Yahoo's latest SQL Injection incident

A time-based blind SQL injection web vulnerability was detected in the official Yahoo Marketing Application Service. This vulnerability allowed remote attackers to inject their own SQL commands to breach the database and obtain access to user data. This was discovered by an Egyptian information security researcher. The vulnerability was located in one of the main PHP modules. http://alrt.co/18c5ECh

Takeaway: This vulnerability was discovered by a white-hat hacker, who alerted Yahoo and also provided steps to mitigate it. Typically, such vulnerabilities are actively exploited for weeks or months before the application owner learns of them. Many public-facing software companies, including Google, Microsoft and Facebook, offer bug bounty programs in which hackers are awarded large sums of money for identifying and responsibly reporting such exploits.