Over the weekend, “TinKode” and “NeOh,” two Romanian hackers, hit www.reman.sun.com and www.ibb.sun.com. They grabbed table names, column names and email addresses from one of the tables. So far, it’s unclear whether the hackers also possess a list of usernames and passwords from the Sun.com site. They did obtain this information from MySQL.com, and posted it online.
According to Chester Wisniewski, a Sophos senior security advisor, the way the open source software was coded led to the vulnerability. “Auditing your Websites for SQL injection is an essential practice, as well as using secure passwords,” he wrote on the Naked Security blog.
Specifically, both the MySQL.com and Sun.com sites have cross-site-scripting vulnerabilities, some of which came to light as recently as January. The particular technique the hackers used let them pull out small pieces of information with each request and assemble them into the full picture. This is why hiding SQL errors from an attacker is not good enough if you’re trying to secure your website: the data leaks through differences in how the application responds, not through the error messages themselves.
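To make the point concrete, here is an added example (not code from the article or from the affected sites) in Python using an in-memory SQLite database with constructed placeholder users. It places a string-concatenated lookup that swallows database errors, the pattern the article warns about, beside a parameterized lookup. With errors hidden, the vulnerable version still returns a different result set depending on whether an injected condition is true or false, which is exactly the signal an attacker assembles piece by piece; the parameterized version treats the same input as plain data.

```python
import sqlite3


def build_db():
    """Constructed sample data for the demo; the addresses are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The 'before' form: user input is spliced into the SQL text.

    Database errors are swallowed and reported as 'no results', mirroring
    a site that hides SQL errors from its visitors.
    """
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    try:
        return sorted(row[0] for row in conn.execute(sql))
    except sqlite3.Error:
        return []  # error hidden from the caller, but behaviour still differs


def lookup_parameterized(conn, username):
    """The hardened form: the driver sends the value separately from the
    query text, so the input can never change the query's structure."""
    sql = "SELECT email FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def compare_lookups():
    """Run both lookups on a normal value and on two crafted values.

    The crafted values append a condition that is always true or always
    false. No error is ever shown, yet the vulnerable lookup answers
    differently for the two cases; that response difference is the leak.
    """
    conn = build_db()
    inputs = {
        "normal": "alice",
        "true_cond": "nobody' OR 1=1 --",
        "false_cond": "nobody' OR 1=2 --",
    }
    return {
        "vulnerable": {k: lookup_vulnerable(conn, v) for k, v in inputs.items()},
        "parameterized": {k: lookup_parameterized(conn, v) for k, v in inputs.items()},
    }


if __name__ == "__main__":
    for form, results in compare_lookups().items():
        for case, rows in results.items():
            print(f"{form:14s} {case:11s} -> {rows}")
```

A regression test of this shape, asserting that crafted inputs produce the same empty result as any other unknown username, is one practical way to carry out the website auditing the Sophos advisor recommends; the fix itself is to use parameterized queries everywhere user input reaches SQL, not merely to suppress error output.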