Sadly, SQL injection attacks never go out of style – or effectiveness
“Kapustkiy,” a self-described teenager who has been using SQL injection attacks on a number of government sites, today dumped some data from the National Assembly of Ecuador. There were 655 email addresses and passwords in his public paste, although the list contained some duplicates.
As he has done in the past, and as he informed this site in a private communication, he had previously tried to notify the target of the vulnerability.
Inspection of the data revealed that approximately half of the email addresses were Hotmail accounts and almost 150 were Gmail accounts. The passwords were stored as unsalted MD5 hashes and were easily cracked. Embarrassingly, the second and third individuals on the list both used the password “1234.”
This is just one of a number of such hacks and dumps Kapustkiy has released in the past few weeks. As he’d be the first to acknowledge, none of these are earth-shattering breaches. But they do make a point: how is it that in 2016, so many government sites are still so poorly secured that they fall prey to SQL injection attacks and that they’re using MD5 for passwords? This really doesn’t inspire confidence in a government’s ability to secure important information, does it?
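The two failures this dump illustrates, string-built SQL and unsalted MD5 password storage, are both cheap to avoid. The following Python example is added here for illustration; it is not code from the article, from the affected site, or from Kapustkiy. It uses an in-memory SQLite table with made-up users, puts a concatenated query beside its parameterized equivalent, shows how a tiny constructed guess list recovers a password like “1234” from an unsalted MD5 hash, and shows the salted, iterated PBKDF2 storage that should have been used instead. All names, emails and passwords in it are constructed sample values.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts standing in for the kind of rows found in the dump.
SAMPLE_USERS = [
    ("alice@example.com", "1234"),
    ("bob@example.com", "correct horse battery staple"),
]

# Tiny constructed guess list standing in for the wordlists used against unsalted MD5.
COMMON_PASSWORDS = ["password", "123456", "1234", "qwerty"]


def md5_hex(text):
    """Unsalted MD5, as the breached site apparently stored passwords. Shown only to audit it."""
    return hashlib.md5(text.encode()).hexdigest()


def make_db():
    """Build an in-memory table that mirrors the insecure storage described in the article."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, pw_md5 TEXT)")
    for email, pw in SAMPLE_USERS:
        conn.execute("INSERT INTO users VALUES (?, ?)", (email, md5_hex(pw)))
    return conn


def lookup_unsafe(conn, email):
    """VULNERABLE: the caller's input becomes part of the SQL text, so it reaches the parser."""
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    """FIXED: parameter binding passes the input as data; it can never alter the query structure."""
    rows = conn.execute("SELECT email FROM users WHERE email = ?", (email,))
    return [row[0] for row in rows]


def query_breaks(conn, email):
    """True if the concatenated query fails on this input, the classic symptom of an injectable query."""
    try:
        lookup_unsafe(conn, email)
        return False
    except sqlite3.Error:
        return True


def crack_md5(md5_digest):
    """Recover a password from an unsalted MD5 hash by direct comparison against the guess list."""
    for guess in COMMON_PASSWORDS:
        if md5_hex(guess) == md5_digest:
            return guess
    return None


def audit_md5_table(conn):
    """Run the guess list over every stored hash; this is what a dump like the one above exposes."""
    rows = conn.execute("SELECT email, pw_md5 FROM users ORDER BY email")
    return [(email, crack_md5(digest)) for email, digest in rows]


def hash_password(password, salt=None, iterations=100_000):
    """Salted, iterated PBKDF2-HMAC-SHA256 from the standard library: per-user salt defeats
    precomputed tables and the iteration count makes each guess expensive."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    db = make_db()
    print("unsafe query breaks on an apostrophe:", query_breaks(db, "o'brien@example.com"))
    print("safe query on the same input:", lookup_safe(db, "o'brien@example.com"))
    print("MD5 audit:", audit_md5_table(db))
    stored = hash_password("1234")
    print("PBKDF2 record:", stored)
    print("verify correct / wrong:", verify_password("1234", stored), verify_password("12345", stored))
```

The `query_breaks` check is a useful one-line smoke test for your own code paths: any lookup that errors on an input containing a single quote is building SQL by concatenation and should be moved to bound parameters. The MD5 audit shows why the dump was so damaging: with no salt and no work factor, one hash computation per guess is all it takes, whereas the PBKDF2 record carries a random salt and an iteration count that the verifier reads back, so each stored password must be attacked separately and slowly.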
CORRECTION: A previous version incorrectly described Kapustkiy as Japanese. He informs this site that he is not.