames and cleartext passwords was linked to from a web forum. In the file, the hackers described the break-in as “a wake-up call and not a threat”. The data dump included the hostname dbb1.ac.bf1.yahoo.com, which is associated with the blog-like service Yahoo! Voices, TrustedSec reports - although there was some confusion over whether the hacked service was in fact the internet telephone call app Yahoo! Voice.
The compromise was all too typical: a union-based SQL injection attack that tricked the website into handing over more information than it really should, Ars Technica reports. A hacking crew called the D33Ds Company claimed responsibility for the assault. Security firm Eset has carried out a preliminary statistical analysis of the leaked credentials. A disappointing – but not surprising – number of the exposed passwords included, er, “password”, “welcome”, “Jesus” and “ninja”. It’s unclear why Yahoo! Voices was storing unencrypted passwords in its backend database – unsalted one-way hashes would have been bad enough.