It seems someone was able to hack Kaspersky’s database via their website using a “simple SQL injection”. As far as I know, the database was not their virus/spyware signature database, but rather their corporate database (which is connected to their website) that contains information on their products, customers, bugs, activation codes, etc.
According to the hacker, known as ‘unu’, all you have to do is “alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc.”. The hacker provided the following screenshots:
“Version, user and name of the database”
“User host & password for mysql.user”
“Columns name, and the name of userstable table”
In addition, unu also provided a full list of tables he was able to access at HackersBlog. It is worth noting that unu has pledged he will not make public any “personal details or activation code” that he was able to obtain from the databases.
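The flaw unu describes, a request parameter that is pasted straight into the SQL text so that changing it changes the query, is the textbook SQL injection pattern. The following is an added illustration, not code from Kaspersky’s site or from the original post; it uses a constructed in-memory SQLite table with an assumed `products` schema and shows the vulnerable string-concatenation lookup beside a hardened version that validates the parameter’s type and binds it as data. The `parameter_reaches_parser` helper is the check a reviewer would use to confirm that user input is being interpreted as SQL rather than as a value.

```python
import sqlite3

# Constructed sample schema for illustration only; it is an assumption and
# has nothing to do with the real database discussed in the article.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Antivirus Home", 1), (2, "Internal build tracker", 0)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, product_id):
    # The flaw: the request parameter becomes part of the SQL text, so the
    # database parser, not the application, decides what the input means.
    sql = (
        "SELECT id, name FROM products WHERE public = 1 AND id = '"
        + product_id
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, product_id):
    # Validate the type the parameter is supposed to have (a numeric id),
    # then pass it as a bound value so it can never alter the query shape.
    if not product_id.isdigit():
        raise ValueError("product id must be numeric")
    return conn.execute(
        "SELECT id, name FROM products WHERE public = 1 AND id = ?",
        (int(product_id),),
    ).fetchall()


def parameter_reaches_parser(conn, value):
    # Defensive check: if a stray quote in the parameter produces a SQL
    # syntax error, the value is being parsed as SQL and the code path is
    # injectable. A safe lookup never errors on the content of the value.
    try:
        lookup_vulnerable(conn, value)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    print("normal lookup:", lookup_vulnerable(conn, "1"))
    print("quote reaches parser:", parameter_reaches_parser(conn, "1'"))
    print("hardened lookup:", lookup_hardened(conn, "1"))
    try:
        lookup_hardened(conn, "1'")
    except ValueError as exc:
        print("hardened rejects:", exc)
```

Running it shows the two code paths diverging on the same input: the concatenated query fails with a syntax error as soon as the parameter contains a quote, which is exactly the symptom that tells an attacker (and a tester) the parameter reaches the SQL parser, while the hardened lookup rejects the malformed id before any SQL is built and, for a well-formed id, returns only rows the query was written to expose.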
According to The Register, Thomas Ptacek, a researcher at security provider Matasano, claimed the hack “looks very real” while Roger Thompson, chief research officer at competing anti-virus provider AVG, wrote “Can’t tell for certain, but it looks legit.”
The disturbing thing is that The Register goes on to say that if this proves to be true (note that Kaspersky has yet to comment on the matter), “it wouldn’t be the first time a Kaspersky site has been hit by a SQL injection attack”, citing the Malaysian Kaspersky website that was hacked last year and referencing 36 other times Kaspersky has been hacked before.
Even though this security vulnerability does not seem to affect their antivirus capabilities, I must say I am glad I switched to Avira. However, I still have a Kaspersky subscription that I use on my other computers, and I find it scary that a hacker was able to gain access to my information! For a security firm this is epic fail. Seems Obama has caused Putin to let his guard down.