by vectorEQ 3031 days ago
:s I can't even get my MySQL to allow me to log in as root without a password >.< That takes a special kind of negligence.... And really, how long was it there before they developed a new product and tested it on themselves? :/ Seems logical, especially for a security service provider, that even with the lack of such a product this would still be noticed?

That besides pitching their own product for an issue any similar-natured scan would pick up, I'd say it smells like the marketing department at work more than Chinese hackers or a shitty service provider.... >.>

I doubt they would have left a passwordless root on their MySQL, or didn't they check the initial setup they were given by the provider before taking it into use?

1 comment

If you read the story you would see that the database host is a shared host (as in, hundreds of other clients of the web host have accounts on it) and that the error is likely the result of a persistent hack. As in, there is a vulnerability where someone can get access to the server and create a passwordless root account, so that they can siphon the data out.

Once that account is deleted, a new passwordless root account is created by the attacker in order to continue access.