An enterprising hacker has broken into the US website of security company Kaspersky Lab, accessing a database containing a range of confidential customer and company information.
The anonymous individual has made public table names from the Kaspersky US sales database, which mention ‘codes’, ‘users’, ‘activation codes’, and ‘trials downloaded’ among a long list of obviously confidential fields. It is not clear from the posting to what extent private user information could have been compromised.
The hacker also appears at the same time to have carried out the latest in a long line of website defacement attacks on Kaspersky USA, in which he or she uses the identifier ‘m0sted’.
Because this is a database attack, the assumption is that, as the hacker claims, this involved an SQL injection attack of the sort that has become a favoured way of undermining commercial websites in the past year. The screenshots posted from the internal areas of the site back up that claim.
"This time I will not (for reasons that need no explanation) publish any screenshot containing personal details or activation codes," says the hacker, to demonstrate that this attack was at least a ‘technical’ rather than a criminal attack. Had the attacker been a professional, it is unlikely the world would have got to hear about it.
"Yes, that sql injection in usa.kaspersky.com is very real. Still, Kaspersky team doesn't need to worry about us spreading their confidential stuff. Our staff will never save or keep any confidential data, we just point our fingers to big websites with security problems."
The incident will go down as an embarrassing moment for Kaspersky, a company that prides itself on its engineering expertise and security nous.
"On Saturday, 7 February 2009, a vulnerability was detected on a subsection of the usa.kaspersky.com domain when a hacker attempted an attack on the site. Upon detection of the vulnerability Kaspersky Lab USA immediately took action to roll back the sub-section of the site to eliminate the risk," said the company in an official statement on Monday.
"We want to assure all UK customers that this was an attack on the US Kaspersky Lab site and has not affected the UK in any way. The US website infrastructure is hosted and operated independently, therefore the breach was confined to the US only. It is important to stress that the attack did not have a malicious end and no data was exposed due to the vulnerability."
In case Kaspersky think they have been singled out for their weakness, the same hacker has posted details of a similar but even more recent attack on the Portuguese website of security software rival, BitDefender. That also appears to have revealed information of customers buying software from the online wing of BitDefender in that country.