Officials at anti-virus vendor Kaspersky Lab are adamant that no data was stolen during a hack of its U.S. support site over the weekend.
According to Kaspersky Lab, on Feb. 6, a hacker exploited a flaw on the Web site to launch a SQL injection attack. After Kaspersky officials received word of the breach Feb. 7, they took down the vulnerable site and replaced it.
The security company maintained in a press conference Feb. 9 that no data had been leaked. However, the anonymous hacker behind the attack publicized table names purportedly taken from a Kaspersky database the hacker accessed.
“This time I will not (for reasons that need no explanation) publish any screenshot … containing personal details or activation code,” the hacker wrote on a blog. “I will only make public the names of the tables. Though the list is long, the table(s) are very interesting.”
According to the company, the problem was due to the site not properly validating user input. Roel Schouwenberg, senior anti-virus researcher at Kaspersky, confirmed that the names of the tables are accurate. However, having the names of the tables does not mean the hacker actually accessed them, he noted in an interview with eWEEK.
Schouwenberg added that no credit card data was stored on the server targeted by the hacker, though there were product activation codes and 2,500 e-mail addresses for people who signed up for a product trial.
“This shouldn’t have happened,” Schouwenberg said during a separate conference call with the press, adding he was worried about the impact the hack would have on Kaspersky’s reputation.
The vulnerable code the hacker took advantage of to launch the attack was developed externally and did not go through Kaspersky’s normal code review process, Schouwenberg said.
To reassure customers that no data was actually exposed, the company has hired well-known database security expert David Litchfield of NGSSoftware (Next Generation Security Software) to perform an independent investigation of the incident.