

Following Adobe user forum breach, hacker claims he has access to Yahoo servers - webalert
http://thenextweb.com/insider/2012/12/16/following-adobe-user-forum-breach-hacker-claims-he-has-access-to-some-yahoo-servers/?fromcat=all

======
rll
Something doesn't look quite right about this Yahoo hack. Yahoo doesn't store
MySQL passwords in PHP source code like that. Maybe he pulled these out of
something else and wrote that file himself as an odd way to show he got the
passwords?

Also, the apparent SQL injection is on a yahoo.net domain which Yahoo uses for
untrusted third-party stuff mostly. The fact that the error seems to be from
ASP is further evidence that this is very likely some third-party hosted app
that doesn't actually have much to do with Yahoo and likely poses no danger to
Yahoo users beyond the ones using this particular third-party service,
whatever it is.

~~~
bdcravens
I'm pretty sure the code shown is the "hacker"'s code, for demo's sake. That
said, the server address redacted out doesn't appear to be a Yahoo domain from
what I can see. That tells me that it's a third-party that was broken into.

------
bdcravens
Something doesn't add up here, or at least there are pieces missing:

1) Source code shown (presumably the attacker's?) shows MySQL
usernames/passwords (as implied by variable names)

2) SQL injection attack screen shows errors in System.Data.SqlClient namespace
- this is SQL Server: [http://msdn.microsoft.com/en-us/library/system.data.sqlclient.aspx](http://msdn.microsoft.com/en-us/library/system.data.sqlclient.aspx)

Might mean nothing. Article says the attacker had access to 12 databases, so
maybe it's a mix of different platforms. Still, the 2 screenshots really don't
corroborate one another.

------
general_failure
See also [http://blog.forwardbias.in/2012/12/my-xsrf-exploit-of-build-phonegap-com.html](http://blog.forwardbias.in/2012/12/my-xsrf-exploit-of-build-phonegap-com.html)

------
BigNuts
This is not the first time I have heard of people having full access to Yahoo
servers for a substantial amount of time.

------
nwh
It's reassuring that every company keeps (.*) very seriously.

