In early July, as part of a heist some described as “ridiculously easy,” Internet bad guys stole user names and passwords for over 450,000 email accounts from a Yahoo website. A smaller number of Gmail, MSN, Hotmail, Comcast and AOL accounts were also included in the theft. The crooks then posted the entire database to their own website, for anyone in the world to copy, use and exploit.
To literally add insult to injury, the hackers, known as “D33ds Company,” took Yahoo to task for their lack of proper security by also posting a pointed reproof. “We hope that [Yahoo]… will take this as a wake-up call, and not as a threat,” they said. “There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”
The bad guys did their dirty deed using what’s known as a SQL injection attack. This type of attack works by typing database commands into a web form (a login box, a search box, or any other input field) whose contents a poorly-written site pastes straight into a database query without checking them, so the database runs the attacker’s text as part of the site’s own instructions. Imagine that you went to the sign-in page for your email and, instead of entering your password, you entered a fragment of a database command. You press “enter” and suddenly, rather than being logged into your email, the query the site meant to run has been rewritten to hand you the contents of the database itself, with the ability to copy and steal all of its information and, depending on the permissions the site’s database account has, to change it.
SQL injection attacks have been around for many years, and all conscientious websites put protections against them in place long ago. Not only was the database in question poorly secured, but, if the bad guys’ warning is to be believed, Yahoo has many more serious security problems that have yet to be disclosed. Viewing the current status of security across the Internet, as implemented by most companies that have websites, I would say that the bad guys’ warning should be believed.
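To make the mechanism concrete, here is an added example, not code from the original article and not Yahoo’s code, of the flaw described above next to its fix. It builds a throwaway SQLite table of invented accounts, runs a login query written the wrong way (user input glued into the query text) and the right way (input passed as bound parameters), and fires two classic payloads at each: one that makes the password check true for every row, and one that bolts a UNION onto the query and pulls the whole table out in a single request, which is the kind of dump the article describes. The names, passwords and table layout are constructed for the example.

```python
import sqlite3

# Constructed sample data: a toy account table standing in for the site's
# real database.  Names and passwords are invented.  Storing passwords in
# clear text is itself a serious defect; it is done here only so that the
# dump the injection produces is legible.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "hunter2"),
    ("bob", "bob@example.com", "correct-horse"),
    ("carol", "carol@example.com", "letmein"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, password) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    return conn


def login_vulnerable(conn, username, password):
    """The mistake: user input is pasted straight into the query text, so
    whatever the user typed is parsed as SQL.  Returns the rows the query
    produced; a site that trusts this result 'logs in' whoever comes back."""
    query = (
        "SELECT username, password FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """The fix: the query text is fixed and the input travels separately as
    bound parameters, so the database never treats it as SQL."""
    query = (
        "SELECT username, password FROM users "
        "WHERE username = ? AND password = ?"
    )
    return conn.execute(query, (username, password)).fetchall()


# Payload 1 closes the password string and adds OR '1'='1', which is true
# for every row, so the password check is defeated for every account.
BYPASS_PAYLOAD = "' OR '1'='1"

# Payload 2 closes the username string, appends a UNION that selects every
# username/password pair, and comments out the rest of the original query.
DUMP_PAYLOAD = "' UNION SELECT username, password FROM users --"


def run_demo():
    """Run both payloads against both versions of the login and return the
    rows each one produced, keyed by scenario."""
    conn = make_db()
    results = {
        "vuln_bypass": login_vulnerable(conn, "nobody", BYPASS_PAYLOAD),
        "vuln_dump": login_vulnerable(conn, DUMP_PAYLOAD, "x"),
        "safe_bypass": login_safe(conn, "nobody", BYPASS_PAYLOAD),
        "safe_dump": login_safe(conn, DUMP_PAYLOAD, "x"),
        "safe_real": login_safe(conn, "alice", "hunter2"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for scenario, rows in run_demo().items():
        print(f"{scenario}: {len(rows)} row(s) -> {rows}")
```

Against the vulnerable function both payloads return every account in the table; against the parameterised function both return nothing, and only the genuine username/password pair returns a row. The only difference between the two functions is whether the input is part of the query text or a bound value, which is why the defence is cheap and has been standard practice for years.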
Yahoo eventually issued an apology of sorts, stating in part, “We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users’ accounts may have been compromised. We apologize to affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com.”
No more impressed by Yahoo’s tepid apology than by their online safety tips, Jeff Allan of San Jose, CA, filed a class-action lawsuit, maintaining Yahoo should compensate him and other victims for Yahoo’s lack of security over such an important database. In addition to thieves stealing his Yahoo password, Allan’s information on the hacked Yahoo Contributor Network site included sensitive details such as his date of birth, mailing address, phone number and, for some mind-boggling reason, his Social Security number. Allan’s eBay account was hacked as a result of the incident, prompting him to hire a credit monitoring service.
“The SQL injection technique used against Yahoo has been known for over a decade and had already been used for massive data thefts against Heartland Payment Systems and others,” the lawsuit alleges. “As far back as 2003, the Federal Trade Commission considered SQL injection attacks to be well-known and foreseeable events that can and should be taken into account through routine security measures.”
The sad part about it all is that Mr. Allan’s statements are true. SQL injection attacks are old hat. Yahoo should be shocked and embarrassed beyond belief that they allowed such awful security to cause such harm to so many. I hope Mr. Allan’s lawsuit succeeds, because it seems that too many giant companies refuse to do the right thing until they feel the pain. More people need to file more lawsuits like this, or things may never turn around for the better.
Was your account part of the Yahoo theft? Visit labs.sucuri.net/?yahooleak to find out. Then, you might just want to change your password, anyway.