Update: Kaspersky website was hacked - reports

A hacker gained access to security firm Kaspersky's US website and hundreds of customer details after exploiting a SQL flaw on the site, according to reports.

Details of the attack were posted on the Hackersblog forum. The hacker, known as Unu, also gained access to personal information of hundreds of Kaspersky customers, including user accounts and activation codes.

Kaspersky told The Register: "On Saturday, February 7, 2009, a vulnerability was detected on a subsection of the usa.kaspersky.com domain when a hacker attempted an attack on the site".

"The site was only vulnerable for a very brief period, and upon detection of the vulnerability we immediately took action to roll back the subsection of the site and the vulnerability was eliminated within 30 minutes of detection. The vulnerability wasn't critical and no data was compromised from the site."

A spokesperson for the UK firm said the attack "has not affected the UK in any way".

"The US website infrastructure is hosted and operated independently, therefore the breach was confined to the US only."

"It is important to stress that the attack did not have a malicious end and no data was exposed due to the vulnerability."

Unu told the news website that he had warned Kaspersky about the flaw but never received a response.

Another hacker from the forum said: "This vulnerability could have been critical if it were to be exploited by someone bad intended because several sensitive informations could have been extracted, like usernames, emails, passwords, codes, mysql users & passwords, etc".