Hack on e-commerce co. exposes records for 200,000
'Highly unusual search command'
E-commerce company Digital River exposed data belonging to almost 200,000 individuals after hackers executed a “highly unusual search command” against its secured servers, according to a news report.
The breach came to light only after a 19-year-old New York man allegedly tried to sell the purloined data for as much as $500,000, The Minneapolis Star-Tribune reported Friday. After Eric Porat made repeated attempts to persuade a company called Media Breakaway to buy the information, company officials alerted their counterparts at Digital River, the paper reported, citing court documents. A federal grand jury is investigating the matter with help from the FBI.
The data contained names, email addresses, websites, and unique user-identification numbers for 198,398 individuals. It was originally gathered by affiliated marketing companies using software offered by Digital Rivers subsidiary Direct Response Technologies and stored on password-protected servers.
It was stolen in late January using a “highly unusual” search command. The report didn't elaborate.
Porat, who lives at home with his parents, allegedly claimed to offer the data to the highest bidder. He told the CEO of Media Breakaway he obtained it from a former Digital River consultant, who managed to siphon it off the servers when security systems were taken down temporarily.
Orders filed under seal last month block Porat from selling, destroying, altering, or distributing the data. Documents in the case were unsealed on Wednesday, but court documents weren't available online at time of writing. ®
But of course
Bobby Tables strikes again.
Stored queries only
If you need to run any reasonably secure system you should only allow pre-stored queries to be run, with the parameters fully checked.
On things like banking systems even the programmers aren't allowed to generate queries - they can only call stored procedures, written by a different group and *thoroughly* checked.
If you allow the user to generate a query you are handing them the keys and hoping they won't use them.
Or like % :D
A percentage sign in the right field, perhaps? I suppose blaming the problem on 'OMG haxx0rz!' rather than third-world rent-a-coders doing stuff on the cheap makes more sense from a damage limitation perspective.