Security company Barracuda Networks was itself hit by a security breach over the weekend that exposed certain information from its databases.
An unknown hacker, who apparently took credit for the break-in, launched an attack that exposed a list of Barracuda databases along with the names, phone numbers, and e-mail address of various Barracuda partners.
The attack also uncovered the e-mail addresses of different Barracuda employees along with their passwords. Though the passwords were encrypted, they were done so using a hashing algorithm called MD5, which is considered by many to be a flawed and outdated encryption method.
The attacker grabbed the information using an SQL injection script, which can exploit security holes in a database to retrieve or modify data.
In a blog posted yesterday, Barracuda Executive Vice President Michael Perone acknowledged the breach of the corporate Web site data. Perone confirmed that only names and e-mail addresses were captured and that no financial information was stored in the databases that were hacked.
Even though no vital or secure data was stolen, the incident is still an embarrassment for Barracuda, which is in the business of providing security to its corporate customers. And in allowing such a cyberattack, the company admitted that it made a mistake.
Pointing to a series of events that led to the breach, Perone explained that Barracuda's firewall was accidentally put into a passive monitoring mode and had essentially been offline during maintenance since Friday night. That gave the attacker an open door to sniff around the site in search of security holes. The attacker eventually found one in the form of an SQL injection weakness in a PHP database script, which allowed the data to be exposed.
The incident reminded Barracuda of a few key points, explained Perone: 1) You can't leave a Web site exposed for even a day or less; 2) Vulnerabilities in code can happen far away from the data you're trying to protect; and 3) Companies can't be complacent about coding practices or other operations, even with a firewall in place.
Perone added that Barracuda has been notifying people whose e-mail addresses were exposed and that the company apologizes for the incident.