Kaspersky denies data leak following SQL hack

Kaspersky denies data leak following SQL hack

Summary: The US website of the Russian antivirus vendor has been hacked and the company's customer database exposed, but Kaspersky denies data was compromised

SHARE:
TOPICS: Security
1

Russian antivirus vendor Kaspersky Labs's US website was hacked over the weekend, exposing the company's customer database, but Kaspersky has denied data was compromised and says the vulnerability wasn't critical.

An unidentified hacker reported over the weekend that he was able to access a complete profile of the company's databases, revealing its clients' names, activation codes, list of bugs the company tracks and client email addresses.

The hacker claimed to have hacked Kaspersky Labs's databases using an SQL injection attack, which exploits a vulnerability in an application's database layer.

The method has become a popular means to gain information via web-facing applications or as a way to use popular websites to spread malicious software.

Microsoft's UK website came under a similar attack in 2007 when hackers used an SQL injection to inject HTML code which seemingly defaced its web pages.

The Kaspersky hacker, who published their finding on the Hackersblog.org website, has since said that confidential data would not be released.

"[The] Kaspersky team doesn't need to worry about us spreading their confidential stuff. Our staff will never save or keep any confidential data. We just point our fingers to big websites with security problems," they reported.

Kaspersky Labs has admitted that a subsection of its usa.kaspersky.com domain was vulnerable last Saturday when a hacker "attempted an attack on the site".

"The site was only vulnerable for a very brief period, and upon detection of the vulnerability we immediately took action to roll back the subsection of the site and the vulnerability was eliminated within 30 minutes of detection. The vulnerability wasn't critical and no data was compromised from the site," a spokesperson for the company said in a statement.

Topic: Security

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

1 comment
Log in or register to join the discussion
  • Actually...

    Actually recently (and I'm assuming this was it) customer data WAS in fact leaked. By using a "catch-all", I use a different e-mail address for each computer or website I sign up with. I do this for two reasons; if that particular company gets hacked and data is leaked (such as in this case) I only need to blackhole that one e-mail address. Another reason is that I'll know WHO got hack or WHO SOLD my e-mail address to the spammer. Kaspersky has now been added to that list. I am now getting SPAM e-mails sent to the e-mail alias I use with Kaspersky. It's ashame since Kaspersky is such a great company and provides such great products!

    Hopefully it won't happen again... I'm going to change the e-mail address I have on file with them to something like Kaspersky2@subdomain.domain.com (I'm not revealing my true subdomain/domain) and I'll blackhole the current one (Kaspersky@subdomain.domain.com) as to stop the spam.

    Oh, another big company comes to mind... I signed up for My Coke Rewards (using e-mail alias MyCokeRewards@subdomain.domain.com) and now I'm getting spam sent to that e-mail alias. Good job, Coca Cola! I hope it was an unintentional data leak and not you guys selling my e-mail!!!

    Andrew Bucklin
    True Value Web Design
    Lynchburg, Virginia, USA
    AndrewBucklin