SQL injection attacks up 69%

The number of SQL injection attacks has jumped by more than two thirds: from 277,770 in Q1 2012 to 469,983 in Q2 2012. This may be what hackers are using to steal all those e-mail addresses and passwords as of late.
Written by Emil Protalinski, Contributor on
Q2 2012: SQL injection attacks up 69%

SQL injection attacks are becoming significantly more popular amongst hackers, according to recent data. Between Q1 2012 and Q2 2012, there has been an estimated 69 percent increase of this attack type.

The latest numbers come from secure cloud hosting company FireHost, which blocks various types of attacks that are attempting to harm its clients' Web applications and databases hosted at the firm's U.S. and European data centres. The company has broken down its findings into four different attack types which it considers as being the most malicious and dangerous: Cross-site Scripting (XSS), Directory Traversals, SQL Injections, and Cross-site Request Forgery (CSRF).

Here's where the 69 percent number for SQL injection attacks comes in: Firehost has seen a rise from 277,770 blocked attacks in the first quarter to 469,983 in the second quarter. The company also note this attack type is frequently cited as an attack vector of choice for data thieves.

For the uninitiated, SQL injection involves the entering of malicious commands into URLs and text fields on vulnerable websites. The goal is to steal the contents of databases and then use that information for further crime.

SQL injection attacks have been associated with many high profile data breaches, such as when LulzSec hacked Sony in 2011. The data is from this year, however, so what gives? Well, the method is also often used by hackers to steal user account credentials such as e-mail addresses and passwords.

In the last few months, there have been a slew of attacks against the following sites: LinkedIn, eHarmony, Last.fm, Yahoo, Android Forums, Billabong, Formspring, Nvidia, and Gamigo, among others. I doubt they were all SQL injection attacks, but I wouldn't be surprised if many were.

"Many, many sites have lost customer data in this way," Chris Hinkley, a Senior Security Engineer at FireHost, said in a statement. "SQL injection attacks are often automated and many website owners may be blissfully unaware that their data could actively be at risk. These attacks can be detected and businesses should be taking basic and blanket steps to block attempted SQL Injection, as well as the other types of attacks we frequently see."

See also:

Editorial standards