MySQL hit by irony attack

SQL injection exposes weak passwords.

In a somewhat ironic hack, MySQL.com has been compromised as a result of an SQL injection attack, leading to usernames and password hashes being published online.

The exploited flaws did not lie within the MySQL business database management software itself, but in the implementation of the Oracle-owned website.

The hackers posted a host of usernames and password hashes – some of which have reportedly been cracked already – onto Pastebin.com.

Hackers Ne0h and TinKode claimed responsibility for the compromises. The latter said they were behind an SQL injection attack on the Royal Navy website last year.

A number of the employee passwords leaked by the MySQL.com hackers appeared to be fairly weak, according to Chester Wisniewski, senior security advisor at Sophos Canada.

“Most embarrassingly, the director of product management's WordPress password was set to a four-digit number... his ATM PIN perhaps?” Wisniewski said in a blog post.

“The irony is that they weren't compromised by means of their ridiculously simple passwords, but rather flaws in the implementation of their site.”

MySQL owner Sun Microsystems – now an Oracle subsidiary – was also targeted by the two hackers, with tables and emails dumped on Pastebin, but no passwords.

“It was noted on Twitter that MySQL.com is also subject to an XSS (cross-site scripting) vulnerability that was reported in January 2011 and has not been remedied,” Wisniewski added.

This article originally appeared at itpro.co.uk

Copyright © ITPro, Dennis Publishing