Something doesn't look quite right about this Yahoo hack. Yahoo doesn't store MySQL passwords in PHP source code like that. Maybe he pulled these out of something else and wrote that file himself as an odd way to show he got the passwords?

Also, the apparent SQL injection is on a yahoo.net domain which Yahoo uses for untrusted third-party stuff mostly. The fact that the error seems to be from ASP is further evidence that this is very likely some third-party hosted app that doesn't actually have much to do with Yahoo and likely poses no danger to Yahoo users beyond the ones using this particular third-party service, whatever it is.

I'm pretty sure the code shown is the "hacker"'s code, for demo's sake. That said, the server address redacted out doesn't appear to be a Yahoo domain from what I can see. That tells me that it's a third-party that was broken into.

Something doesn't add up here, or at least there's pieces missing:

1) Source code show (presumably the attacker's?) shows MySQL usernames/passwords (as implied by variable names)

2) SQL injection attack screen shows errors in System.Data.SqlClient namespace - this is SQL Server: http://msdn.microsoft.com/en-us/library/system.data.sqlclien...

Might mean nothing. Article says the attacker had access to 12 databases, so maybe it's a mix of different platforms. Still, the 2 screenshots really don't corroborate one another.

See also http://blog.forwardbias.in/2012/12/my-xsrf-exploit-of-build-...

This is not the first time i have heard of people having full access to yahoo servers for a substantial amount of time.

It's reassuring that every company keeps (.*) very seriously.