New York Yankees and DSLReports responsible for 30,000 more data loss victims

Posted: April 29, 2011 in Data Loss, News

A season ticket sales representative for the New York Yankees accidentally emailed a spreadsheet to “several hundred” affiliates with the personally identifiable information of over 21,000 Yankees ticket holders.

According to the Yankees, the spreadsheet contained customers’ names, addresses, phone numbers, fax numbers, email addresses and other information like their seat numbers and which ticket packages they purchased.

Later this afternoon, DSLReports disclosed that it had been the victim of a SQL injection attack that succeeded in stealing usernames and passwords. Justin, the owner of DSLReports, wrote in a forum message that a “sql injection attack by a botnet on Wednesday afternoon obtained a large number of email / password pairs.”

Strangely, Justin stated that he had notified account holders who either created their accounts in the last 12 months, or had logged in over the last 12 months. This seems like a terrible practice. Many users have had accounts for more than 10 years and may not even remember having created one.

To not notify everyone who may have been affected seems to be a lapse in judgement, but it gets worse. All of the passwords in DSLReports’ database were in clear text. No hashing, no salting, totally unencrypted.

Once again we find that if we re-use passwords for seemingly unimportant websites, we may be putting our reputations at risk. You can count on the attackers trying to use these email addresses and passwords on as many popular sites as possible.

They may only use them to spread forum spam, but do you really want your name/profile/identity associated with this kind of activity?

  1. Ivor Soans says:

    This is crazy…can’t believe Yankees can do such a big goof up!!
