The Kaspersky hack, discovered over the weekend, exposed 2500 email addresses to potential attack, along with 25000 activation codes for the company's home user product.
Roel Schouwenberg, Sr. Anti-virus Researcher, Kaspersky Lab, Americas, explained that the SQL injection attack occurred following the use of some code on a support website that did not go through its internal code review process. The code was written by an external contractor whose identity the company would not reveal, using code libraries written by Kaspersky staff. "This part of the code did not receive the usual scrutiny," he said.
Kaspersky changed its story slightly from this weekend, when it had said that the breach existed for only half an hour. In a conference call yesterday, Schouwenberg said that the new support site was vulnerable from its launch on 29 January through to the discovery of the vulnerability on 7 February. However, he added that although the emails and IDs were exposed, the company was confident that the breach had not resulted in any actual data loss. "We did an internal forensic analysis which showed that no data was leaked. We've hired David Litchfield to conduct an independent forensic analysis on the machine," he added.
Schouwenberg admitted that the breach was damaging to the company's reputation. "This is not good for any company, and especially a company dealing with security. This should not have happened. We are now doing everything in our power to do the forensics on this case and to prevent it from ever happening again," he concluded.
In the meantime, the hacking forum that posted information about the Kaspersky vulnerability appears to be on a roll. Yesterday it posted details of what it said was a similar SQL injection attack against BitDefender.pt, which the hackers originally took to be the Portuguese site for BitDefender. In fact, the site is owned by Uptrend, a reseller partner for the company. The hackers claim to have access to thousands of customer records for that site, which will raise further questions about the role of security software vendors in conducting due diligence on their own sites and those of their channel partners.
Uptrend's site (translated) appeared to have no information about the breach as of 5am Lisbon time this morning.
Unlike Kaspersky, which was fielding emails over the weekend, BitDefender did not respond to requests for comment yesterday.