In the past 30 days, passwords have been stolen from LinkedIn (6.5 million passwords), Formspring (420,000 passwords) and eHarmony (1.5 million passwords). Yahoo is the latest victim. Two days ago, a hacker group that goes by the name of D33DS stole almost 445,000 passwords from Yahoo. The seven hackers were able to get the passwords by using a well-known threat to online databases called SQL Injection.
Behind many websites are databases. Typical Internet users are not supposed to have direct access to a company’s back-end database. By entering certain commands into the search field of a poorly secured website, hackers can access databases located on the server that’s hosting the site. That is SQL Injection. In this case, hackers were able to uncover a list of Yahoo usernames and passwords.
Nobody is perfect, but a company as large as Yahoo should have known better. Yahoo made two rookie mistakes.
- The site should have been secured against SQL Injection attacks. A SQL Injection attack is one of the first things hackers try.
- The passwords were stored in the database as plain text. For example, let’s say your Yahoo password is password123. Yahoo should not store that password as password123. The password should be scrambled (hashed or encrypted) so it may read something like PH*&YTF$#FF. Even if a hacker gains access to your password, he would not be able to easily read it. He could use a password cracking program to crack your password. However, if it takes too long to crack, he may give up and go after an easier target.
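To make both mistakes concrete, here is a small added example (my own illustration, not code from Yahoo or from this post) of the two fixes a site should have in place: looking users up with a parameterized query so that typed input is always treated as data rather than as part of the SQL command, and storing only a salted, slow hash of each password instead of the password itself. The table name, the column names and the choice of PBKDF2-HMAC-SHA256 with 200,000 rounds are my assumptions for the demo; the database is an in-memory SQLite file so it runs anywhere.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional

# Assumed work factor for the demo; a real site tunes this to its hardware.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$hash_hex' for a password.

    A fresh random salt per user means two people with the same password
    get different stored values, and the slow PBKDF2 loop makes guessing
    expensive for an attacker who steals the table.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def make_db() -> sqlite3.Connection:
    """Constructed demo schema: only the hash is ever stored, never the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)"
    )
    return conn


def add_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    conn.execute(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        (username, hash_password(password)),
    )


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Vulnerable pattern: the user's input is pasted into the SQL text itself."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Fixed pattern: a placeholder; the driver passes the input as a value."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def unsafe_lookup_breaks(conn: sqlite3.Connection, username: str) -> bool:
    """True when ordinary input (e.g. a name with an apostrophe) corrupts the
    concatenated query. The same property is what an injection abuses."""
    try:
        find_user_unsafe(conn, username)
        return False
    except sqlite3.Error:
        return True


def stored_hash(conn: sqlite3.Connection, username: str) -> str:
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    db = make_db()
    add_user(db, "alice", "password123")
    add_user(db, "o'brien", "correct horse")
    print("safe lookup:", find_user_safe(db, "o'brien"))
    print("unsafe lookup breaks on apostrophe:", unsafe_lookup_breaks(db, "o'brien"))
    print("stored for alice:", stored_hash(db, "alice"))
    print("login ok:", verify_password("password123", stored_hash(db, "alice")))
```

The point of the `o'brien` check is that the concatenated query falls apart on a perfectly legitimate name containing a quote character, which is exactly the seam an injection attack pushes on; the parameterized version handles it without any special escaping. On the storage side, what sits in the table is a salted hash, so a stolen copy of the table does not hand over password123 directly.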
So what can you do? We don’t have much control over Yahoo’s security practices. On your end, you can make sure that you always use strong passwords and never ever use the SAME password at multiple sites. Yahoo said that they will contact every customer that had an account involved in the breach. I would not wait for Yahoo to contact me. I would go ahead and change my password now.
John L. Jones