Janne Ahlberg found some noteworthy clues in the Yahoo! data dump

Jul 13, 2012 10:01 GMT  ·  By

A lot of security researchers have turned their attention to the data breach that affected Yahoo!, especially after the company confirmed the incident. Janne Ahlberg is one of those experts and his findings are certainly noteworthy.

One of the first things he noticed was the “timestamp” present in the massive data leak. The MySQL variable’s value – showing the time at which the query was made – translates to June 24, 2012. This indicates that the hackers may have had access to the database for some time before making the information public.

However, that’s not all. The researcher has found some even more interesting details.

“Yahoo said in their statement that hackers got ‘an older file’ - this could mean one of the tables in the dump: 'ac_www =>> fix_ac_user :::: clear_passwd', 'ac_www =>> fix_ac_user :::: aes_passwd' vs. 'ac_www =>> ac_user :::: passwd',” Ahlberg explained in an email to Softpedia.

“My assumption is such that ‘fix_ac_user’ is a temporary MySQL table created for converting the plain-text passwords to encrypted ones - which are most likely stored in the ‘ac_user’ database,” he added.

The expert believes that Associated Content may have stored the user passwords in clear-text, but when Yahoo migrated the system to Contributor Network, the company likely wanted to make certain improvements.

He continued, “If this assumption is correct, hackers dumped the 'fix_ac_user' table and published the clear-text passwords. But most likely they have all data from the database.”

“Let’s assume ‘fix_ac_user’ table contains the data from the time when Yahoo changed the password protection and that it was the one dumped. I would still say it is from this year, because many passwords and email addresses contain the string 2012.”

Unlike the owners of AndroidForum.com, who covered all possible aspects of the data breach that affected them - including blackmail and location tracking - Yahoo! doesn't seem to be very concerned. However, maybe they should be.

“Data seems to contain Paypal details (not password though), information about payments, personal details (address, DOB, phone number, email) etc. There could be quite severe risks to the affected users who might use the same credentials in other services.

“I was surprised to see that Yahoo did not cover other possible risks in their statement. Why would the hackers breach only one database when they obviously had access to all?” he said.

Finally, he offers some interesting insight regarding the hacker group – D33Ds Company – and the tools they used.

“The dump format also caught my eye. It does not look familiar, with all the special characters like ‘[dbname] =>> [tblname] ::: [fieldname]’. Perhaps they have changed the format or implemented a SQL injection tool of their own. I might be wrong, but at least the hacker tools I know do not display the dumps in this format,” Ahlberg revealed.
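As an added example (not part of the article or of Ahlberg's analysis), the following Python helper does the kind of breach triage the article describes: it inventories header lines written in the `[dbname] =>> [tblname] ::: [fieldname]` format quoted above, flags the fields a responder would treat as sensitive (such as `clear_passwd`), and renders the dump's timestamp as a UTC date. The sample headers and the timestamp value are constructed, and treating the timestamp as a Unix epoch value is an assumption.

```python
import re
from datetime import datetime, timezone

# Header pattern in the format quoted in the article: "[dbname] =>> [tblname] ::: [fieldname]".
# The quoted headers use both ":::" and "::::", so three or more colons are accepted.
HEADER_RE = re.compile(r"^\s*(\w+)\s*=>>\s*(\w+)\s*:{3,}\s*(\w+)\s*$")

# Field names a responder would treat as high-impact if exposed
# (constructed list, informed by the fields the article mentions).
SENSITIVE_FIELDS = {"clear_passwd", "passwd", "aes_passwd", "paypal", "dob", "address"}


def parse_header(line):
    """Return (db, table, field) for a header line, or None if the line is not a header."""
    m = HEADER_RE.match(line)
    return m.groups() if m else None


def inventory(lines):
    """Group the exposed field names by (db, table), preserving their order of appearance."""
    tables = {}
    for line in lines:
        parsed = parse_header(line)
        if parsed is None:
            continue  # data rows and comments are skipped; only headers are inventoried
        db, table, field = parsed
        tables.setdefault((db, table), []).append(field)
    return tables


def sensitive_exposure(tables):
    """Sorted (db, table, field) triples whose field is in SENSITIVE_FIELDS."""
    return sorted((db, tbl, f) for (db, tbl), fields in tables.items()
                  for f in fields if f.lower() in SENSITIVE_FIELDS)


def epoch_to_utc_date(ts):
    """Render a Unix timestamp (assumed encoding of the dump's MySQL timestamp) as YYYY-MM-DD in UTC."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%d")


# Constructed sample headers in the article's format; these are not lines from the real dump.
SAMPLE_DUMP = """\
ac_www =>> fix_ac_user :::: clear_passwd
ac_www =>> fix_ac_user :::: aes_passwd
ac_www =>> ac_user ::: passwd
ac_www =>> ac_user ::: email
"""

if __name__ == "__main__":
    tables = inventory(SAMPLE_DUMP.splitlines())
    for (db, tbl), fields in tables.items():
        print(f"{db}.{tbl}: {', '.join(fields)}")
    print("sensitive:", sensitive_exposure(tables))
    print("timestamp:", epoch_to_utc_date(1340496000))  # constructed value
```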

Regarding the hackers, he explained, “some said they are a new group. I assume you know that this is not the case. They have an interesting service offering and some published hacks. The RankMyHack case is the one I remembered when I saw the Yahoo news the first time.”

The research performed by Imperva also highlights that the fix_ac_user table is most likely the source of the massive data leak.