Hacking collective D33Ds Company has posted login details for more than 453,000 user accounts that it claims to have retrieved in plaintext from an unconfirmed service on Yahoo.
Ars Technica is reporting that the hackers used a union-based SQL injection to penetrate a Yahoo subdomain—a technique which, according to Ars, “preys on poorly secured web applications that don’t properly scrutinize text entered into search boxes and other user input fields”. That process can be used to trick servers into releasing large quantities of sensitive information.
The user credentials have been posted in public, throwing details for 453,492 Yahoo accounts into the wild. If you want to see it for yourself, it’s not hard to find. In a note which accompanied the data dump, D33Ds Company explained:
“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”
Since, the TrustedSec blog has reported that the data comes from Yahoo Voice, also known as Associated Content, identified from the the string “dbb1.ac.bf1.yahoo.com” contained in the data. Currently that’s unconfirmed by Yahoo, though, so it may pay to change any Yahoo password you’re in possession of. [Ars Technica]