SQL injection exposes nearly 20,000 usernames and passwords

Nov 21, 2016 12:41 GMT  ·  By

The Hungarian Human Rights Foundation website was hacked a few minutes ago by Kapustkiy and CyberZeist, who managed to get access to over 20,000 accounts and personal information, including phone numbers and home addresses.

Security pentester Kapustkiy told us that the data breach was possible through a SQL injection, which gave him access to databases holding thousands of accounts, including some registered with US government e-mail addresses (the @state.gov domain).
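The article does not describe the specific flaw in the site, so the following is an added illustration, not code from the site or from Kapustkiy's attack. It shows, against a constructed in-memory SQLite database with made-up users, phone numbers and addresses, how a query built by string formatting lets a single input field bypass a login check or pull rows out of an entirely different table, and how the same queries behave once parameterised. Table and column names are assumptions for the demo only.

```python
import sqlite3

# Constructed sample data: a tiny stand-in for the kind of member database
# the article describes. Every name, password, number and address is made up.
SAMPLE_USERS = [
    ("alice", "hunter2", "alice@example.org"),
    ("bob", "s3cret", "bob@example.org"),
]
SAMPLE_PROFILES = [
    ("alice", "+1-555-0100", "1 Example Street"),
    ("bob", "+1-555-0101", "2 Example Avenue"),
]


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.execute("CREATE TABLE profiles (username TEXT, phone TEXT, address TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO profiles VALUES (?, ?, ?)", SAMPLE_PROFILES)
    return conn


def login_vulnerable(conn, username, password):
    """Query text assembled from user input: the input becomes SQL syntax."""
    sql = (
        "SELECT username, email FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def search_vulnerable(conn, term):
    """The same mistake on a 'find a member' search box."""
    sql = f"SELECT username FROM users WHERE username LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def login_safe(conn, username, password):
    """Parameterised query: values travel separately from the SQL text."""
    sql = "SELECT username, email FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def search_safe(conn, term):
    """Parameterised LIKE: the wildcards are added to the value, not the SQL."""
    sql = "SELECT username FROM users WHERE username LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",)).fetchall()]


# Two classic payloads. The first makes the WHERE clause true for every row
# and comments out the password check; the second appends a UNION that reads
# a different table through the search box. Both rely on '--' starting a
# comment in SQLite, which swallows the rest of the original query.
AUTH_BYPASS = "' OR 1=1 --"
UNION_DUMP = "' UNION SELECT phone || ' ' || address FROM profiles --"

if __name__ == "__main__":
    db = build_db()
    print(login_vulnerable(db, AUTH_BYPASS, "whatever"))  # every user, no password needed
    print(login_safe(db, AUTH_BYPASS, "whatever"))        # []
    print(search_vulnerable(db, UNION_DUMP))              # usernames plus phones and addresses
    print(search_safe(db, UNION_DUMP))                    # []
```

The UNION case is the one that matters for a breach like this: once a single injectable query exists, the attacker is not limited to the table that query was written for. The sample stores passwords as plain text only to keep the demo short; hashing them with a slow, salted function limits what a dump is worth, but it does not fix the injection, which still exposes every other column.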

As usual, Kapustkiy decided to leak only part of the accounts, to give IT administrators more time to fix the flaw.

In a private conversation a few minutes ago, he told us that he had already contacted them to report the flaw and that the security team said it would investigate the breach, but for the moment the website still appears to be up and running.

The breach is critical for the Hungarian Human Rights Foundation website, especially because the leaked information includes personal details of registered users, but it remains to be seen how fast the organization manages to fix it.

Other recent breaches

Kapustkiy has found several other vulnerabilities in high-profile websites, including one that allowed him to infiltrate an Italian government website and access details of thousands of users.

The Dipartimento della Funzione Pubblica was hacked last week using a similar method, and Kapustkiy revealed that he accessed details of 45,000 accounts, including login credentials such as usernames and passwords. As is the case today, he leaked only part of the data, and Italian IT admins took the website down during the weekend to fix the vulnerability.

We have also contacted the Hungarian Human Rights Foundation for a statement on the data breach and will update the article when a response is offered. For the moment, however, if you're one of the users impacted by the leak, the best thing you can do is change your password as soon as possible, both on the foundation's site and on any other site where you reused the same password, since the leaked data includes the passwords themselves.

Update, November 22: The Hungarian Human Rights Foundation website is now down for maintenance while the security team investigates the breach. Kapustkiy has removed all leaked documents from the web, as his mission here is done.