
SQL Injection: Real Life Attacks and How it Hurts Business

A single malicious request can hurt your business. Vulnerabilities in your code can result in:

  • Significant data theft
  • Loss of your customers' trust
  • Financial losses for you & your users
  • Serious fines from regulatory authorities
  • Getting blacklisted by Google

Brand, traffic, money, customer relationships, the website and even the business itself could all be lost in a moment.

Over the past 20 years, many SQL injection attacks have targeted large and small websites, businesses and social media platforms. Some of these attacks led to serious data breaches. A few notable examples are listed below.

Breaches Enabled by SQL Injection

Over 100 million payment card records stolen. $200 million paid out in compensation

Heartland, a company specializing in payment, POS, and payroll systems, was breached via SQL injection. Heartland suffered irreparable damage, losing a large portion of its customers and paying out over $200 million in compensation. Within months of the incident, its stock price had fallen 77%.

Data theft on 5 million websites

In 2021, it was found that several plugins, features, and software versions of WooCommerce, a popular ecommerce plugin for the WordPress CMS, were vulnerable to SQLi, and several attacks occurred as a result. Unpatched flaws in the plugin exposed data on 5 million websites to theft.

Hackers stole 8.3M records via SQL injection

In 2020, Freepik, one of the largest online graphic resource sites in the world with 18 million monthly unique users, reported that hackers were able to steal emails and password hashes for 8.3M Freepik and Flaticon users in an SQL injection attack against the company's Flaticon website.

36,000 personal records stolen

Hackers targeted 53 universities using SQL injection and stole and published 36,000 personal records belonging to students, faculty, and staff.

130 million credit card numbers stolen

A team of attackers used SQL injection to penetrate corporate systems at several companies, primarily the 7-Eleven retail chain, stealing 130 million credit card numbers.

1,500 clients impacted

Kaseya, an IT solutions provider for MSP and enterprise clients, was the victim of a ransomware attack in 2021. Attackers exploited unpatched SQL vulnerabilities in the company's VSA servers to impact over 1,500 of Kaseya's clients.

Notable SQL Injection Vulnerabilities

3 million WordPress sites exposed by critical SEO plugin flaws

Two critical and high severity security vulnerabilities in the highly popular "All in One" SEO WordPress plugin exposed over 3 million websites to takeover attacks.

SQLi could have exposed 350 million user accounts

Fortnite is an online game with over 350 million users. In 2019, a SQL injection vulnerability was discovered which could let attackers access user accounts. The vulnerability was patched.

Tesla vulnerability

In 2014, security researchers publicized that they were able to breach the website of Tesla using SQL injection, gain administrative privileges and steal user data.

Cisco vulnerability

In 2018, a SQL injection vulnerability was found in Cisco Prime License Manager. The vulnerability allowed attackers to gain shell access to systems on which the license manager was deployed. Cisco has patched the vulnerability.

Vulnerabilities in a plugin used on over 100,000 active sites

In December 2022, the WordPress online course plugin 'LearnPress' was found to be vulnerable to multiple critical-severity flaws, including pre-auth SQL injection and local file inclusion.

Preventing SQL Injection Attacks

We'll cover how to reduce the risk and protect your code from these vulnerabilities in the next article.

Posted to Web Development on April 28, 2023