A Moscow-based security company admitted today to an almost 11-day exposure of a database containing customer information.
A single Romanian hacker, who identified himself only as Unu, broke into a custom-built, U.S.-based Kaspersky Lab support website on Saturday, exposing a server containing thousands of customer email addresses and up to 25,000 activation codes.
Unu said that he was able to break into a section of the company's brand-new U.S. support website by taking advantage of a flaw in the site's programming, using a SQL injection attack.
In a SQL injection attack, the attacker takes advantage of bugs in Web programs that build database queries from user input. The goal is to find a way to run commands inside the database itself and reach information that would normally be protected.
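To make the mechanism concrete, here is an added illustration that is not from the article and not Kaspersky's code: a customer lookup that pastes user input into the SQL text, beside the same lookup written with a parameterised query. The table, its two rows and the crafted input are all constructed for the example and run against an in-memory SQLite database.

```python
"""Added example (not from the article): string-built SQL beside a
parameterised query, run against a constructed in-memory SQLite table."""
import sqlite3


def make_db():
    # Constructed sample data standing in for a support site's customer table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, activation_code TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice@example.com", "CODE-0001"),
         ("bob@example.com", "CODE-0002")],
    )
    return conn


def lookup_vulnerable(conn, email):
    # Defect: the caller's input becomes part of the SQL text, so the
    # database parses it as SQL rather than treating it as a value.
    sql = "SELECT email FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    # Parameter binding sends the value separately from the SQL text,
    # so whatever the caller supplies is only ever compared as data.
    sql = "SELECT email FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def demo():
    conn = make_db()
    normal = "alice@example.com"
    # Constructed input that closes the quoted string and appends a
    # condition that is always true, widening the WHERE clause.
    crafted = "x' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_crafted": lookup_vulnerable(conn, crafted),
        "safe_normal": lookup_safe(conn, normal),
        "safe_crafted": lookup_safe(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the normal address both versions return one row. With the crafted input the string-built query returns every customer in the table, which is exactly the "access information that would normally be protected" outcome described above, while the parameterised query returns nothing because no email literally equals the crafted string. The fix is not input filtering but keeping SQL and data separate at the database driver.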
"This is not good for any company, especially a company that deals with security," said Roel Schouwenberg, a senior research engineer at Kaspersky. "This should not have happened, and now we're doing everything in our power to do forensics in this case and prevent it from ever happening again."
The attacker did not publish any sensitive data, even though he could have gained access to it, Kaspersky said in a press conference.
In a post on hackersblog.org, the hacker explains that they don't keep confidential data: "Yes, that SQL injection in usa.kaspersky.com is very real. Still, Kaspersky team doesn't need to worry about us spreading their confidential stuff. Our staff will never save or keep any confidential data; we just point our fingers to big websites with security problems. We hope to see that vulnerability patched very soon (if it isn't already patched)."
Kaspersky is one of the industry's best-known antivirus and security software makers.