MySQL.com, home of the popular database software used to power much of the web, was compromised through a SQL injection attack over the weekend. The hackers used the exploit to extract usernames and password hashes from the site. Shortly after extracting the information, they posted it on pastebin.com.
Hackers TinKode and Ne0h of Slacker.Ro out of Romania claimed responsibility for the hack when they posted the data on pastebin.com. But a hacker by the name of Jackh4xor posted the same information on the Full Disclosure mailing list before TinKode or Ne0h posted it online. A similar attack was also attempted on the website of Oracle, MySQL's parent company. No login credentials were extracted during the attack on Oracle's website.
After extracting the information from MySQL, the hackers were able to decipher simple dictionary passwords with rainbow tables. According to The Register, the director of product management for WordPress at MySQL had a simple four-digit password for his account on the site.
MySQL should have been ready for this type of attack. TinKode and Ne0h claimed in a blog post that they had discovered the vulnerability and posted it in multiple places, including XSSed.com and the Insecurity.ro message boards, back in January.