F-Secure becomes third security vendor hit by hackers

F-Secure is the latest security company to have fallen victim to a SQL injection attack from hackers, after Kaspersky and BitDefender websites were successfully broken into.

Hackers, believed to be Romanian, posted on Hackersblog.org that they had successfully performed a SQL injection and a cross-site scripting (XSS) attack on F-Secure.com. Fortunately, this time F-Secure didn't leak sensitive data, just statistics regarding past virus activity.

F-Secure revealed on its blog that the hit occurred early Thursday morning. One of its malware statistics gathering servers had a page that failed to sanitise input, which made it vulnerable to attack. However, F-Secure used a defence-in-depth strategy so the attack was only "partially successful."

It said: "Although the attackers were able to read information from the database they couldn't write or manipulate it. They couldn't access any other data on the server because the SQL user only had access to its own database, which only contains public information that is shown on our statistics pages.

"So while the attack is something we must learn from and points we need to improve, it's not the end of the world," the blog added.
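The two layers described above, input handling on the page and a database account that can only read its own data, shown as an added example (not F-Secure's code). SQLite, the `stats` table, its rows and all function names are assumptions made for illustration.

```python
import os
import sqlite3
import tempfile

def build_stats_db(path):
    """Create a constructed sample database holding only public statistics."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE stats (family TEXT, year INTEGER, detections INTEGER)")
    con.executemany("INSERT INTO stats VALUES (?, ?, ?)",
                    [("family-a", 2009, 900), ("family-b", 2008, 400), ("family-c", 2008, 250)])
    con.commit()
    con.close()

def open_read_only(path):
    # Second layer: stands in for a SQL user limited to reading its own database.
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def lookup_unsafe(con, family):
    # First layer missing: the input becomes part of the SQL text and is parsed as SQL.
    return con.execute(
        f"SELECT family, detections FROM stats WHERE family = '{family}'").fetchall()

def lookup_safe(con, family):
    # First layer present: the input is bound as a value and is never parsed as SQL.
    return con.execute(
        "SELECT family, detections FROM stats WHERE family = ?", (family,)).fetchall()

def write_is_blocked(con):
    # Any write through the read-only handle must fail, whatever the query layer did.
    try:
        con.execute("DELETE FROM stats")
        return False
    except sqlite3.OperationalError:
        return True

def demo():
    path = os.path.join(tempfile.mkdtemp(), "stats.db")
    build_stats_db(path)
    con = open_read_only(path)
    crafted = "x' OR '1'='1"  # constructed input that changes the WHERE clause
    result = {
        "unsafe_rows": len(lookup_unsafe(con, crafted)),  # whole table is returned
        "safe_rows": len(lookup_safe(con, crafted)),      # treated as a literal name
        "normal_rows": len(lookup_safe(con, "family-b")),
        "write_blocked": write_is_blocked(con),
    }
    con.close()
    return result

if __name__ == "__main__":
    print(demo())
```

The unsafe lookup still exposes every row, which matches the "partially successful" outcome: the second layer limits the damage to data the account could already read, but it does not replace fixing the query.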

The F-Secure website is the third website from a security vendor to be hit by the hackers in a week. The hack of the US Kaspersky website was much more serious because it led to sensitive data, such as customers' personal details, being accessed.

BitDefender's website in Portugal (owned by a partner) was also hacked. However, customer data wasn't taken in any of the cases, and the attacks seem to be simply a case of hackers trying to demonstrate website vulnerability, rather than to steal information.