Wow. What a weekend. In case you haven't heard, Barracuda Networks was the latest victim of a SQL injection attack on our corporate Web site that compromised lead and partner contact information. The good news is the information compromised was essentially just names and email addresses, and no financial information is even stored in those databases. Further, we have confirmed that some of the affected databases contained one-way cryptographic hashes of salted passwords. However, all active passwords for applications in use remain secure.
So, the bad news is that we made a mistake. The Barracuda Web Application Firewall in front of the Barracuda Networks Web site was unintentionally placed in passive monitoring mode and was offline through a maintenance window that started Friday night (April 8, 2011) after close of business Pacific time. Starting Saturday night at approximately 5pm Pacific time, an automated script began crawling our Web site in search of unvalidated parameters. After approximately two hours of nonstop attempts, the script discovered a SQL injection vulnerability in a simple PHP script that serves up customer reference case studies by vertical market. As with many ancillary scripts common to Web sites, this customer case study database shared the SQL database used for marketing programs which contained names and email addresses of leads, channel partners and some Barracuda Networks employees. The attack utilized one IP address initially to do reconnaissance and was joined by another IP address about three hours later. We have logs of all the attack activity, and we believe we now fully understand the scope of the attack.
This latest incident brings home some key reminders for us, including that:
- You can't leave a Web site exposed nowadays for even a day (or less)
- Code vulnerabilities can happen in places far away from the data you're trying to protect
- You can't be complacent about coding practices, operations or even the lack of private data on your site - even when you have WAF technology deployed
Before responding prematurely to the press or to anyone else, we wanted to make sure we had time to sift through our logs and do a bit of communication. We're glad that the impact will be very minimal, but we're not happy about the amount of bandwidth we've spent assessing what happened, responding to affected parties and putting in place the steps to prevent it in the future.
We are working to notify everyone whose email addresses were exposed, and we apologize for the inconvenience.