According to a posting on hackersblog.com, the Romanian attacker who launched SQL injection attacks on Kaspersky and BitDefender has now successfully penetrated the Web defenses of F-Secure, as well.
"[The F-Secure site is] vulnerable to SQL injection plus cross site scripting," the posting says. "Fortunately, F-Secure doesn't leak sensitive data, just some statistics regarding past virus activity."
An F-Secure spokesman told news reporters the breach occurred on a low-level server that doesn't contain sensitive data, only marketing statistics. "It is slightly embarrassing as a security company that we have had the breach," said F-Secure's David Frazer, in a news report. "We certainly, as a security company, want to ensure that all of our servers are patched to the levels that they should be."
On Monday Kaspersky conceded that a Romanian hacker had launched a SQL injection attack on its newly implemented U.S. customer support site, exposing a potentially data-threatening vulnerability in its Website. The attacker did not publish any sensitive data, even though he could have gained access to it, Kaspersky said.
The hacker, known as "unu," launched a similar SQL injection attack on the Website of security vendor BitDefender in Portugal, ostensibly as part of an ongoing effort to expose the vulnerabilities in the vendors' systems. "It seems Kaspersky aren't the only ones who need to secure their database. Bitdefender has the same problems," unu said in an online message. BitDefender confirmed that the breach had occurred.
An anonymous reader on the hacker's blog site wondered which vendor the attacker will hit next. Chances are, many security vendors are wondering the same.