Welcome to your weekly hack update, in which a major company admits its perimeter was breached and someone made off with piles of sensitive data. In this installment: Nokia, the Finland-headquartered mobile device manufacturer, and its online development community.
Yep, that community was reportedly infiltrated by ne’er-do-wells who may have subsequently pilfered members’ personal information, including birth dates and email addresses. According to the Wall Street Journal, Nokia opted to shutter its online developer community until “further investigations and security assessments were complete.”
“During our ongoing investigation of the incident we have discovered that a database table containing developer forum members’ email addresses has been accessed, by exploiting a vulnerability in the bulletin board software that allowed an SQL Injection attack,” said Nokia in a message on the developer site. “Initially we believed that only a small number of these forum member records had been accessed, but further investigation has identified that the number is significantly larger.”
The attack originally occurred last Monday, August 22, and while Nokia acknowledged it at the time, the company then mistakenly believed it was just a bit of “redirection” tomfoolery: the site was defaced and redirected to another with the message “LOL, Worlds number 1 mobile company but not spending a dime for a server security! FFS patch your security holes otherwise you will be just another antisec victim. No Dumping, No Leaking!!”
Except that last bit may have been a head-fake. According to Nokia today, “The database table records [exposed] includes members’ email addresses and, for fewer than 7% who chose to include them in their public profile, either birth dates, homepage URL or usernames for AIM, ICQ, MSN, Skype or Yahoo.”
The good news: Those database records didn’t contain passwords or credit card info.
Another week, another company brought low by groups toppling corporate security measures on a lark. Maybe it’s time for a song: I hack you, you hack me, we’re a hack-y… or okay, maybe not.