More than 450,000 usernames and passwords for a Yahoo service were posted online after a hacking group apparently accessed Yahoo servers using SQL injection.
All the passwords were stored in plaintext in the SQL database. SQL injection works by entering database commands into text fields on customer facing web pages. In poorly secured sites, these commands can pull information out of the SQL servers which hold customer information.
TrustedSec information security blog reports that breached servers were running the Yahoo Voice service, a blog-like service run by Yahoo. It based this on the hostname for the hacked service, which was visible in the SQL table.
In a statement following the dump, the hackers claimed to be members of a group called D33Ds Company.
"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," the group wrote.
"There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage."
The group claimed to have used a technique called union SQL injection. The union SQL statement selects information from more than one SQL table. This allows hackers to call on linked databases and search them for administrator login credentials, as explained in the Hakipedia wiki.
Yahoo had not responded to Information Age’s request for comment as this story went to press.