Nokia admits developer details leaked in hack

The phone maker has revised its estimate of how many developers had their details exposed in a SQL injection attack on its forum, saying the number is 'significantly larger' than first thought

A hacker accessed personal details of Nokia developers in an attack on the Nokia Developer site last week, the phone manufacturer has admitted.

The intrusion resulted in the apparent attacker, 'pr0tect0r AKA mrNRG', redirecting visitors to the Nokia Developer Community forum to a page berating Nokia for its server security. On Monday, Nokia told forum members that it had originally believed "only a small number" of their records had been accessed, but it had since revised that analysis.

"Further investigation has identified that the number is significantly larger," Nokia said in an email sent to developers, apologising and explaining that a SQL injection attack had exploited a vulnerability in the bulletin board software. The same statement was also put on a page that is still, at the time of writing, standing in for the Nokia Developer Community site.

The company said it had addressed the initial vulnerability, but has taken the developer community website offline as a "precautionary measure, while we conduct further investigations and security assessments".

"We hope to get the site back online as soon as possible and will post developments here in the meantime," Nokia said.

According to Nokia, the database table records accessed in the attack mostly consist of email addresses, leading the company to believe that "the only potential impact to [members] may be unsolicited email".

LOL, Worlds number 1 mobile company but not spending a dime for a server security!

– Hackers' message

However, almost seven percent of forum members also included birthdates, homepage URLs or instant messaging usernames in their public profiles, and this data may also have been accessed, Nokia said.

"[The exposed records] do not contain sensitive information such as passwords or credit card details and so we do not believe the security of forum members' accounts is at risk," Nokia said, adding that "other Nokia accounts are not affected" and the company remained unaware of any misuse of the accessed data.

The page to which Nokia developers were briefly redirected showed a picture of Homer Simpson, along with the words: "LOL, Worlds number 1 mobile company but not spending a dime for a server security! FFS patch your security holes otherwise you will be just another antisec victim. No Dumping, No Leaking!!"

The mention of "antisec" is a reference to the campaign being waged by hacker groups Anonymous and LulzSec, partly to attack those with whom they disagree politically, and partly to expose and poke fun at poor security practices.

Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.