MySQL Website Hit By SQL Injection Attack

Hackers have assaulted the MySQL website with a blind SQL injection attack and have stolen usernames and password hashes.

According to the Sophos Naked Security blog, the attack was discovered after the attackers posted their exploit on the Full Disclosure mailing list.

The perpetrators then dumped the stolen usernames and password hashes on the pastebin.com website for everyone to see. Apart from MySQL.com, the hackers also attacked the MySQL website in Germany, Italy, France and Japan.

“It does not appear to be a vulnerability in the MySQL software, but rather flaws in the implementation of their websites,” Sophos researcher Chester Wisniewski commented.

“Auditing your websites for SQL injection is an essential practice, as well as using secure passwords,” he said.

Sophos also said that the passwords disclosed by the hackers indicated a low level of sophistication when it comes to setting passwords. For example, Robin Schumacher, MySQL's Director of Product Management had a four letter password for his WordPress account.

“Several accounts had passwords like 'qa'. The irony is that they weren't compromised by means of their ridiculously simple passwords, but rather flaws in the implementation of their site,” the company noted.

The attackers also targeted two Sun.com websites, which deal with sales of remanufactured systems, with the SQL injection attacks.