Kaspersky denies leaks after SQL hack

Russian antivirus vendor Kaspersky Labs's US website was hacked over the weekend, exposing the company's customer database, but Kaspersky has denied data was compromised and says the vulnerability wasn't critical.

An unidentified hacker reported over the weekend that he was able to access a complete profile of the company's databases, revealing its clients' names, activation codes, list of bugs the company tracks and client email addresses.

The hacker claimed to have hacked Kaspersky Labs's databases using an SQL injection attack, which exploits a vulnerability in an application's database layer.

The method has become a popular means to gain information via web-facing applications or as a way to use popular websites to spread malicious software.

Microsoft's UK website came under a similar attack in 2007 when hackers used an SQL injection to inject HTML code which seemingly defaced its web pages.

The Kaspersky hacker, who published their finding on the Hackersblog.org website, has since said that confidential data would not be released.

"[The] Kaspersky team doesn't need to worry about us spreading their confidential stuff. Our staff will never save or keep any confidential data. We just point our fingers to big websites with security problems," they reported.

Kaspersky Labs has admitted that a subsection of its usa.kaspersky.com domain was vulnerable last Saturday when a hacker "attempted an attack on the site".

"The site was only vulnerable for a very brief period, and upon detection of the vulnerability we immediately took action to roll back the subsection of the site and the vulnerability was eliminated within 30 minutes of detection. The vulnerability wasn't critical and no data was compromised from the site," a spokesperson for the company said in a statement.

This article was originally posted on ZDNet Australia.