SQL injection attack reveals Kaspersky Lab's customer database
"This is not good for any company, especially for a company dealing with security," said Roel Schouwenberg, a Kaspersky senior antivirus researcher, in a telephone conference call today. "This should not have happened."
According to Schouwenberg, no customer data was accessed. "No real data has been accessed, and no data was revealed," he said.
The hackers, who are presumed to be Romanian, went public early Saturday in a blog post. There, they claimed that after launching a SQL injection attack on Kaspersky's U.S. support site, they were able to access a customer database that included e-mail addresses and software activation codes.
Schouwenberg confirmed that the database was hacked via a SQL injection attack, but he reiterated that only the database's table labels had been accessed by the hackers, not the data itself. "A more advanced hacker could have gotten access to the information," Schouwenberg acknowledged, "including activation codes for the product and e-mail addresses. But that didn't happen."
A pool of approximately 2,500 users' e-mail addresses and some 25,000 activation codes were at risk, he said.
Schouwenberg blamed a combination of vulnerable code crafted by an unnamed third-party vendor and poor code review by Kaspersky. "We could have done a bit more to protect ourselves," he said. He also acknowledged that both internal and external monitoring of the company's Web properties had not caught the error. "A piece of the [support] site did not receive the usual scrutiny," said Schouwenberg.
The revamped support site, part of the company's U.S. operations, had been relaunched Jan. 28, leaving the database open to attack from that time until 12:15 p.m. (EST) Saturday, when Kaspersky took the new site offline and swapped in the old version.
Kaspersky has hired Next Generation Security Software Ltd.'s David Litchfield, one of the world's experts on SQL injection attacks and database security, to do an independent audit of the company's systems. Schouwenberg said Kaspersky would make public the results of Litchfield's report, which is expected shortly.
"Something went wrong with our internal code-reviewing process," said Schouwenberg. "Obviously, we are not happy about that." Kaspersky is evaluating that process, he added, and the company "will be making it stricter than it was. We need to do a much better job to prevent this from happening again."
SQL injection attacks have become a major problem for Web sites, which at times have been compromised by such exploits in huge numbers. Last year, for example, more than half a million pages were hacked by a widespread campaign that compromised, among others, sites belonging to the United Nations.
Other high-profile sites that have been victimized by SQL injection attack include Microsoft's U.K.-based site.