SQLi Hall-of-Shame

Welcome to the SQL Injection Hall-of-Shame

Image: statue with face covered (Shame © by Ranger78)
In this day and age it's ridiculous how frequently large organizations fall prey to SQL Injection (SQLi), which is almost totally preventable, as I tell people all the time as part of my day job at Parasoft and have written previously.

Note that this is a work in progress. If I’ve missed something you’re aware of please let me know in the comments at the bottom of the page or on Twitter.

Don't let this happen to you! For some simple tips see the OWASP SQL Injection Prevention Cheat Sheet. For more security information check out the security resources page and the books SQL Injection Attacks and Defense and Basics of SQL Injection Analysis, Detection and Prevention: Web Security.

| Company | Date | Results | Reference |
|---|---|---|---|
| Joomla CMS web application | 2017-05 | sites exposed to execution of custom sql code | New Joomla SQL Injection Flaw is Ridiculously Simple to Exploit |
| Construction Materials Online | 2017-05 | Company fined for exposing customer payment details | Online building products supplier fined £55,000 after SQL injection attack exposed payment details |
| GangWeb | 2017-04 | patient prescription data exposed | Activist: SQL injection exposing citizens' prescriptions |
| Yeogi-Eoddae | 2017-03 | 4,000 users got odd text messages, some obscene. | Chinese hackers suspected of targeting individual Koreans in THAAD retaliation |
| Moodle | 2017-03 | Tens of thousands of universities have vulnerability | Critical Moodle Vulnerability Could Lead To Server Compromise |
| NextGEN Gallery | 2017-02 | Vulnerability in WordPress plugin that has been downloaded over 16 million times. | Critical SQL Injection vulnerability found in NextGEN gallery WordPress plugin |
| Airsoft GI | 2017-02 | 65,000 user accounts leaked | Gun Retailer Airsoft GI's Forum Hacked - 65,000 User Accounts Leaked |
| Teton County Idaho website | 2017-02 | Replaced home page | Turkish hacker takes down Teton county website |
| Universities and Gov via Rasputin | 2017-02 | Over 60 sites hacked by Hacker Rasputin | Hacker Rasputin Breaches over 60 Universities and Government Agencies |
| McAfee | 2017-02 | ePolicy Orchestrator (ePO) admin console vulnerable - patched | Dangerous hole found in McAfee ePO antivirus central management suite |
| Wordpress CMS | 2017-01 | vulnerability patched | Wordpress 4.7.1 update fixes XSS, SQL injection bugs |
| India BHIM mobile money app | 2017-01 | security flaws discovered | BHIM may expose you to data theft |
| Giulianisecurity.com | 2017-01 | vulnerabilities found, site currently offline | Trump's cyber-guru Giuliani runs ancient easily hackable website |
| Russia Visa Center | 2016-12 | vulnerability proven | Twitter User Claims Russia Visa Center Hack |
| National Assembly of Ecuador | 2016-12 | 930 user records stolen | National Assembly of Ecuador breached and data leaked via PasteBin |
| Russian Embassy in Armenia | 2016-12 | Admin credentials leaked, member credentials not leaked. | Black hat hacker broke into the database of Russian Embassy of Armenia |
| Slovak Chamber of Commerce and Industry scci.sk | 2016-12 | 8,000 users' details including phone, name, password, email address | Slovak Chamber of Commerce and Industry Hacked |
| US Election Commission | 2016-12 | Voting machine vulnerabilities | Researchers Find Russian Hacker Selling Access to U.S. Election Assistance Commission |
| McAfee enterprise software console | 2016-12 | Systems running McAfee security software were vulnerable | Security flaw in McAfee enterprise software gives attackers root access |
| Belkin Home automation IoT devices | 2016-11 | home devices vulnerable | SQLi, XSS zero-days expose Belkin IoT devices, Android smartphones |
