Data theft at network security firm
US security firm Barracuda Networks reports that, last Saturday (9 April), criminals hacked into its company website and stole customer and staff data. To prove that they were successful, the intruders have made available parts of the stolen database. Barracuda specialises in server and web application security and claims to be the "worldwide leader in email and web security appliances".
The intruders exploited an SQL injection hole in a PHP script for displaying customer references. The stolen data includes names and email addresses, as well as password hashes, although Barracuda said that the hashes are salted and can therefore only be cracked with considerable effort.
The company says that its website is protected by its own-brand Web Application Firewall, but that this firewall went down for maintenance the evening before the attack. The attackers reportedly used a script that sent requests to the server for two hours before it eventually discovered the vulnerable code. Security firms appear to have become a particularly attractive target: HBGary, RSA and Comodo were recently also broken into.