Dan Goodin reports:
A security lapse at Kaspersky has exposed a wealth of proprietary information about the anti-virus provider’s products and customers, according to a blogger, who posted screen shots and other details that appeared to substantiate the claims.
In a posting made Saturday, the hacker claimed a simple SQL injection gave access to a database containing “users, activation codes, lists of bugs, admins, shop, etc.” Kaspersky has declined to comment, but two security experts who reviewed the evidence said the claims appeared convincing.
Read more on The Register
Goodin follows up with:
Some 24 hours after a hacker claimed to hack a Kaspersky website and access a database containing proprietary customer information, the security provider issued a terse statement confirming it had experienced a security issue.
On Saturday, February 7, 2009, a vulnerability was detected on a subsection of the usa.kaspersky.com domain when a hacker attempted an attack on the site,” read the statement, which was released Sunday afternoon.
“The site was only vulnerable for a very brief period, and upon detection of the vulnerability we immediately took action to roll back the subsection of the site and the vulnerability was eliminated within 30 minutes of detection. The vulnerability wasn’t critical and no data was compromised from the site.”
That tells part of the story, but here’s the part Kaspersky leaves out. According to an admin named Tocsixu at the site that exposed the breach, the hacker who originally discovered the vulnerability did so days earlier and only went public after getting no response from more discreet communiques with Kaspersky employees.