Security vendor Barracuda Networks has confirmed that hackers successfully used a relatively simple technique to access an internal database via its website.
The Malaysian hackers used SQL injection, a technique in which database query code is inserted through a web form, against the company’s website, gaining access to employee email addresses and sales contacts.
Barracuda Networks, which sells web and email security products, says the web application firewall it uses to protect its website "was unintentionally placed in passive monitoring mode and was offline through a maintenance window" at the time of the attack.
Earlier this year, Barracuda published a report that found that 74% of organisations have been hacked at least once in the last two years through insecure web applications. It found that while website hacks were the number one concern among the surveyed security professionals, few organisations test their web applications for security vulnerabilities.
"The state of web application security is dismal," the company wrote at the time.
Barracuda Networks is the latest in a string of security companies to have suffered successful attacks. Last month, RSA Security admitted its website had been compromised in "an extremely aggressive cyber attack", while more recently a hacker was able to steal web security certificates from certification authority Comodo.