It all kicked off last night with a posting to a hacker board claiming to have carried out a relatively simple SQL injection attack on one of the world's biggest and best known IT security companies: Kaspersky.

The hacker, currently known only as 'unu', claims that the SQL injection attack on the site has exposed activation codes, user details, bug lists and so on. "Kaspersky is one of the leading companies in the security and antivirus market. It seems as though they are not able to secure their own databases. Seems incredible but unfortunately, it's true. Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc," unu says.

If this proves to be true, and Kaspersky has yet to confirm or deny the claims, it will prove to be hugely embarrassing, as it exploits one of the simplest hacking methodologies going: the old change-a-bit-of-the-URL trick, in which a value from the page's query string is spliced unsanitised into a database query, so that altering that one parameter lets the visitor rewrite the query and read tables the page was never meant to expose. Here at DaniWeb we exposed how an online visa application system fell victim to the same tactic, potentially exposing the personal details, including passport numbers and travel plans, of hundreds of thousands of Indian citizens. Our revelation ultimately led to the UK Foreign Office being found guilty of breaching the Data Protection Act.
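To show what that trick looks like in practice, here is an added illustration that is not from the original article and does not reflect Kaspersky's actual site or code. It uses a constructed in-memory SQLite database with a `products` table and a separate `activation_codes` table (standing in for the kind of data unu claims to have reached), a hypothetical product-lookup handler that splices the `id` query parameter straight into its SQL, and the same handler with the parameter bound instead. The URLs and all table contents are made up.

```python
import sqlite3
from urllib.parse import urlparse, parse_qs

# Constructed sample schema and data; nothing here comes from any real site.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE activation_codes (id INTEGER PRIMARY KEY, code TEXT, owner TEXT);
INSERT INTO products VALUES (1, 'Anti-Virus'), (2, 'Internet Security');
INSERT INTO activation_codes VALUES (1, 'AAAA-1111', 'alice'), (2, 'BBBB-2222', 'bob');
"""


def open_db():
    """Return a fresh in-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def product_id_from_url(url):
    """Pull the 'id' query-string value exactly as a web handler would receive it."""
    return parse_qs(urlparse(url).query).get("id", [""])[0]


def lookup_vulnerable(conn, url):
    """The 'before': the URL parameter becomes part of the SQL text itself.

    A visitor who changes ?id=1 to ?id=1 UNION SELECT ... turns a product
    lookup into a query over any table of matching width.
    """
    pid = product_id_from_url(url)
    sql = "SELECT id, name FROM products WHERE id = " + pid  # injectable
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, url):
    """The fix: the parameter is bound, so its text is never parsed as SQL.

    The same tampered value is compared as a literal string against the
    integer id column and simply matches nothing.
    """
    pid = product_id_from_url(url)
    return conn.execute(
        "SELECT id, name FROM products WHERE id = ?", (pid,)
    ).fetchall()


# Hypothetical URLs: a normal request and the same request with the parameter altered.
BENIGN_URL = "https://shop.example/product.php?id=1"
TAMPERED_URL = (
    "https://shop.example/product.php"
    "?id=1%20UNION%20SELECT%20id,%20code%20FROM%20activation_codes"
)

if __name__ == "__main__":
    db = open_db()
    print("vulnerable, benign:  ", lookup_vulnerable(db, BENIGN_URL))
    print("vulnerable, tampered:", lookup_vulnerable(db, TAMPERED_URL))
    print("bound, benign:       ", lookup_parameterized(db, BENIGN_URL))
    print("bound, tampered:     ", lookup_parameterized(db, TAMPERED_URL))
```

Binding the parameter is the fix that matters; validating that `id` is actually an integer before the query runs is a cheap second line of defence, but on its own it only protects this one parameter, whereas parameterised queries protect every value the handler ever passes to the database.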

So has Kaspersky been hacked? Well, Kaspersky is obviously investigating and will no doubt issue a statement sooner rather than later. I would expect one by first thing Monday morning at the very latest if it wants to keep a lid on this thing. However, the screenshots that have been posted at the hacker blog certainly seem convincing enough and do tend to suggest that it could be for real.

The Register reports that this is not the first time Kaspersky has been on the wrong end of a SQL injection attack. El Reg says Kaspersky's Malaysian site and some subdomains were defaced by a pro-Turkish hacker in July, and there have been a total of some 36 Kaspersky website defacements since the year 2000.

Gunter Ollmann, the chief security strategist at IBM Internet Security Systems, is certainly in no doubt over the seriousness of the claim, warning "...this type of critical flaw can probably be used to usurp legitimate purchases and renewals of their products - which could include the linking to malicious and backdoored versions of their software - thereby infecting those very same customers that were seeking protection from malware in the first place."

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best selling computer magazines in the UK) for most of them. As well as currently contributing to The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three-time winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the 'Enigma Award' for a 'lifetime contribution to information security journalism' in 2011 despite my life being far from over...