| Hungarian Human Rights Foundation | 2016-11 | 20,000 accounts' personal information including phone numbers and home addresses | Human Rights Foundation Website Hacked, Thousands of Accounts Exposed |
| Eastern Indian Regional Council Server | 2016-11 | 17,000+ student data | Kapustkiy Breaks into Indian Regional Council Server, 17,000 Users Exposed |
| Italy Dipartimento della Funzione Pubblica | 2016-11 | 45,000+ users' data leaked including logins. | Hacker Breaks into Italian Government Website, 45,000 Users Exposed |
| Indian Embassy websites | 2016-11 | database info posted online | Indian Embassy Hacks: We are a Joke of Global Hackers Community |
| WeMo | 2016-11 | Android phones exploited via app for smart switches and smart lightbulbs | WeMo IoT Vulnerability Lets Attackers Run Code on Android Phone |
| Various network management systems (NMS) | 2016-09 | various network management systems vulnerable: Spiceworks, Ipswitch, Castle Rock, ManageEngine, CloudView, Opmantek, Opsview, Netikus | Half of network management systems vulnerable to injection attacks |
| Cisco email security appliances | 2016-09 | appliances running IronPort AsyncOS vulnerable to sql injection allowing root-level access | Cisco Warns of Critical Flaw in Email Security Appliances |
| i-Dressup teen social site | 2016-09 | up to 5.5 million passwords leaked in plain text. | Teen social site is leaking millions of plaintext passwords |
| US government servers in the .us top-level domain | 2016-09 | usernames and passwords for "every FTP server on a .us domain" | Fear hacker claims he hit hundreds of government servers |
| MySQL | 2016-09 | unpatched vulnerability allows injection attack | Critical MySQL Vulnerability Disclosed |
| Arizona voter database | 2016-08 | data for 200,000 voters stolen | Hack that targeted Arizona voter database was easy to prevent |
| GTA Fan Forum | 2016-08 | email addresses, passwords and other profile data for 197,000 users. | GTAGaming Hack Blamed on old vBulletin Software |
| vBulletin on 11 websites | 2016-08 | personal information for 27 million accounts from 11 websites | Hackers exploit vBulletin flaw to access 27M accounts on 11 websites |
| CodeIgniter | 2016-08 | Vulnerability in PHP framework - unknown breaches. | Future Hosting Advises Users of the CodeIgniter Framework to Update |
| ReadyDesk | 2016-08 | vulnerability found in help desk application used by more than 400,000 people. | CERT warns of vulnerabilities in ReadyDesk |
| Epic Games | 2016-08 | 80,000 user accounts from online forums | Epic Games Forums Hacked |
| Navis port software at various ports | 2016-08 | Various port authorities around the world had possible data loss. | Attackers Exploit Flaw in Software Used by US Ports |
| WordPress Ninja Forms plugin | 2016-08 | vulnerability on 600,000 sites | WordPress Plugin Fixes SQL Injection Flaw That Let Attackers Dump Site Passwords |
| World Anti-Doping Agency | 2016-08 | 412MB of data including 3,121 email accounts and passwords | World Anti-Doping Agency Hacked - Thousands of Accounts Leaked |
| DOTA 2 Forum | 2016-08 | 1.9 million user records exposed | The DOTA 2 Forum was hacked in July and we are just now hearing about it |
| Oracle eBusiness Suite 11i | 2016-08 | many vulnerabilities reported at BlackHat convention | Oracle eBusiness suite massive attack surface assessed |
| Illinois State Board of Elections | 2016-07 | voter records accessed | Foreign hack attack on state voter registration site |
| Wordpress video plugin | 2016-07 | Vulnerability to get admin password shown | WordPress admin? Thinking of spending time with the family? Think again |
| Ubuntu Linux | 2016-07 | username, email and IP address for 2,000,000 people. | The Hacking of Ubuntu Linux Forums - Lessons Learned |
| Armscor | 2016-07 | 64MB leaked to Dark Web by Anonymous | Anonymous Hacks Armscor Website with Simple SQL Injection |
| Muslim Match - dating website | 2016-07 | user credentials and profiles for 150,000 subscribers leaked. | Dating website Muslim Match hacked, user info exposed |
