
Yahoo and the Rise of SQL Injections



On July 11, a hacker group known as “D33Ds Company” used an SQL injection attack to penetrate Yahoo’s database and compromise about 450,000 user records, which were later posted in an online password dump.[1] Now at least one user has filed a lawsuit against Yahoo for not protecting his information.[2] This attack appears to be part of a larger trend of rising SQL injection attacks.

A recent report from FireHost indicates that SQL injection attacks were on the rise during the second quarter of 2012, with most originating in the United States. While Yahoo, Sony, LinkedIn, eHarmony, Last.fm, Android Forums, Billabong, Formspring, Nvidia, Gamigo, and other companies have suffered high-profile attacks, these attacks appear to be across the board. “Some of the data theft incidents that are reported in the media are precisely targeted, but a more substantial risk to most comes from an abundance of automated, malicious bots that attack websites in a more random fashion,” said Todd Gleason, Director of Technology at FireHost. “Businesses should take readily available and basic steps to block any kind of unwanted traffic from accessing their sites. Mitigating Denial of Service attacks and ensuring web applications are secure can go a long way toward fighting off these random attacks.”[3]

What is an SQL Injection Attack?
An SQL injection is a way to penetrate databases through websites by using parts of an SQL command on a page to load a rogue SQL command to the database. This rogue command in turn alters database content or dumps the content (like passwords, Social Security numbers, account information) to the attacker.[4]
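
The mechanism described above, as an added example that is not part of the original article: a lookup that builds its SQL command from a form value, beside the same lookup using a bound parameter. The table, the accounts and the function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory database holding constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice@example.com", "constructed-pw-1"),
         ("bob@example.com", "constructed-pw-2")],
    )
    return db

def lookup_vulnerable(db, email):
    # Weak: the form value is pasted into the SQL text, so quote characters
    # inside it are parsed as part of the command instead of as data.
    query = "SELECT email, password FROM users WHERE email = '" + email + "'"
    return db.execute(query).fetchall()

def lookup_parameterized(db, email):
    # Hardened: the SQL text is fixed and the value is bound separately,
    # so the database only ever compares it against the email column.
    query = "SELECT email, password FROM users WHERE email = ?"
    return db.execute(query, (email,)).fetchall()

def demo():
    """Run an ordinary and a crafted form value through both lookups."""
    db = make_db()
    ordinary = "alice@example.com"
    # Constructed input: the quote ends the string literal early and the
    # rest is read as an extra condition that is true for every row.
    crafted = "nobody@example.com' OR '1'='1"
    return {
        "ordinary_vulnerable": lookup_vulnerable(db, ordinary),
        "ordinary_parameterized": lookup_parameterized(db, ordinary),
        "crafted_vulnerable": lookup_vulnerable(db, crafted),
        "crafted_parameterized": lookup_parameterized(db, crafted),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) returned")
```

With the ordinary value both lookups return the one matching account. With the crafted value the concatenated query returns every row in the table, while the parameterized query returns none.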

Last September, Imperva released an in-depth white paper on the rise of SQL Injection attacks. Here are the highlights from their findings:

  • Web applications average about 71 SQLi attempts an hour, and some applications have been attacked as often as 800-1300 times per hour.
  • Hackers have been able to avoid simple signature-based defenses by using new SQLi attack variants.
  • Hacking tools are continually evolving, easy to access, and don’t require special hacking skills.
  • Attackers focus on compromised machines, which serve as zombie networks. Users are often unaware their computers are compromised.
  • About 41% of all SQLi attacks originated from just 10 hosts.[5]

Tomorrow I’ll consider how companies can be better prepared to defend against SQL injections.

[1] Sean Michael Kerner. “Yahoo Hit By SQL Injection Attack.” Internet News, July 13, 2012
[2] Christopher Brock. “Yahoo Sued By User Following Breach of 450,000 Passwords.” Threat Post, August 3, 2012
[3] FireHost Press Release. “Q2 2012 FireHost Web Application Attack Report Shows Sharp Rise In SQL Injections.” July 24, 2012
[4] SQL injection from Wikipedia.
[5] “Hacker Intelligence Initiative, Monthly Trend Report #4.” Imperva, September 2011

2012-08-03 20:01:32

Source: http://blog.integracon.com/?p=946


