Russian hackers steal over a billion passwords

[dacoolist]

MotherRussia's at it again.

[smackyslap]

Would love a list of websites affected

[inboundpaper]

Comrades, great news! Turnip harvest is going to be good. Much vodka to celebrate.

[Deleted]

Would love a list of websites affected

You'd love a list with over 400 thousand lines?

[Kuja]

You'd love a list with over 400 thousand lines?

Would love a list of popular websites affected. Ebay? Paypal? Mmo champ?

[Xarkan]

the ars technica article probably has as much info as is going to be detailed this far in. As for what was affected, it's most likely just websites. SQLI is just appending SQL commands to an input or querystring that gets interpreted by the script on the website. So if you have a crappy search form that gets shot into a SQL query without any kind of escaping or cleansing (ie. "SELECT * FROM `blahblah` WHERE whatever='&$_POST['searchinput']&';") It's incredibly easy for someone to just type into that search form "blah';DROP TABLE `blahblah`;" and it would execute the entire input, deleting the table 'blahblah' in the process.

It just boils down to poor protection measures and poor scripting. It's such an easy thing to avoid really, PHP has functions built in to cleanse and escape variables and the lot (mysqli_real_escape_string() or addslashes()) and using prepared statements (ie. bind_param()) and such for entries/updates does it all for you too.

Reminds me of a comic..

[smackyslap]

You'd love a list with over 400 thousand lines?

ctrl+f is pretty good man

[Deleted]

the ars technica article probably has as much info as is going to be detailed this far in.

Yeah I suspected it would boil down to not having prepared statements - it's funny too since you can just grab yourself SQLmap and use that to automate scanning your website but I guess if people still use sql instead of sqli and don't sanitize, it's not going to make much of a difference.

[Trassk]

I change my password with every website I use anyway.

[Conspicuous Cultist]

Fine Погода we're having today, yes?

Ugh... I катастрофически нужна водку.

[Deleted]

they probably confused the database with their alien language, just like in WoW

[Triggered Fridgekin]

Oh those Russians!

[Deleted]

Oh no not my email accounts that I rarely use.

err you use your email for virtually everything online

[Dispraise]

err you use your email for virtually everything online

No, I use Steve's email for virtually everything online. He's gon' be pissed.

[Mister Cheese]

Oh no. A billion passwords. It totally will take 5 seconds to go through all of them and steal everyone's information.

Really though it's like your PW was never stolen at all anyways. Your chances of them using this information to steal from you is incredibly low.

[Hottage]

I'm more disgusted that there are over a billion passwords either stored in plain text or in a format that allows for easy unobfusion.

Then again, if you're too lazy to properly escape your SQL statements, I guess you're also too lazy to bother salting/peppering the passwords before hashing them... or even hashing them in the first place.

My security analyst sense is convulsing.

[Wayne25uk]

First Ukraine now my bank account details,oh noes!!!!! Those dam dirty russians!!

[Nihilan]

Fear not filthy capitalists. I'm sure our comrades in Beautiful Mother Russia did not do this thing. There is no problem friend. No passvords stolens. Go back to sleeps.

[Annoying]

I'm getting a ton of password reset requests from... rift. Which I've never played.