SQL Injection has long been identified as one of the top vulnerabilities affecting web applications. Even though SQL Injection attack vectors are well known, it is an attack that keeps on yielding big-name website results: just ask Yahoo.
On Wednesday night, a hacker group known as “D33Ds Company” publicly posted a password dump of 450,000 Yahoo users. According to D33Ds, the attack vector was a Union-based SQL Injection attack.
In a statement sent to eSecurity Planet from Yahoo, the company stressed that they take security very seriously and invest heavily in protective measures to ensure the security of its users and their data across all Yahoo products.
“We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 450,000 Yahoo! and other company users’ names and passwords was compromised yesterday, July 11,” Yahoo admitted in the statement. “Of these, less than 5 percent of the Yahoo! accounts had valid passwords.”
Yahoo acquired Associated Content back in May of 2010 for $100 million. To its credit, Yahoo is taking immediate action to correct the situation that led to the password breach.
“We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users’ accounts may have been compromised,” Yahoo stated. “We apologize to all affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com.”
Yahoo did not specifically identify how the SQL Injection vulnerability was introduced or why it was not fixed prior to the hacker disclosure. In a SQL Injection attack, attacker-supplied input is executed as part of a database statement, which can lead to information disclosure. The general best practice for protection against SQL Injection is to be vigilant with data input sanitization for databases, so that user input is never interpreted as part of the SQL statement itself. While code-level best practices are important, there are also database technologies, including the Oracle Database Firewall among others, that help mitigate the risk.
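To make the code-level point concrete, the following is an added example (not code from the article, from Yahoo, or from Associated Content) using Python's built-in sqlite3 module with a constructed two-row user table. It places a lookup that builds its query by string concatenation beside the same lookup written as a parameterised query, and adds an allowlist check as a second layer. The table, usernames and the hostile input are all constructed for the demonstration; the point it shows is that the parameterised version treats the same input as a plain value and returns no rows, whereas the concatenated version returns every user.

```python
import re
import sqlite3

# Constructed sample data for the demonstration: an in-memory table with two users.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Anti-pattern: the input is spliced into the SQL text, so a quote in the input
    # ends the string literal and whatever follows is parsed as SQL.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Parameterised query: the statement text is fixed and the value is bound
    # separately by the driver, so quotes and keywords in the input stay data.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Hypothetical allowlist for this demo's username format; a second layer that rejects
# input which could never be a legitimate username before it reaches the database.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def is_valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None


def demo():
    conn = make_db()
    normal = "alice"
    # Constructed hostile input: closes the string literal and appends a tautology,
    # which is the same class of input-as-SQL flaw the article describes.
    hostile = "x' OR '1'='1"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "safe_normal": lookup_safe(conn, normal),
        "safe_hostile": lookup_safe(conn, hostile),
        "allowlist_normal": is_valid_username(normal),
        "allowlist_hostile": is_valid_username(hostile),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running the module prints the four query results and the two allowlist decisions: the concatenated lookup returns both users for the hostile input, the parameterised lookup returns an empty list, and the allowlist rejects the hostile input outright. Parameterisation is the primary control; the allowlist only narrows what reaches the query and is not a substitute for it.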
“It is often the case that obvious database vulnerabilities — such as weak passwords and default configuration settings — are initially overlooked and never fully remediated,” Slavik Markovich, CTO of Database Security at McAfee, said in an email sent to eSecurity Planet. “An organization’s sensitive information can never be adequately secured if it lacks dedicated tools and processes to gain complete visibility into their databases’ security weaknesses and eliminate the opportunity for the bad guys to exploit them.”
The Yahoo password breach comes on the heels of similar attacks on LinkedIn and Last.fm last month. According to Rapid7 security researcher Marcus Carey, this trend indicates that organizations and users still aren’t taking security seriously enough. “We recommend people use password managers and passphrases containing a string of words: something memorable, but not particularly associated with you is generally best,” Carey said.
Tom Cross, director of security research at Lancope, expects to see more password breaches in the future. He also noted that compromised passwords are likely to be used to infiltrate corporate networks.
“Organizations that are only focused on looking for exploit activity at the network perimeter can’t see attacks after they’ve already gotten in the front door,” Cross said. “IT security teams also need visibility into authorized traffic on the internal network that enables them to detect and mitigate compromises after the walls have been breached.”