Symantec is sending out notification emails to Road Runner Safe Storage customers, alerting them to a security incident that has involved WhaleMail and SwapDrive accounts.
“Recently, an unauthorized third party accessed one of our databases. As soon as we learned of the attack, we limited all access to the database and thus the vulnerability was eliminated. However, as a result of this incident, your account credentials may have been exposed,” the emails read.
While the company reassures users that their credit card numbers and social security numbers are safe, the attackers may have stolen names, email addresses, usernames, passwords, secret questions and their answer and, in some cases, billing addresses.
To prevent any incidents, all passwords have been disabled. Now, when users log into the service, they will have to utilize the “Forgot your password” feature to retrieve and reset their passwords.
As always, potential victims are advised to change the passwords of all accounts that share the same credential combination.
And here comes the interesting part. Back in July, a group of hackers contacted us, claiming to have found several security holes in websites associated with Symantec’s SwapDrive (swapdrive.com was one of them).
They claimed that the vulnerability allowed them to easily gain access to databases and extract user information. One of the flaws they found was an SQL Injection vulnerability, the details of which they published at the time.
Interestingly, according to the FAQ released after this incident on SwapDrive.com, the attackers launched an SQL Injection attack to penetrate their systems.
At the time when we obtained the proof-of-concept, we immediately contacted Symantec and asked them to confirm or deny the existence of the vulnerability. Almost a month has passed since and we haven’t heard back from them, although they promised they would look into it.
Now, we have reached out once again to Symantec, trying to find out if the vulnerability published in July is connected to this incident. The details have been available on the Internet for a month and anyone could have used them to access the website.
Update. Symantec representatives have responded to out inquiry. It turns out that the SwapDrive vulnerability discovered and published by the hackers has been addressed back in July, shortly after the company learned of its existence.
This means that the flaw leverage by the attackers in this case is a different one.