MySQL.com was hacked by a SQL injection attack over the weekend. The hackers used the exploit to extract usernames and password hashes from the site.
The extracted usernames and password hashes were subsequently posted to pastebin.com. Any easy-to-guess login credentials could be recovered from this data by using rainbow tables to match dictionary passwords to their hash values.
After extracting the information from MySQL, the hackers were able to decipher simple dictionary passwords with rainbow tables. It was found that the director of product management for WordPress at MySQL had a simple four-digit password for his account on the site.
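The following is an added example, not code from the article, showing from the site operator's side why an unsalted dump of fast hashes is only a lookup away from plaintext for short or dictionary passwords, and how per-user salts with a slow KDF remove the value of a precomputed table. The dump, the usernames and the passwords are constructed, and unsalted MD5 is an assumption, since the article does not say which hash MySQL.com used.

```python
import hashlib
import os
import secrets

# Constructed stand-in for the kind of dump the article describes:
# username -> unsalted MD5 hex digest. None of these are real MySQL.com values.
LEAKED = {
    "alice": hashlib.md5(b"4321").hexdigest(),            # four-digit password
    "bob": hashlib.md5(b"password").hexdigest(),          # dictionary word
    "carol": hashlib.md5(b"Tq9#vL2mX!r8pW").hexdigest(),  # long random password
}

# Every four-digit PIN plus a handful of dictionary words: a tiny precomputed
# table of the sort a rainbow table generalises. Built once, reused for all users.
WEAK_CANDIDATES = [f"{n:04d}" for n in range(10_000)] + [
    "password", "123456", "qwerty", "letmein",
]


def build_lookup(words):
    """Map unsalted MD5 digest -> candidate password for a word list."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def audit_unsalted(dump, table):
    """Return {username: recovered password} for every hash the table already knows.
    This is the check an operator should run on their own database before an
    attacker does; hits mean the stored form gives no protection for that user."""
    return {user: table[h] for user, h in dump.items() if h in table}


def store_password(password, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256 record: salt$iterations$digest (all hex)."""
    salt = os.urandom(16)  # fresh random salt per user, so no table is reusable
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_password(record, attempt):
    """Recompute the KDF with the stored salt and compare in constant time."""
    salt_hex, iters, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return secrets.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    # Precomputed lookup recovers the weak accounts instantly, not the strong one.
    print(audit_unsalted(LEAKED, build_lookup(WEAK_CANDIDATES)))
    # Same password, two users: different salts, so different records.
    print(store_password("4321") != store_password("4321"))
```

Note the caveat the salted scheme does not remove: a four-digit password is still only 10,000 guesses per user even with a slow KDF, so hashing hardens storage but a minimum password length is what actually protects accounts like the one described above.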
Hackers TinKode and Ne0h of Slacker.Ro, out of Romania, claimed responsibility for the hack when they posted it on pastebin.com. But a hacker by the name of Jackh4xor had posted the same information on the Full Disclosure mailing list before TinKode or Ne0h posted it online.
A similar attack was also attempted on the website of Oracle, MySQL's parent company. No login credentials were extracted in the attack on Oracle's website.
MySQL should have been ready for this type of attack: TinKode and Ne0h claimed in a blog post that they had discovered the vulnerability and posted it in multiple places, including XSSed.com and the Insecurity.ro message boards, back in January.