A Romanian hacker broke into a custom-built, U.S.-based Kaspersky Lab support website on Saturday, exposing a server containing thousands of customer email addresses and up to 25,000 activation codes.
Kaspersky's Roel Schouwenberg, a senior research engineer, said the company was conducting a full investigation into the matter. Initial analysis showed that the hacker accessed no data files, he said. The Russian-based antivirus company hired high-profile database security expert David Litchfield to conduct an independent audit of its systems.
"This is not good for any company, especially a company that deals with security," Schouwenberg said. "This should not have happened and now we're doing everything in our power to do forensics in this case and prevent it from ever happening again."
Kaspersky's support website is the central portal for home and business users to access technical support documents and a help forum. Schouwenberg said it was custom built and went live in the U.S. on Jan. 29. The website contained a coding error, which was attacked by the Romanian hacker, known as Unu, via SQL injection.
"Something obviously went wrong with our internal code reviewing process," Schouwenberg said.
Once the flaw was successfully exploited, the hacker could have gained access to a server that contained about 2,500 email addresses and thousands of activation codes, Schouwenberg said. The server contained no credit card numbers or sensitive customer account data, he said.
Details of the attack were posted on the Hackersblog.org forum, where the hacker claimed to have gained access to the customer data and user accounts. The hacker said he notified Kaspersky in advance of his attack, but received no response. The hacker also claimed to have exploited a similar vulnerability in BitDefender's Portuguese website.
Schouwenberg said the company received an email an hour before the attack, giving researchers little time to respond to the vulnerability. The site was taken down about 30 minutes after details of the attack leaked. It was repaired and back online early Sunday morning.