Hackers Steal 453,000 Passwords From Yahoo! Voice

Posted Jul 12, 2012

Hackers have posted the login credentials of over 453,000 user accounts that they obtained from Yahoo! Voice. The dump was posted on a public website by a hacker group known as D33Ds Company. They were able to penetrate Yahoo! Voice using a union-based SQL injection.

The technique targets poorly secured web applications that do not properly scrutinize the text entered into search boxes and other user input fields. The hackers injected powerful database commands into those fields and tricked the back-end servers into dumping sensitive information. The hackers posted the plaintext credentials for 453,492 Yahoo! accounts, more than 2,700 database table or column names, and 298 MySQL variables.
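The failure described above, shown beside its fix, as an added example that is not from the original article or from Yahoo!'s code: a search handler that builds SQL by string concatenation next to one that binds the user's text as a parameter. The table names, sample rows, function names and the use of SQLite (the dump referenced MySQL) are assumptions made for illustration.

```python
import sqlite3

def build_db():
    """Constructed sample data: a searchable table and a credentials table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles (title TEXT, body TEXT);
        CREATE TABLE users (email TEXT, password TEXT);
        INSERT INTO articles VALUES ('Welcome', 'Getting started guide');
        INSERT INTO articles VALUES ('Pricing', 'Plans and billing');
        INSERT INTO users VALUES ('alice@example.com', 'constructed-secret-1');
        INSERT INTO users VALUES ('bob@example.com', 'constructed-secret-2');
    """)
    return db

def search_vulnerable(db, term):
    # User text is pasted into the SQL string, so the database parses it as SQL.
    sql = "SELECT title, body FROM articles WHERE title LIKE '%" + term + "%'"
    return db.execute(sql).fetchall()

def search_parameterized(db, term):
    # The placeholder sends the text as data only; it is never parsed as SQL.
    sql = "SELECT title, body FROM articles WHERE title LIKE ?"
    return db.execute(sql, ("%" + term + "%",)).fetchall()

# Constructed input of the union-based kind the article names.
UNION_INPUT = "zzz' UNION SELECT email, password FROM users --"

def leaked_credentials(rows):
    """Rows whose first column is an e-mail address came from the users table."""
    return [row for row in rows if "@" in row[0]]

if __name__ == "__main__":
    db = build_db()
    for handler in (search_vulnerable, search_parameterized):
        rows = handler(db, UNION_INPUT)
        print(handler.__name__, "leaked rows:", len(leaked_credentials(rows)))
```

Storing the password column as a salted, slow hash rather than plaintext would limit what a successful dump exposes, which is the second failure the posted data points to.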

“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat,” said a brief note at the end of the dump. “There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”