AV firm BitDefender Hacked; Did Not Encrypt Customer Passwords



I saw it first at The Hacker News. Mohit Kumar, Founder and Editor-in-Chief, had the scoop and his analysis hit the nail on the head: "The Data breach in BitDefender is incredibly embarrassing for the security firm, not because the company failed to prevent its customers data from hackers, but because the Security company failed to encrypt its customers' most sensitive data."

You would really expect infosec people like BitDefender to apply common security principles to their own website and not get caught with their pants down by a SQL injection attack that then exposes customer passwords stored in the clear. Strictly speaking, passwords should never be merely encrypted, either: a reversible encryption key that the web application can read is a key the attacker can read too. Passwords belong in the database only as salted, deliberately slow one-way hashes, so that a dumped table still has to be cracked guess by guess. And the injection itself is just as avoidable: a query that binds user input as a parameter instead of pasting it into the SQL string cannot be broken out of with a stray quote. OUCH.
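To make the two failures concrete, here is an added example (written for this post, not BitDefender's code, using constructed sample accounts and a hypothetical users table). It puts the string-built query beside a parameterised one, stores each password both in the clear and as a salted PBKDF2 hash, and shows what an attacker gets from a classic tautology injection in each case:

```python
from __future__ import annotations

import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed sample accounts for this demonstration (not real customer data).
SAMPLE_USERS = [
    ("alice", "correct horse battery staple"),
    ("bob", "hunter2"),
]

# PBKDF2 iteration count: deliberately slow so offline guessing is expensive.
# Tune upward until one hash costs roughly 100 ms on your hardware.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Return (salt, digest) for a salted, iterated PBKDF2-HMAC-SHA256 hash.
    A fresh 16-byte random salt per user means identical passwords produce
    different stored values, so one precomputed table cannot crack them all."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def build_db() -> sqlite3.Connection:
    """Hypothetical in-memory users table holding BOTH a plaintext column (the
    mistake the post describes) and a salted hash, so the two can be compared.
    A real schema would have only the salt and hash columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_plain TEXT, salt BLOB, pw_hash BLOB)"
    )
    for name, pw in SAMPLE_USERS:
        salt, digest = hash_password(pw)
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (name, pw, salt, digest))
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """Query built by string concatenation: a quote in the username closes the
    literal and the rest of the input is executed as SQL."""
    sql = (
        "SELECT username, password_plain, salt, pw_hash FROM users "
        "WHERE username = '" + username + "'"
    )
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """Parameterised query: the driver binds the value separately, so quotes
    inside it are data, never syntax."""
    sql = "SELECT username, password_plain, salt, pw_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def offline_guess(salt: bytes, pw_hash: bytes, guesses: list[str]) -> Optional[str]:
    """What an attacker holding a dumped (salt, hash) pair must do: try
    candidates one at a time, paying PBKDF2_ROUNDS per candidate.
    Weak passwords still fall this way; strong ones do not."""
    for candidate in guesses:
        if verify_password(candidate, salt, pw_hash):
            return candidate
    return None


# Classic tautology payload: closes the quoted literal and appends OR '1'='1'
INJECTION_PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable query, injected username returns every row:")
    for user, plain, salt, digest in vulnerable_lookup(conn, INJECTION_PAYLOAD):
        print(f"  {user}: plaintext={plain!r}  hash={digest.hex()[:16]}...")
    print("parameterised query, same input:", safe_lookup(conn, INJECTION_PAYLOAD))
    print("parameterised query, real user:", [r[0] for r in safe_lookup(conn, "alice")])
```

Run it and the string-built query hands back every row for the injected username, plaintext column included; the parameterised query returns nothing for the same input. The hash column is what survives a dump: bob's "hunter2" still falls to a short wordlist, which is why slow hashing protects users only as far as their password strength allows.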

The thing is, in the AV industry BitDefender is known as one of the best AV engines out there, if not the best, and it consistently scores very high in Virus Bulletin's industry tests. The Romanian security company admitted its system was breached and said that the attack didn't penetrate the server, but that a security hole "potentially enabled exposure of a few user accounts and passwords". "The issue was immediately resolved, and additional security measures have been put in place to prevent its reoccurrence," the company's spokesperson said in a statement. "Our investigation revealed no other server or services were impacted."

BitDefender's Marius Buterchi confirmed the hacked accounts and said the company was "aware of the issue and have reset the passwords for the customers whose credentials have been made public." He added that "they are actively investigating how these passwords were made public."

Hacker Demands Ransom Money

The hackers made off with what the company called a "very limited" number of customer credentials, and are reportedly threatening to release the leaked data publicly unless BitDefender pays a ransom of $15,000. Over the weekend, the hacker posted online a list of usernames and passwords for more than 250 BitDefender accounts. You can read the story blow by blow at HackerFilm.

Again, the three weak links are people, policy and procedure, not technology!

Topics: IT Security
