MySQL.com Database Compromised By Blind SQL Injection

An email was sent out earlier today on the Full-Disclosure mailing list, detailing the compromise of numerous MySQL websites along with portions of their database containing usernames and passwords.

MySQL offers database software and services for businesses at an enterprise level as well as services for online retailers, web forums and even governments. The vulnerability for the attack, completed using blind SQL injection and targeted servers including MySQL.com, MySQL.fr, MySQL.de and MySQL.it, was initially found by “TinKode” and “Ne0h” of Slacker.Ro (according to their pastebin.com/BayvYdcP dump of the stolen credentials) but published by “Jackh4x0r”.

The stolen database contain both member and employee email addresses and credentials, as well as tables with customer and partner information and internal network details. Hashes from the database have been posted, with some having been already cracked.

Source: youtube.com

A submission to XSSed.com also details an XSS (Cross Site Scripting) vulnerability affecting MySQL.com that may have provided a secondary entry point for compromising visitors or employees with the organization since early January of 2011.

This is definitely a shame for the folks behind MySQL since they were bought by Sun and later on by Oracle (through the Sun acquisition). MySQL is used by millions of users for small and medium sized databases, including by the popular blogging software WordPress.

The email sent to Full Disclosure lists out all the databases, tables and even some password hashes for the users at MySQL.com. There has been no response from MySQL on this issue yet. We have contacted them for a comment and will update this post once more information becomes available.