MySQL hit by irony attack
MySQL.com gets hit by an SQL injection attack, and hackers leak some disconcertingly weak passwords onto the net.
In a somewhat ironic hack, MySQL.com has been compromised as a result of an SQL injection attack, leading to usernames and password hashes being published online.
The exploited flaws did not lie within MySQL's business database management software, but in the implementation of the Oracle-owned website.
The hackers posted a host of usernames and password hashes, some of which have reportedly been decrypted already, onto Pastebin.com.
Hackers Ne0h and TinKode claimed responsibility for the compromises. The latter said they were behind an SQL injection attack on the Royal Navy website last year.
A number of the employee passwords leaked by the MySQL.com hackers appeared to be fairly weak, according to Chester Wisniewski, senior security advisor at Sophos Canada.
"Most embarrassingly, the director of product management's WordPress password was set to a four digit number... his ATM PIN perhaps?" Wisniewski said in a blog.
"The irony is that they weren't compromised by means of their ridiculously simple passwords, but rather flaws in the implementation of their site."
MySQL owner Sun Microsystems, now an Oracle subsidiary, was also targeted by the two hackers, as tables and emails were dumped on Pastebin, but no passwords.
"It was noted on Twitter that MySQL.com is also subject to an XSS (cross-site scripting) vulnerability that was reported in January 2011 and has not been remedied," Wisniewski added.
Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.
He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.
