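SCNB, a bank in New York State, leaks customer information through SQL injection.
More than 8,000 customer records. It says "credentials", so does that mean passwords?
It has been pointed out that this information was stored in plain text.
The attack method is thought to have been SQL injection.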
SCNB hit by breach - over 8,000 clear text credentials stolen - Security
According to Amichai Shulman, Imperva's CTO, what is amazing about the case is not just the fact that the bank has taken until earlier this week to reveal that around 10 percent of its customers' credentials were compromised, but that the data was stored as plain text. "What I find astonishing about this hack is that you would think that a banking application would undergo much more stress testing than most and, as a result, the storage of user credentials in plain text would have been spotted and remediated early on in the system development process," Shulman said.
"Although the full modus operandi for this banking hack has yet to be revealed, but given that the server was accessed and 8,378 credentials were stolen, I would assume the attacker gained access using an SQL injection approach," he added.
