While you may not have been surprised that a pornography site like YouPorn stored its data in cleartext, you’d probably expect more from a company like Yahoo!. Apparently that trust would be misguided, as TrustedSec is reporting that over 400,000 Yahoo! Voice accounts have been compromised in a recent attack; the exact number is currently 453,492.
There are few details at this point, but according to the data the attackers dumped, the attack was carried out via a SQL injection attack. This means that the website was not doing proper input validation, allowing the attackers to put their own SQL commands into a text field on the website, and that code was then passed on directly to the database. This type of attack has been on the decline over the past five years but is still a dangerous threat. In addition to the SQL injection vulnerability, the database was also storing the passwords in cleartext.
The list of usernames and passwords have already been posted to the Internet, although the website is extremely slow due to heavy loads. You may want to check whether you were impacted by the attack or not.
The attackers call themselves “D33Ds Company” and Yahoo! has not made an official statement about the breach. In typical “hactavist” fashion, the group claims they’re doing it to help people out and even include a quote from Jean Vanier, stating, “Growth begins when we accept our own weakness.”
Is this more proof that we are passed the age of passwords and need to rely on more secure methods?