SQL injection used in the largest data security breach in U.S. history to date

Three men, responsible for the largest data security breach in U.S. history, stole 130 million credit and debit card numbers from five leading companies.  They took advantage of a coding error, and allegedly used a SQL injection attack to compromise a web application, which was then used as the starting point to bypass the company network firewalls and gain access to the companies' networks.

One of the main problems large enterprises face is that although SQL injection errors are relatively easy to find, they are difficult and costly to fix.  Developers need proper security skills, and need to keep security in mind when developing custom web applications.  Although automated web vulnerability scanners such as Acunetix WVS must always be accompanied by manual penetration testing, they save developers time in securing their web applications and sharpen their security skills, so that web applications are secure before they are pushed into a production environment.
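The "coding error" behind a SQL injection is almost always user input spliced into a query string. The following added example (not code from the article or from Acunetix) shows the vulnerable pattern beside its parameterized fix on a constructed in-memory SQLite table, and shows why such bugs are easy to find: a single quote in the input either throws a database error or changes the query's logic, which is exactly what a scanner or manual tester looks for. The table, rows and function names are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the example (not from the article); only the
# last four digits are stored so no usable card number exists even in the demo.
CARDHOLDERS = [
    ("alice", "1111"),
    ("bob", "0004"),
]


def make_db():
    """Create an in-memory SQLite database with a small cardholders table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cardholders (username TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO cardholders VALUES (?, ?)", CARDHOLDERS)
    return conn


def lookup_vulnerable(conn, username):
    """The coding error: input is concatenated into the SQL text, so a quote
    in the input ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT username, card_last4 FROM cardholders "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The fix: a parameterized query. The driver passes the value separately
    from the SQL text, so the input can never change the query structure."""
    sql = "SELECT username, card_last4 FROM cardholders WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def raises_db_error(conn, lookup, value):
    """Detection heuristic used by testers and scanners: does an input with a
    stray quote make the query fail? A parameterized query never does."""
    try:
        lookup(conn, value)
        return False
    except sqlite3.Error:
        return True


def demo():
    """Run both lookups against a benign name, a name containing an apostrophe,
    and a tautology, and return the observations for inspection."""
    conn = make_db()
    return {
        "vuln_benign": lookup_vulnerable(conn, "alice"),
        # 'x' OR '1'='1' is true for every row: the structure of the query changed.
        "vuln_tautology": lookup_vulnerable(conn, "x' OR '1'='1"),
        # A legitimate name breaks the vulnerable query, which is how the bug is found.
        "vuln_error_on_quote": raises_db_error(conn, lookup_vulnerable, "O'Brien"),
        "safe_benign": lookup_safe(conn, "alice"),
        # The same tautology is just a username that does not exist.
        "safe_tautology": lookup_safe(conn, "x' OR '1'='1"),
        "safe_error_on_quote": raises_db_error(conn, lookup_safe, "O'Brien"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `raises_db_error` probe is the cheap check worth automating in a test suite: any endpoint that errors out on an apostrophe in an ordinary name is a candidate for the concatenation pattern, and the fix is always the same, move the value into a bound parameter.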

Unfortunately, while hackers used to hack websites to measure their abilities and for the thrill hacking brings, nowadays websites and web applications are a money-making target.  This is because most of these web applications form part of an organization's perimeter network, and once compromised, they are used as a base to launch further attacks to gain access to the organization's entire network.

  • well, tbh…that's what those companies get for not securing their code. Also, it is rhetorically idiotic to store customers' credit card information. Isn't this against privacy laws in certain countries? Oh well, I assume that the fearmongering that us hackers are "evil". Good job at smearing our title whitehats…good job.

  • Most coders are so sloppy in their personal work ethic anymore, it’s all a really bad joke. I don’t care if the bloke is a Linux, Windows, or mainframe Cobol programmer … the entire lot of them are getting pathetic. Half the time they’re using canned code and routine libraries bought from somewhere else that they have no idea how it works. These new Playstation/XBox/Wii era programmers can’t even pseudo-code or flow chart anymore. I tell you, OS and application development has gone down the ol’ poop tube if you asked me the last few years from the lazy lot who call themselves programmers. Securing code? Checking for buffer overflows? Security and error checking is the last thing on their minds. They’re happy if it just compiles and then they go “job done” …

    • Agreed. That is why it is very important to use tools to train and educate developers, especially in the security field.

  • Wow, the comments must come from some really p*ssed off people. Have been burnt before perhaps?

    I think where there is a will, there is a way. You can never be 100% foolproof, but sites and tools like this one are pretty useful in getting there…

  • I can understand them being able to bypass security and steal the info (we all know that data protection is one of the stiffest challenges facing any corporation), but why was the data they stole unencrypted? They should have stolen a big pile of inaccessible data, not millions of usable credit card numbers.
