MySQL sites hacked with SQL injection

 

Gallery

By Nicole Kobie

Posted on 28 Mar 2011 at 11:48

MySQL's websites have been hacked, ironically by attackers using an SQL injection.

The attack targeted MySQL.com, as well as French, German, Italian and Japanese versions of the site. The attackers managed to gather up employee email addresses and passwords, as well as customer details.

Chester Wisniewski, security advisor for Sophos, said the flaw wasn't in MySQL itself. "It does not appear to be a vulnerability in the MySQL software, but rather flaws in the implementation of its websites," he said on the Sophos blog.

The leaked data didn't reflect well on the site's security. "Most embarrassingly, the director of product management's WordPress password was set to a four digit number... his ATM PIN perhaps? Several accounts had passwords like 'qa'," he said. "The irony is that it wasn't compromised by means of its ridiculously simple passwords, but rather flaws in the implementation of its site."

Wisniewski said the attack also targeted MySQL's parent companies, Sun Microsystems and latterly Oracle, which acquired Sun for $7 billion last year. "Both tables and emails were dumped from their databases, but no passwords," he said.

Oracle has yet to get back to us with a comment.