On Wednesday night, a hacker group known as “D33Ds Company” publicly posted a dump of roughly 450,000 usernames and passwords belonging to Yahoo users. According to D33Ds, the attack vector was a UNION-based SQL Injection attack.
In a statement sent to eSecurity Planet, Yahoo stressed that it takes security very seriously and invests heavily in protective measures to ensure the security of its users and their data across all Yahoo products.
“We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 450,000 Yahoo! and other company users' names and passwords was compromised yesterday, July 11,” Yahoo admitted in the statement. “Of these, less than 5 percent of the Yahoo! accounts had valid passwords.”
Yahoo acquired Associated Content back in May of 2010 for $100 million. To its credit, Yahoo is taking immediate action to correct the situation that led to the password breach.
“We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users' accounts may have been compromised,” Yahoo stated. “We apologize to all affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com.”
Yahoo did not say how the SQL Injection vulnerability was introduced or why it was not found and fixed before the hackers disclosed it. In a SQL Injection attack, attacker-controlled input is built into the text of a database query, so the attacker can change what the statement does; in the UNION-based variant D33Ds described, the attacker appends a UNION SELECT that pulls rows from other tables (such as a credentials table) into the results of an otherwise harmless query. The primary defense is at the code level: use parameterized queries (prepared statements) so that user input is always bound as data and can never alter the structure of the statement. Input validation is a useful second layer but not a substitute for it, and storing passwords as salted hashes rather than in clear text limits the damage when a dump like this one does occur. Beyond code-level practices, there are also database technologies, including the Oracle Database Firewall among others, that inspect SQL traffic before it reaches the database and can help mitigate the risk.
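To make the UNION-based technique and its fix concrete, here is an added example that is not part of the original article and has nothing to do with Yahoo's actual code: a hypothetical contributor site with an `articles` table behind a public search and a separate `users` table holding credentials, both constructed inline in SQLite. The vulnerable search concatenates the author name into the query; a payload that closes the quoted string and appends a `UNION SELECT` returns the credentials table instead of articles. The parameterized version, fed the same payload, simply finds no author by that name.

```python
import sqlite3

# Constructed sample data (hypothetical, not the breached site's schema): a public
# "articles" table and a separate "users" table holding credentials.
def build_db():
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, author TEXT)")
    cur.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    cur.executemany("INSERT INTO articles (title, author) VALUES (?, ?)", [
        ("Ten Tips for Home Gardening", "alice"),
        ("A Review of Budget Laptops", "bob"),
    ])
    cur.executemany("INSERT INTO users (email, password) VALUES (?, ?)", [
        ("alice@example.com", "hunter2"),
        ("bob@example.com", "letmein"),
    ])
    conn.commit()
    return conn


def search_articles_vulnerable(conn, author):
    # Deliberately vulnerable: untrusted input is spliced into the SQL text, so a
    # single quote in the input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT title, author FROM articles WHERE author = '" + author + "'"
    return conn.execute(sql).fetchall()


def search_articles_safe(conn, author):
    # Hardened: the value is bound as a parameter. The statement's structure is fixed
    # before the input is seen, so quotes, UNION or comment markers are just data.
    sql = "SELECT title, author FROM articles WHERE author = ?"
    return conn.execute(sql, (author,)).fetchall()


# Classic UNION-based payload: close the quoted string, append a UNION SELECT with
# the same number of columns (two) as the original query, and use "--" to comment
# out the trailing quote the application appends.
UNION_PAYLOAD = "x' UNION SELECT email, password FROM users --"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable search with payload:", search_articles_vulnerable(db, UNION_PAYLOAD))
    print("parameterized search with payload:", search_articles_safe(db, UNION_PAYLOAD))
    print("parameterized search for alice:", search_articles_safe(db, "alice"))
```

Note that the payload has to match the column count of the original SELECT; in practice an attacker finds that count by trial (adding `NULL` columns until the database stops complaining), which is why repeated SQL syntax errors in application logs are themselves a useful detection signal.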