07-16-12 | Blog Post
Big names are getting hacked big time – from LinkedIn to Global Payments, Inc. (one of the largest credit card processor companies). Just a few days ago, Yahoo joined the ranks. Via Yahoo’s Customer Care Twitter, I found a statement that confirmed “an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 450,000 Yahoo! and other company users names and passwords were compromised yesterday, July 11.”
A hacker group by the name of the D33Ds Company has published a list of the information they stole, which includes email addresses from Gmail.com, Hotmail.com, AOL.com and Yahoo.com. They got into the database via SQL injection, exploiting a vulnerability in the web application that sat in front of it.
What’s worse, or at least far sadder, is that an analysis of the leaked passwords showed that people are really quite terrible at choosing them. “123456” was used by almost 2,000 people, with “password” coming in second for over 2,000 users. Passwords that easy to guess make the attack on the web server almost beside the point, but I suppose those hackers were out to prove a specific point.
Anyway, here’s your lesson – put a web application firewall (WAF) in front of your web applications to significantly strengthen your database security. Imperva has a great, easy-to-understand video that explains what a WAF does, how it does it, and why it differs from other tools in the way it detects and blocks SQL injection.
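To make the injection the post refers to concrete, here is an added example (not code from the original post, from Yahoo, or from Imperva) showing the defect a WAF is guarding against and the fix at the source. The table, the two sample accounts and the probe string are all constructed; the point is that a query built by string concatenation lets user input become SQL, while a bound parameter keeps it a plain value.

```python
import sqlite3

# Constructed sample rows standing in for a contributor-network user store.
SAMPLE_USERS = [
    ("alice@example.com", "correct-horse"),
    ("bob@example.com", "123456"),
]

# Constructed probe of the classic "always true" form; used only to show the
# difference between the two lookups below.
PROBE = "x' OR '1'='1"


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, email):
    """Defective lookup: the caller's input is spliced into the SQL text,
    so a quote character in it changes the query's structure."""
    sql = "SELECT email, password FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Hardened lookup: the input is bound as a parameter, so the database
    treats it as a literal value and the query structure never changes."""
    sql = "SELECT email, password FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare(probe=PROBE):
    """Run the same input through both lookups and report what each returns."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, probe)),
        "safe_rows": len(lookup_safe(conn, probe)),
        "legitimate_rows": len(lookup_safe(conn, "alice@example.com")),
    }


if __name__ == "__main__":
    # With the probe, the concatenated query returns every row in the table;
    # the parameterized query returns none, because no email equals the probe.
    print(compare())
```

A WAF sits in front of the application and tries to recognise inputs like the probe before they reach `lookup_vulnerable`; binding parameters as in `lookup_safe` removes the defect itself, so the two are complementary layers rather than alternatives.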
While anyone concerned with security should have this tool in place, it’s important to note that it’s actually required in order to meet PCI DSS compliance (the Payment Card Industry Data Security Standard, which applies to credit cardholder environments in order to protect sensitive account information from hackers and misuse). Of the 12 requirements, it is requirement 6.6 that mandates addressing new threats and vulnerabilities on an ongoing basis, with a WAF placed in front of public-facing web apps to detect and prevent attacks as one method. The other method it allows is a manual or automated code review at least annually.
Although the Yahoo incident was not a PCI-related breach, the technology used to achieve PCI compliance offers extra protection against hackers and malicious attacks on your web applications and databases. Find out more about PCI compliant hosting by reading our PCI compliant hosting white paper.