
February 10, 2009 |

Security firm’s Web site hacked

By John Lister

Security firm Kaspersky has confirmed a customer database was exposed for up to 10 days and its Web site was eventually hacked. But it insists no personal information was exposed and denies ignoring warnings from the hackers.

The firm is now hiring the highly-regarded security expert David Litchfield to examine the breach in detail and recommend ways to prevent similar attacks. Kaspersky’s Roel Schouwenberg said, “This should not have happened. We are now doing everything within our power to do the forensics and prevent this from ever happening again.”

The problem was down to a new section of code, developed by an outside party, which was inserted into the support section of Kaspersky’s US Web site. The code left the relevant database open to an SQL injection attack, in which hackers are able to carry out queries that aren’t meant to be publicly available.
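To make the mechanism in the paragraph above concrete, here is an added example (not code from the article or from Kaspersky’s site) showing the two ways a support-page lookup might be written. It assumes a hypothetical SQLite table of customer e-mails and activation codes with constructed sample rows; the vulnerable version splices the user’s input into the SQL text, so the database engine parses the input as part of the query, while the parameterized version binds it as data.

```python
import sqlite3

# Constructed sample rows standing in for a support-section customer table
SAMPLE_ROWS = [
    ("alice@example.com", "ACT-0001"),
    ("bob@example.com", "ACT-0002"),
]


def make_db():
    """Build an in-memory SQLite database with the hypothetical customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, activation_code TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Hypothetical vulnerable pattern: user input concatenated into the SQL string.

    Whatever the caller supplies becomes part of the query text, so quote
    characters in the input change the query's meaning.
    """
    sql = "SELECT email, activation_code FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Hardened form: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT email, activation_code FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run the same input through both lookups and report how many rows each returns."""
    conn = make_db()
    crafted = "' OR '1'='1"  # constructed input that closes the quote in the vulnerable query
    return {
        "vulnerable": len(lookup_vulnerable(conn, crafted)),
        "parameterized": len(lookup_parameterized(conn, crafted)),
        "legit": len(lookup_parameterized(conn, "alice@example.com")),
    }


if __name__ == "__main__":
    print(demo())  # {'vulnerable': 2, 'parameterized': 0, 'legit': 1}
```

The vulnerable lookup hands back every row for an input that is not a real e-mail address, because the concatenated text becomes `WHERE email = '' OR '1'='1'`; the parameterized lookup treats the same string as a literal e-mail value and matches nothing. Parameterized queries (or an ORM that generates them) are the standard fix, and code supplied by an outside party should be reviewed for string-built SQL before it goes live.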

The new code went live on Jan. 28. A hacker calling himself Unu e-mailed the firm last Friday about the vulnerability and then hacked the site an hour later. Kaspersky apparently didn’t see the e-mail at the time, but discovered the hack on Saturday and reverted to the old code 15 minutes later.

The hacker only managed to get access to the structure of the database; a more skilled attacker may have been able to get to the data itself. That would have exposed 2,500 customer e-mails and around 25,000 activation codes for Kaspersky’s security products.

It appears the offender is from Romania. Kaspersky isn’t pursuing legal action as it believes authorities in that country won’t provide enough support to make the effort worthwhile.

The same hacker is now claiming to have broken into a database belonging to a Portuguese seller for another security firm, BitDefender. He appears to have been more successful in this attack and has published what appear to be personal details of customers.


One Response to “Security firm’s Web site hacked”

1. SQL Injection Attacks:

   One of the solutions that can work for you is a software called dotDefender – it’s a web application firewall that will protect your web application from getting hacked not only from SQL Injection but from Cross Site Scripting, Path Traversal, Bad User-Agent, Asprox (the Chinese bot) and many more unknown attacks.
   dotDefender got awards from a few major institutes such as: TechWorld.com Awards in 2008, SANS Top 20 list and Frost & Sullivan.
   You can download a free 30 day trial and check how the number of attacks on your website drops significantly.
