Yahoo service SQL injection vuln leads to account exposure

Published: 2012-07-13. Last Updated: 2012-07-13 18:23:40 UTC
by Russ McRee (Version: 1)
2 comment(s)

We're a bit slow on the uptake given SANSFIRE, but as you are likely well aware, a SQL injection vulnerability was leveraged to gain access to the Yahoo Voice service which was utilized by attackers to acquire then post login credentials for more than 453,000 user accounts that they said they retrieved in plaintext.

You can download and review the account list for account that may impact you or your organizations here: http://74.208.161.170:81/yahoo-disclosure.tar.gz
 
Related stories:
 
Password analysis of the account list proved what we've all come to expect. "The top five passwords in the stolen batch were "123456," "password," "welcome," "ninja" and "abc123," said David Harley, senior research fellow at security firm ESET."
Ninja = great skill set, bad password. :-)
 
2 comment(s)

Comments

So at this point is anyone advising people to change passwords on their Yahoo accounts?
Mike, I tend to operate on the premise that a password change under these circumstances goes without saying, but as per advising to do so, without a doubt users should.

Diary Archives