Telegraph.co.uk hacked, SQL injection (updated)
The HackersBlog crew, who had previously exposed vulnerabilities in a number of security vendor sites and a social networking site, now report that they were able to exploit an SQL injection vulnerability to access The Telegraph’s databases, including one that has 700,000 email addresses and passwords of those receiving the paper’s newsletter. Given how many people continue to use the same password for multiple purposes, Telegraph readers who signed up might want to use this as a wake-up call to change their passwords on other accounts. The blog points to a Trend Micro blog entry by Rik Ferguson for advice on passwords.
So far, I do not see any acknowledgement or mention of the hack on The Telegraph’s site.
Update 3-09-09: John Leyden of The Register reports:
In a statement, Paul Cheesbrough, chief information officer for Telegraph Media Group, said the attack affected a partner site and not the main Telegraph website.
“The hack interrogated database tables behind one of our partner sites – search.property.telegraph.co.uk – and exposed a weakness in the way that particular site had been coded,” Cheesbrough said.
“The problem being highlighted does not affect the main telegraph.co.uk site, as some of our competitors are reporting, but the Telegraph Media Group does take anything that potentially compromises the security of our site and the data that we hold extremely seriously. We immediately took the impacted site down on Friday, and the two-year-old third party code is being re-written to eliminate the issues that hackersblog.org brought to our attention.”