In what is probably the most shocking instance of cyber heists in recent times, hackers have published a list of 450,000 Yahoo usernames and passwords. The shock comes not from the breach, which is all too common nowadays, but from the fact that a behemoth such as Yahoo neglected to encrypt the username and password database, a basic precaution that would have prevented the breach and protected user data. Yahoo stored the data in plain text, which was akin to leaving the safe unlocked.
The breach occurred in the Yahoo Contributor Network database populated by freelance journalists associated with Yahoo Voices. This database was built up from Yahoo’s 2010 acquisition of Associated Content, so freelance writers who earlier had accounts with Associated Content would also have suffered the exposure. Add to this the fact that Yahoo Voices allowed users to log in using Google, Hotmail, AOL, Comcast or Verizon credentials, and the damage extends well beyond Yahoo itself.
In the meantime, a hacker group styling itself “D33Ds Company” claims credit for the attack and states its motive as wanting to issue a warning or wake-up call. It claims to have used SQL injection, a basic and time-tested method deployed by hackers to access databases.
Yahoo, while unsurprisingly remaining tight-lipped even after admitting the breach, is working on fixing the vulnerability, changing the passwords of affected users and notifying other accounts that suffered collateral damage. This, however, is no atonement for the disservice Yahoo did to its users by failing to deploy even the most basic security. If not encrypting the user details was not bad enough, the hackers claimed to have used SQL injection to carry out the breach. SQL injection is the most common and basic method adopted to hack databases, and only poorly designed websites that allow commands to be sent through a search field or URL remain vulnerable to such attacks.
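The two failings the article describes, a search field whose contents are pasted into the SQL text and a password table stored in plain text, side by side with their fixes. This is an added example and not code from Yahoo or the article; the table, user names and passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts (not real data) for the in-memory table.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Return (salt, derived key) via PBKDF2-HMAC-SHA256.
    Storing this instead of the plaintext means a dumped table does not
    hand over usable passwords, which is the 'unlocked safe' the article describes."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, dk


def verify_password(password, salt, dk):
    """Constant-time comparison of a freshly derived key against the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, dk)


def build_db():
    """In-memory SQLite table holding salted hashes rather than plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, salt BLOB, pw_hash BLOB)")
    for name, pw in SAMPLE_USERS:
        salt, dk = hash_password(pw)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, dk))
    return conn


def search_vulnerable(conn, term):
    """Concatenates the search-field text into the SQL statement: a quote in the
    input changes the query itself, which is the flaw the article refers to."""
    sql = "SELECT name FROM users WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """Same lookup with a bound parameter: the input is always data, never SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (term,))
    return [row[0] for row in rows]
```

Run the two search functions with the same quote-bearing input: the concatenated version returns every row, while the parameterized one simply finds no user with that literal name.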
Source: http://www.csoonline.com/