SQLi Hall-of-Shame

Welcome to the SQL Injection Hall-of-Shame
In this day and age it’s ridiculous how frequently large organizations fall prey to SQL Injection (SQLi), which is almost entirely preventable, as I tell people all the time as part of my day job at Parasoft and have written previously.

Note that this is a work in progress. If I’ve missed something you’re aware of, please let me know in the comments at the bottom of the page or on Twitter.

Don’t let this happen to you! For some simple tips see the OWASP SQL Injection Prevention Cheat Sheet. For more security information check out the security resources page and the books SQL Injection Attacks and Defense and Basics of SQL Injection Analysis, Detection and Prevention: Web Security.
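Since the whole point of this list is that the bug is preventable, here is an added example (not code from the original post, and not Parasoft's) of the same user lookup written both ways: SQL assembled from strings, which is how most of the entries below were written, and the parameterized form the OWASP cheat sheet recommends, plus an allow-list for the one input that bound parameters cannot cover (identifiers such as an ORDER BY column). It runs against an in-memory SQLite database with constructed sample rows; the table layout, user names and payloads are assumptions for the demonstration.

```python
# Added example, not code from the original page. The schema, sample rows and
# attack payloads below are constructed for illustration only.
import sqlite3


def make_db():
    """Constructed sample data. Real systems must store password hashes,
    not plaintext; this table exists only to show query construction."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately unsafe: the caller's text becomes part of the SQL text,
    so quote characters and comment markers change the query's meaning."""
    sql = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Hardened form: the SQL text is a constant; the values travel separately
    as bound parameters and are never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Column names, table names and sort direction cannot be bound as parameters;
# the only safe option for those is an allow-list of known identifiers.
ALLOWED_SORT_COLUMNS = {"username", "role"}


def list_users_sorted(conn, sort_by):
    """The sort column is checked against the allow-list before it is
    concatenated; anything else is rejected rather than 'sanitized'."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % (sort_by,))
    rows = conn.execute("SELECT username FROM users ORDER BY " + sort_by)
    return [row[0] for row in rows]


def demo():
    """Run two classic payloads against both versions and return the rows each
    one yields, so the difference is visible without a real target."""
    conn = make_db()
    comment_out_password = "alice' --"  # closes the quote, comments out the rest
    tautology = "' OR 1=1 --"           # WHERE clause becomes always-true
    return {
        "vulnerable, comment payload": login_vulnerable(conn, comment_out_password, "x"),
        "parameterized, comment payload": login_parameterized(conn, comment_out_password, "x"),
        "vulnerable, tautology payload": login_vulnerable(conn, tautology, "x"),
        "parameterized, tautology payload": login_parameterized(conn, tautology, "x"),
        "parameterized, real credentials": login_parameterized(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print("%-34s -> %s" % (label, rows))
```

With the string-built query the comment payload logs in as alice without a password and the tautology payload returns every row; the parameterized query returns nothing for either, because the quote and the `--` are just bytes in a bound value. The allow-list is the part people forget: a plugin that parameterizes its WHERE clause but concatenates a user-supplied ORDER BY column is still on this list.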

Organization | Date | Exposure / impact | Source (article title)
Ovidentia | 2019-07 | Content manager vulnerable in version 8.4.3 | CVE-2019-13978 Detail
India government bus booking site | 2019-07 | Complete database exposed | UP govt bus booking site compromised customer data of lakhs of passengers
Video service providers using Ministra platform | 2019-06 | Possible exposure of user financial data | Streaming Video Fans Open to TV Hijacking
Medical Informatics Engineering | 2019-06 | 3.5 million patient records exposed | EMR Company Suffers Double Whammy after HIPAA Breach
C-Trade | 2019-05 | 16 databases exposed | C-Trade the Share Trading Platform and other associated sites were hacked
Amadeus IT Group | 2019-05 | Exposed data on 700,000 visa applications of Israeli citizens | Hacker Reveals Breach Exposing Flight Histories of Netanyahu Family, Other Israeli Officials
Orpak SiteOmat | 2019-05 | Widely used gas station software vulnerable to SQLi; unknown number of affected users | CERT CISA advisory ICSA-19-122-01 Orpak SiteOmat
IBM BigFix WebUI | 2019-04 | Backend database could be modified; patch available | IBM BigFix WebUI Profile Management 6 and Software Distribution 23 is vulnerable to SQL injection
Oracle | 2019-04 | Multiple CVEs patched | April’s Oracle CPU Fixes Critical Bugs Reported by Onapsis
Georgia Tech University | 2019-04 | Personal info exposed for up to 1.3 million people | Georgia Tech Breach Strikes Possible 1.3 Million
Yellow Pencil WordPress plugin | 2019-04 | 30,000+ sites vulnerable to SQL injection | Thousands of WordPress Sites Exposed by Yellow Pencil Plugin Flaw
Advanced Contact Form 7 DB WordPress plugin | 2019-04 | 40,000+ sites using the plugin are vulnerable to SQLi | SQL Injection in Advance Contact Form 7 DB
Google Maps WordPress plugin | 2019-04 | Over 400,000 sites vulnerable to attack | WP Google Maps Plugin Vulnerable to SQL Injection Exploit
Nagios XI API | 2019-04 | Systems using the Nagios XI API vulnerable | Nagios XI API SQL Injection Vulnerability (CVE-2019-9165)
Duplicate-Page WordPress plugin | 2019-04 | 800,000 sites exposed to vulnerability | SQL Injection in Duplicate-Page WordPress Plugin
Magento | 2019-03 | 300,000 e-commerce sites exposed to SQL injection | Critical flaw in Magento e-commerce platform exposes 300,000 e-commerce sites to SQL injection
HACCAP Brazil | 2019-03 | Leaked personal data about staff members | Hazard Analysis and Critical Control Points / Analise de Perigos Hacked by Mr Joker aka Error Toxic
Kaseya | 2019-02 | Plugin for ConnectWise Manage software vulnerable; used by at least 126 IT support firms | GandCrab ransomware gang infects customers of remote IT support firms
coturn TURN | 2019-02 | Vulnerability could allow access to admin portal; patched | coturn TURN Administrator Web Portal SQL Injection Vulnerability
Maph Editora | 2019-02 | Email addresses and passwords leaked for 138 customers | MAPH EDITORA - INFORMACOES TRABALHISTAS E TRIBUTARIAS Hacked by Darkness Ghost
phpMyAdmin | 2019-01 | Vulnerability for remote attack; now patched | phpMyAdmin Designer Feature SQL Injection Vulnerability
Epic Games | 2019-01 | All Fortnite player accounts accessible, exposing credit card info etc. | Bugs on Epic Games Site Allowed Hackers to Login to Any Fortnite Player's Account
Lenovo | 2019-01 | 1+ million users compromised | Lenovo Website Servers Haxxed - Data of +1 Million Users Compromised by New World Hackers
Texas.gov and Florida.gov | 2018-12 | State databases of contractors and employees leaked | Texas.gov and Florida.gov hacked by New World Hackers - Access to Various Databases Leaked Online
EVLink electric car charging stations | 2018-12 | Full-privilege access available to the web interface | Schneider Electric's EVLink Charging Station Vulnerable to Attackers
Atlanta International Airport | 2018-12 | Data leak including over 700 passports | Atlanta International Airport Hacked: 617.57 KB of Data Including +700 Passports Leaked Online
Cisco | 2018-12 | Vulnerability in Prime License Manager; now patched | Cisco patches Prime License Manager SQL injection vulnerability
Steam | 2018-11 | API vulnerability gave access to CD keys for any game; now patched | Steam bug could have given you access to all the CD keys of any game
PostgreSQL | 2018-11 | SQL injection vulnerability when running as superuser; patched as of v11.1 | PostgreSQL 11.1 Released To Address The Latest Open-Source Security Vulnerability
ServersCheck | 2018-10 | Monitoring software open to SQL injection; fixed in v14.3.4 (CVE-2018-18550) | ServersCheck Monitoring Software SQL Injection Vulnerability
Hetzner (South Africa web host provider) | 2018-10 | Private customer data exposed in second breach in less than a year | Web Hosting Provider Has Been Hacked For The Second Time In The Past Year By Hackers
SAP | 2018-10 | Vulnerabilities (now fixed) in BusinessObjects | SAP Security Notes August 18
Altima Telecom (Canadian ISP) | 2018-10 | Customer data potentially exposed; found by a researcher | SQL Injection Exposed Data From Canadian ISP Altima Telecom
Seagate Personal Cloud Media Server | 2018-08 | Research showed ability to extract private data from the server | SQL Injection Vulnerabilities in Seagate Personal Cloud Media Server allow Retrieval of Private Data
Florida Secretary of State web page | 2018-08 | 11-year-old hacker penetrated an election reporting system at a research forum in 10 minutes | Hacking the websites responsible for election information is so easy an 11-year-old did it
Battelle V2I (Vehicle-to-Infrastructure) Hub | 2018-08 | Researchers found injection and other flaws in smart city software | Smart city hacks could turn criminals into supervillains
OpenEMR healthcare software | 2018-08 | Multiple products riddled with vulnerabilities including SQL injection; found by researchers | Over 20 Flaws Discovered in Popular Healthcare Software
Indian Railways | 2018-05 | Non-sensitive data exposed | French researchers highlight security flaws in Indian Railways portals
Shamshabad engineering college | 2018-05 | Students changed official examination results | Engineering students hack college website
IIT-Delhi | 2018-03 | Potential access to student data | Kerala youth picks security flaw in IIT-Delhi's web server
BSNL | 2018-03 | 47,000 employees' data taken by hacker to prove the problem; second time for this site in 2 years; fixed | Security researcher hacks BSNL intranet, leaks details of 47,000 employees
Telangana NREGA portal (India) | 2018-02 | Hack exposed data to show security flaw | Hacker exposes major security flaw in Telangana government's NREGA website
Joomla | 2018-02 | Joomla CMS SQLi bugs (patch available) | Joomla 3.8.4 release addresses three XSS and SQL Injection vulnerabilities
Zoho | 2018-01 | Helpdesk software vulnerable to blind SQLi | Multiple critical flaws found in Zoho ManageEngine
Hetzner South Africa | 2017-11 | Over 40,000 customer details including bank accounts leaked | Hetzner hack: top South African web host hit
WordPress | 2017-10 | SQLi vulnerability in plugins; patched in v4.8.3 | If your websites use WordPress, put down that coffee and upgrade to 4.8.3
GoDaddy | 2017-10 | Researcher showed site security tool is easily bypassed to allow SQLi | This bug let a researcher bypass GoDaddy's site security tool
Inmarsat | 2017-10 | AmosConnect satellite communications for ships is vulnerable | AmosConnect: Maritime Communications Security Has Its Flaws
Equifax | 2017-10 (long term) | Personal data for over 145 million people compromised | Equifax was warned
Jigsaw Holding in South Africa | 2017-10 | 75m database records available for download | Revealed: the real source of SA's massive data breach
Catholic United Financial | 2017-10 | Personal info for over 130k users | Data breach at Arden Hills-based Catholic financial services provider affects nearly 130k accounts
BPC Banking - SmartVista software | 2017-10 | Numerous vulnerable ecommerce sites | Vendor BPC Banking Silent on Patching SQL Injection in SmartVista Ecommerce Software
EMC | 2017-07 | Multiple vulnerabilities found, some fixed | EMC products hit by multiple vulnerabilities including SQL injection
WordPress Statistics plugin | 2017-07 | Vulnerability in WordPress plugin | SQL injection vulnerability found in popular WordPress plugin, again
Siemens | 2017-06 | Vulnerability in AMT industrial products patched after CERT warning | Siemens patches critical Intel AMT flaw in industrial products
Illinois State Board of Elections | 2017-06 | Voter registration system breached; reported in 2017-06 but occurred in 2016 | Illinois chapter in the Russian hacking saga
Peplink | 2017-06 | Vulnerable routers; now patched | Peplink patches SD-WAN routers
Joomla CMS web application | 2017-05 | Sites exposed to execution of custom SQL code | New Joomla SQL Injection Flaw is Ridiculously Simple to Exploit
Construction Materials Online | 2017-05 | Company fined for exposing customer payment details | Online building products supplier fined £55,000 after SQL injection attack exposed payment details
GangWeb | 2017-04 | Patient prescription data exposed | Activist: SQL injection exposing citizens' prescriptions
Yeogi-Eoddae | 2017-03 | 4,000 users got odd text messages, some obscene | Chinese hackers suspected of targeting individual Koreans in THAAD retaliation
Moodle | 2017-03 | Tens of thousands of universities have the vulnerability | Critical Moodle Vulnerability Could Lead To Server Compromise
NextGEN Gallery | 2017-02 | Vulnerability in WordPress plugin that has been downloaded over 16 million times | Critical SQL Injection vulnerability found in NextGEN Gallery WordPress plugin
Airsoft GI | 2017-02 | 65,000 user accounts leaked | Gun Retailer Airsoft GI's Forum Hacked: 65,000 User Accounts Leaked
Teton County Idaho website | 2017-02 | Home page replaced | Turkish hacker takes down Teton county website
Universities and government agencies via Rasputin | 2017-02 | Over 60 sites hacked by the hacker Rasputin | Hacker Rasputin Breaches over 60 Universities and Government Agencies
McAfee | 2017-02 | ePolicy Orchestrator (ePO) admin console vulnerable; patched | Dangerous hole found in McAfee ePO antivirus central management suite
WordPress CMS | 2017-01 | Vulnerability patched | WordPress 4.7.1 update fixes XSS, SQL injection bugs
India BHIM mobile money app | 2017-01 | Security flaws discovered | BHIM may expose you to data theft
Giulianisecurity.com | 2017-01 | Vulnerabilities found; site currently offline | Trump's cyber-guru Giuliani runs ancient, easily hackable website
Russia Visa Center | 2016-12 | Vulnerability proven | Twitter User Claims Russia Visa Center Hack
National Assembly of Ecuador | 2016-12 | 930 user records stolen | National Assembly of Ecuador breached and data leaked via PasteBin
Russian Embassy in Armenia | 2016-12 | Admin credentials leaked; member credentials not leaked | Black hat hacker broke into the database of Russian Embassy of Armenia
Slovak Chamber of Commerce and Industry (scci.sk) | 2016-12 | 8,000 users' details including phone, name, password, email address | Slovak Chamber of Commerce and Industry Hacked
US Election Assistance Commission | 2016-12 | Voting machine vulnerabilities | Researchers Find Russian Hacker Selling Access to U.S. Election Assistance Commission
McAfee enterprise software console | 2016-12 | Systems running McAfee security software were vulnerable | Security flaw in McAfee enterprise software gives attackers root access
Belkin home automation IoT devices | 2016-11 | Home devices vulnerable | SQLi, XSS zero-days expose Belkin IoT devices, Android smartphones
Hungarian Human Rights Foundation | 2016-11 | 20,000 accounts' personal information including phone numbers and home addresses | Human Rights Foundation Website Hacked, Thousands of Accounts Exposed
Eastern Indian Regional Council server | 2016-11 | 17,000+ students' data | Kapustkiy Breaks into Indian Regional Council Server, 17,000 Users Exposed
Italy Dipartimento della Funzione Pubblica | 2016-11 | 45,000+ users' data leaked including logins | Hacker Breaks into Italian Government Website, 45,000 Users Exposed
Indian Embassy websites | 2016-11 | Database info posted online | Indian Embassy Hacks: We are a Joke of Global Hackers Community
WeMo | 2016-11 | Android phones exploited via the app for smart switches and smart lightbulbs | WeMo IoT Vulnerability Lets Attackers Run Code on Android Phone
Various network management systems (NMS) | 2016-09 | Various network management systems vulnerable: Spiceworks, Ipswitch, Castle Rock, ManageEngine, CloudView, Opmantek, Opsview, Netikus | Half of network management systems vulnerable to injection attacks
Cisco email security appliances | 2016-09 | Appliances running IronPort AsyncOS vulnerable to SQL injection allowing root-level access | Cisco Warns of Critical Flaw in Email Security Appliances
i-Dressup teen social site | 2016-09 | Up to 5.5 million passwords leaked in plain text | Teen social site is leaking millions of plaintext passwords
US government servers in the .us top-level domain | 2016-09 | Usernames and passwords for "every FTP server on a .us domain" | Fear hacker claims he hit hundreds of government servers
MySQL | 2016-09 | Unpatched vulnerability allows injection attack | Critical MySQL Vulnerability Disclosed
Bitcoin | 2016-08 | Hacker shows you can steal bitcoin with SQLi | How I hacked hundreds of Bitcoins
Arizona voter database | 2016-08 | Data for 200,000 voters stolen | Hack that targeted Arizona voter database was easy to prevent
GTA fan forum | 2016-08 | Email addresses, passwords and other profile data for 197,000 users | GTAGaming Hack Blamed on old vBulletin Software
vBulletin on 11 websites | 2016-08 | Personal information for 27 million accounts from 11 websites | Hackers exploit vBulletin flaw to access 27M accounts on 11 websites
CodeIgniter | 2016-08 | Vulnerability in PHP framework; breaches unknown | Future Hosting Advises Users of the CodeIgniter Framework to Update
ReadyDesk | 2016-08 | Vulnerability found in help desk application used by more than 400,000 people | CERT warns of vulnerabilities in ReadyDesk
Epic Games | 2016-08 | 80,000 user accounts from online forums | Epic Games Forums Hacked
Navis port software at various ports | 2016-08 | Various port authorities around the world had possible data loss | Attackers Exploit Flaw in Software Used by US Ports
WordPress Ninja Forms plugin | 2016-08 | Vulnerability on 600,000 sites | WordPress Plugin Fixes SQL Injection Flaw That Let Attackers Dump Site Passwords
World Anti-Doping Agency | 2016-08 | 412MB of data including 3,121 email accounts and passwords | World Anti-Doping Agency Hacked: Thousands of Accounts Leaked
DOTA 2 forum | 2016-08 | 1.9 million user records exposed | The DOTA 2 Forum was hacked in July and we are just now hearing about it
Oracle E-Business Suite 11i | 2016-08 | Many vulnerabilities reported at the Black Hat conference | Oracle E-Business Suite massive attack surface assessed
Illinois State Board of Elections | 2016-07 | Voter records accessed | Foreign hack attack on state voter registration site
WordPress video plugin | 2016-07 | Vulnerability to get admin password shown | WordPress admin? Thinking of spending time with the family? Think again
Ubuntu Linux forums | 2016-07 | Username, email and IP address for 2,000,000 people | The Hacking of Ubuntu Linux Forums: Lessons Learned
Armscor | 2016-07 | 64MB leaked to the dark web by Anonymous | Anonymous Hacks Armscor Website with Simple SQL Injection
Muslim Match (dating website) | 2016-07 | User credentials and profiles for 150,000 subscribers leaked | Dating website Muslim Match hacked, user info exposed
Riverbed network appliance | 2016-06 | Vulnerabilities found and patched; exploits unknown | Riverbed's NetProfiler, NetExpress virtual appliances patched
University of Greenwich | 2016-06 | 2.7GB of confidential student and staff data | University of Greenwich Suffers Second Data Breach
Oracle E-Business Suite | 2016-06 | 50 vulnerabilities in E-Business Suite | Oracle E-Business Suite has huge massive, ginormous pwn surface
LG smartphones | 2016-05 | Hackers can modify texts on many LG smartphones | Flaw Allows Hackers to Modify Texts on LG Smartphones
Drupal sites | 2016-05 | Ransomware installed | Crooks Used SQL Injections to Hack Drupal Sites and Install Fake Ransomware
Mr Robot TV show website | 2016-05 | Potential exposure of user data | Hackers find flaws in Mr Robot website
Commercial Bank of Ceylon | 2016-05 | Corporate website data exposed | Commercial Bank of Ceylon website hacked
Country Liberal political party website | 2016-05 | Credit card details and personal info for 117 members | Hacker convicted for infiltrating Country Liberals website
Rosebutt Board fetish porn site | 2016-05 | Usernames and email addresses of users | Hardcore pwn: Fetish forum data breached
Florida elections sites | 2016-05 | Usernames and passwords taken | Criminal charges filed in hacking of Florida elections websites
Instagram | 2016-05 | Comments deleted | Facebook Rewards Instagram User $10,000: Finnish Boy Found Error That Allowed Him To Delete Comments
InnerChef | 2016-04 | Leaked user data | Partial User Data of Food Delivery Service InnerChef Leaked by Purported Hackers
Qatar National Bank | 2016-04 | Sensitive financial information leaked | Qatar National Bank leak: Security experts hint 'SQL injection' used in database hack
Facebook | 2016-04 | Employee password vulnerability discovered by researcher | Researcher finds backdoor that accessed Facebook employee passwords
Comelec (Philippines Commission on Elections) | 2016-04 | Data on 55 million voters | Int'l web security expert slams Comelec for slow acknowledgment of data hack
Mossack Fonseca (Panama Papers) | 2016-04 | 11.5 million files; 2.6 TB of data | SQL injection vuln found at Panama Papers firm Mossack Fonseca
Team Skeet (adult web sites) | 2016-04 | 237,000 users' data stolen including plain text passwords | SQL Injection Allowed Hacker to Steal Data of 237,000 Users from Adult Site
Symantec | 2016-03 | Security console vulnerable | Symantec calls vulnerability warning a routine advisory
Staminus | 2016-03 | 50GB of data published on the web | Security firm responsible for anti-DDoS protection still recovering from last week's incident
Time Warner Cable | 2016-03 | 4,191 usernames, emails and encrypted passwords | TeaMp0isoN Hacks Time Warner Cable Business Website, Dumps Customer Data
UN tourism website | 2016-02 | 1,300 usernames, emails, and MD5-hashed passwords | UN tourism website breached and defaced by TeamPoison hacking collective
DoD Defense Contract Management Agency | 2016-01 | Researcher discovered vulnerability | Researcher Finds Several ‘Serious’ Vulnerabilities in US Military Websites
Various websites that use Microsoft MS-SQL | 2016-01 | Search engine (SEO) results manipulated | SQL injection used to manipulate search engine results
Faithless (band) | 2016-01 | 20,000 fans had their personal details stolen | Faithless Fans Suffer Data Breach thanks to SQLi Flaw
Network management system products | 2015-12 | Various network products from various manufacturers are vulnerable and can disclose data about the internal infrastructure | SQL Injection, XSS Flaws Found In Network Management System Products
UN Climate Change Summit website | 2015-11 | Leaked data with usernames, passwords, email, etc. | Anonymous Hacks UN Climate Change Summit Website to Protest French Police Brutality
VTech | 2015-11 | Info on 4.8 million people who bought kids' toys: names, email, home address, passwords, etc. | One of the Largest Hacks Yet Exposes Data on Hundreds of Thousands of Kids
TalkTalk | 2015-10 | Info on 4 million customers including personal details, passwords, credit card numbers | #TalkTalk: SQL Injection Possible Vector for ISP Breach
Joomla sites | 2015-10 | Various attackers against various Joomla sites exploiting recently published SQL injection vulnerability | Attackers Targeting Unpatched Joomla Sites Through SQL Injection Vulnerability
MySQL servers | 2015-10 | Chikdos trojan infection of MySQL servers as prequel to possible DDoS attacks | MySQL database servers hit by SQL injection exploit; widespread DDoS risk could follow
Patreon | 2015-10 | 15GB of user data including encrypted passwords, donation records and source code | Gigabytes of user data from hack of Patreon donations site dumped online
Planned Parenthood | 2015-07 | Multiple databases downloaded | Planned Parenthood Reports Hack Attack
Smart home hubs | 2015-07 | Smart-home hubs tested and found open to SQLi | Hubs Driving Smart Homes Are Vulnerable, Security Firm Finds
Gaana music service | 2015-05 | User data exposed for 12.5 million users | Indian music streaming service Gaana hacked, millions of users' details exposed
Telstra corporate network | 2015-05 | Corporate network accessed | Unknown attackers used SQL injection to gain access to corporate network
World Trade Organization | 2015-05 | Personal data on 53,000 people | Anonymous hacker breached WTO database and leaked data of internal staff
Magento e-commerce software | 2015-04 | 98,000 online merchants at risk | Potent, in-the-wild exploits imperil customers of 100,000 e-commerce sites
Mapp.nl | 2015-04 | 157,000 email addresses and passwords | Hackers Steal Data from MAPP.NL Clients
SAP | 2015-04 | Flaw in medical app allows access to medical records database | Researchers found SQL injection flaw in SAP medical app, allowing other apps to get access to EMR Unwired database
University of Sydney | 2015-02 | Personal details of 5,000 students | 16-year-old claims to be behind USyd data breach
Boomerang Video | 2015-01 | Personal details leaked for 26,000 users | Pwned UK SME fined £60K for leaving itself vulnerable to hack attack
Banque Cantonale de Genève (BCGE) | 2015-01 | 30,000 private emails taken | Rex Mundi Hackers Blackmail Swiss Bank
Archos | 2014-12 | Personal data for 100,000 people | Up to 100K Archos customers compromised by SQL injection attack
Aussie Travel Cover | 2014-12 | Personal data for approx. 800,000 people leaked | Private details leaked after travel insurance company hacked
Indiana Dept of Education | 2014-11 | Drupal SQL injection used to deface site | Mistaken identity: Indiana Dept. of Education hacked a second time
Drupal | 2014-10 | Drupal v7 based websites vulnerable to attack | SQL injection flaw opens Drupal sites to attack
WordPress security plugin | 2014-09 | Potentially 400,000 installations; no breach reported yet | Researchers discover two SQL injection flaws in WordPress security plugin
Over 400,000 websites | 2014 | Botnet using SQL injection to pull data from sites both large and small | Russian Hackers and What it Means for Your Website
Wall Street Journal | 2014-08 | SQL injection exposed database | SQL injection flaw in Wall Street Journal database led to breach
Wall Street Journal | 2014-07 | Database with unknown content stolen | SQL injection flaw in Wall Street Journal database led to breach
Zoph web photo album | 2014-05 | Unknown if exploit has been used | XSS / SQL injection vulnerability in Zoph
Tesla | 2014-03 | Researcher accessed customer records and administrative areas of site | Researcher finds SQL injection vulnerability on Tesla website
Johns Hopkins University | 2014-03 | Data published on 878 students from biomedical engineering servers | Hacker breaches Hopkins server, but officials say identity theft not a concern
Tesla | 2014-02 | Discovered by a white hat | Tesla Motors blind SQL injection
Chinese Chamber of Commerce | 2013-11 | Names and contact info of public officials published | Hackers leak data from Chinese Chamber of Commerce website
US Federal (Army, NASA, DOC, ...) | 2013-11 | Info on over 100,000 users | FBI Blames Federal Hacks on Anonymous Campaign
Racing Post | 2013-10 | 677,000 accounts compromised | Racing Post website SQL injection attack compromises 677K accounts
Marketwired, Business Wire, PR Newswire | 2013-10 | $100 million in insider trading over 5 years | How Hackers Made Millions by Stealing One News Release
Sebastian ISP / banks | 2013-10 | $100,000 from bank accounts | Hacker group claims to have looted $100k via SQL injection attack
WHMCS | 2013-10 | Extract or modify sensitive information in client management, billing and support application | Web hosting firms at risk from critical vulnerability in WHMCS billing and support system
Ubuntuforums.org | 2013-07 | Forum defaced; email addresses and encrypted passwords accessed | Ubuntu forum defaced, breached by hackers (PC World)
Istanbul administration site | 2013-06 | Claimed to erase debts | RedHack Breaches Istanbul Administration Site, Hackers Claim to Have Erased Debts
Worldview Ltd | 2013-06 | Payment card details for 3,800 customers | ICO issues warning over SQL injection flaws as travel firm fined £7,500
HITRUST | 2013-05 | 111 records and test data | HITRUST SQL Injection Exposes 111 Records, Test Data
LivingSocial | 2013-04 | 50 million customers at risk from breach that was probably SQL injection | LivingSocial Says Cyberattack Puts Data Of 50 Million Customers At Risk
Islami Bank Bangladesh | 2013-01 | Vulnerability reported by grey hat hacker | Islami Bank Bangladesh website hacked by Human Mind Cracker
Crédit Populaire d'Algérie (CPA) Bank | 2013-01 | Reported by grey hat hacker | Algerian Bank CPA hacked by Tunisian Hacker
Central Bank of Tunisia, Bank of Tunisia | 2012-12 | Reported by grey hat hacker | Tunisian hacker Human Mind Cracker discovered SQLi vulnerability in Tunisian bank sites
Yahoo | 2012-12 | Unknown | Imperva report examines dangers of third-party code for cloud security
FBI, NASA | 2012-12 | 1.6 million email addresses, passwords, and more | GhostShell claims breach of 1.6M accounts at FBI, NASA, and more
Maldives Health Ministry | 2012-12 | Database partially published | Maldives health ministry hacked by group claiming to be Anonymous
Adobe | 2012-11 | 150,000 emails & passwords | Dark Reading
53 colleges and universities (Harvard, Stanford, Cornell, Princeton, etc.) | 2012-10 | 36,000 email addresses, and thousands of usernames, passwords, phone numbers and addresses | Hackers breach 53 universities and dump thousands of personal records online
US Chamber of Commerce in France | 2012-09 | Email addresses and passwords disclosed | Deletesec's Hack into US Chamber of Commerce Not So Much
Domino's Pizza | 2012-09 | 37,000 accounts with address, phone, name, email, & passwords in plain text | Domino's India website hacked, customer info leaked
Bit9 | 2012-07 | Security company became a platform to launch security attacks | Hacking victim Bit9 blames SQL injection flaw
Yahoo | 2012-07 | 450,000 plain text passwords | Yahoo fixes password-pilfering bug, explains who's at risk
LinkedIn | 2012-06 | 6.5 million hashed passwords | LinkedIn hack and lessons for your company; Update: LinkedIn Confirms Account Passwords Hacked
Wurm Online | 2012-05 | Malicious web pages served | Wurm Online restructuring
Ingenicard | 2012-03 to 2012-12 | Estimated financial fraud losses $9 million | Card Fraud Scheme: The Breached Victims
Gamigo | 2012-03 | 11 million hashed passwords, 8 million email addresses | SQL-Injection (Gamigo, Elite, FanPages): 11 million passwords from hacked game website dumped online
mes-conseils.fr (French web hosting company) | 2011-11 | Large data dump | Statement on the leak of UMP personal data (French: Communiqué sur la fuite de données personnelles de l'UMP)
Royal Navy website | 2011-11 | Site compromised | Royal Navy website attacked by Romanian hacker
La Poste website (French postal service) | 2011-09 | Vulnerability published | La Poste FR Website SQL Injection
Nokia | 2011-08 | Unknown number of forum users' credentials | Hackers breach Nokia developer community
Sony Pictures | 2011-06 | 1 million user credentials | New Sony Hack Claims Over a Million User Passwords
Diners Club Singapore | 2011-06 | 500,000 Diners card numbers stolen; estimated loss $312,000 | Card Fraud Scheme: The Breached Victims
PBS | 2011-06 | Site content altered | PBS Breached: How Hackers Probably Did It
Citigroup | 2011-06 | Personal details on more than 200,000 customers | Revealed: How Citigroup hackers broke in through the front door using bank's website
Sony Music | 2011-05 | "Relatively small" | Sony Music Japan hacked through SQL injection flaw
Broadband Networks | 2011-04 | Over 90,000 usernames and passwords | Broadband DSLReports.com
Barracuda Networks site | 2011-04 | Names and contact information | Hackers disclose SQL injection of Barracuda website
Sony PlayStation Network | 2011-04 | 7+ million users' personal details | How the PlayStation Network was Hacked
MySQL.com | 2011-03 | Unknown quantity of user credentials | MySQL Website Falls Victim to SQL Injection Attack
Visa Jordan | 2011-02 to 2011-03 | 800,000 card numbers exposed | Card Fraud Scheme: The Breached Victims
eHarmony ancillary site | 2011-02 | Usernames, email addresses and hashed passwords | Some eHarmony user information stolen
HBGary Federal | 2011-02 | Site compromised; emails and credit card numbers taken | With arrests, HBGary hack saga finally ends
Global Payments | 2011-01 to 2012-03 | 950,000 card numbers stolen; estimated loss $92.7 million | Card Fraud Scheme: The Breached Victims
Twin America LLC d.b.a. City Sights NY | 2010-12 | Cardholder information for 111,000 credit cards | SQL Injection Blamed for New Breach
Swedish Election Authority | 2010-09 | Attempts to manipulate election data | Did Little Bobby Tables migrate to Sweden?
Neo Beat | 2010-08 | 12,000 credit card records | Hackers steal customer data by accessing supermarket database
Euronet | 2010-07 to 2011-10 | 2 million card numbers compromised | Card Fraud Scheme: The Breached Victims
Pirate Bay | 2010-07 | 4 million names, email addresses and IP addresses | Pirate Bay Hack Exposes User Booty
RockYou | 2009-12 | Account data for 32 million people (stored in plain text) | RockYou Hacker: 30% of Sites Store Plain Text Passwords
WordPress sites | 2009-09 | Large quantity of hacked sites using WordPress software and MySQL | WordPress SQL Injection: Latest Attack
RideMatch | 2009-09 | Sensitive details of military personnel | Website exposes sensitive details on military personnel
Army servers | 2009-05 | Army servers penetrated, web site defaced | Anti-U.S. Hackers Infiltrate Army Servers
Various web sites in China and Taiwan | 2008-05 | Implanted malware | Mass SQL Injection Attack Targets Chinese Web Sites
Kaspersky Malaysian web site | 2008-07 | Site defaced | Kaspersky's Malaysian site hacked by Turkish hacker
Oklahoma Dept of Corrections | 2008-04 | Sensitive data leaked including 10k+ social security numbers and sex offender data | Oklahoma leaks tens of thousands of social security numbers, other sensitive data
United Nations, UK, US government web sites | 2008-04 | SQL Server exploit used to infect systems | Mass Attack FAQ
Dexia Bank | 2008-02 to 2009-02 | Malware exposing credit cards resulting in $1.7 million loss | Card Fraud Scheme: The Breached Victims
Wet Seal | 2008-01 | Unspecified number of card details exposed | Card Fraud Scheme: The Breached Victims
Heartland Payment Systems | 2007-12 | 130 million card numbers stolen; estimated loss $200 million | Card Fraud Scheme: The Breached Victims
Hannaford | 2007-11 | 4.2 million card numbers stolen | Card Fraud Scheme: The Breached Victims
JC Penney | 2007-10 | Undetermined amount of card data | Card Fraud Scheme: The Breached Victims
Microsoft UK | 2007-06 | Web page defaced | Hacker defaces Microsoft UK web page
NASDAQ | 2007-05 | Login credentials stolen | Card Fraud Scheme: The Breached Victims
7-Eleven | 2007 | Malware install that stole payment card numbers | Card Fraud Scheme: The Breached Victims
Incredibleindia.org | 2006-03 | Unknown use of known exploit | SQL Injection in incredibleindia.org
Rhode Island government web site | 2006-03 | 53,000 credit card numbers | Russian hackers broke into a RI GOV website
Information Security Magazine | 2006-01 | Customer and member information stolen | Teenage hacker facing court case for data theft
Guess | 2002-03 | Leaking credit card numbers | Guesswork Plagues Web Hole Reporting