| Riverbed Network Appliance | 2016-06 | Vulnerabilities found and patched - exploits unknown. | Riverbed's NetProfiler, NetExpress virtual appliances patched |
| University of Greenwich | 2016-06 | 2.7GB of confidential student and staff data | University of Greenwich Suffers Second Data Breach |
| Oracle eBusiness Suite | 2016-06 | 50 vulnerabilities in eBusiness suite | Oracle eBusiness Suite has huge massive, ginormous pwn surface |
| LG Smartphones | 2016-05 | Hackers can modify texts on many LG smartphones | Flaw Allows Hackers to Modify Texts on LG Smartphones |
| Drupal sites | 2016-05 | ransomware installed | Crooks Used SQL Injections to Hack Drupal Sites and Install Fake Ransomware |
| Mr Robot TV show website | 2016-05 | Potential exposure of user data | Hackers find flaws in Mr Robot website |
| Commercial Bank of Ceylon | 2016-05 | Corporate website data exposed | Commercial Bank of Ceylon website hacked |
| Country Liberal political party website | 2016-05 | credit card details and personal info for 117 members | Hacker convicted for infiltration of Country Liberals website |
| Rosebutt Board fetish porn site | 2016-05 | usernames and email addresses of users | Hardcore pwn: Fetish forum data breached |
| Florida Elections sites | 2016-05 | Usernames and passwords taken | Criminal charges filed in hacking of Florida elections websites |
| Instagram | 2016-05 | Comments deleted | Facebook Rewards Instagram User 000: Finnish Boy Found Error That Allowed Him To Delete Comments |
| InnerChef | 2016-04 | Leaked user data | Partial User Data of Food Delivery Service InnerChef Leaked by Purported Hackers |
| Qatar National Bank | 2016-04 | Sensitive financial information leaked | Qatar National Bank leak: Security experts hint 'SQL injection' used in database hack |
| Facebook | 2016-04 | Employee password vulnerability discovered by researcher | Researcher finds backdoor that accessed Facebook employee passwords |
| Comelec - Philippines Commission on Elections | 2016-04 | Data on 55 million voters | Int'l web security expert slams Comelec for slow acknowledgment of data hack |
| Mossack Fonseca (Panama Papers) | 2016-04 | 11.5 million files - 2.6 TB of data | SQL injection vuln found at Panama Papers firm Mossack Fonseca |
| Team Skeet (adult web sites) | 2016-04 | 237,000 users' data stolen including plain text passwords | SQL Injection Allowed Hacker to Steal Data of 237,000 Users from Adult Site |
| Symantec | 2016-03 | Security console vulnerable | Symantec calls vulnerability warning a routine advisory |
| Staminus | 2016-03 | 50GB of data published on the web | Security firm responsible for anti-DDoS protection still recovering from last week's incident |
| Time Warner Cable | 2016-03 | 4,191 usernames, emails and encrypted passwords | TeaMp0isoN Hacks Time Warner Cable Business Website, Dumps Customer Data |
| UN Tourism website | 2016-02 | 1,300 usernames, emails, and MD5-hashed passwords | UN tourism website breached and defaced by TeamPoison hacking collective |
| DoD Defense Contract Management Agency | 2016-01 | Researcher discovered vulnerability | Researcher Finds Several 'Serious' Vulnerabilities in US Military Websites |
| Various websites that use Microsoft MS-SQL | 2016-01 | Search Engine (SEO) results manipulated | SQL injection used to manipulate search engine results |
| Faithless (band) | 2016-01 | 20,000 fans had their personal details stolen. | Faithless Fans Suffer Data Breach thanks to SQLi Flaw |
| Network Management System Products | 2015-12 | various network products from various manufacturers are vulnerable and can disclose data about the internal infrastructure. | SQL Injection, XSS Flaws Found In Network Management System Products |
| UN Climate Change Summit website | 2015-11 | leaked data with usernames, passwords, email, etc. | Anonymous Hacks UN Climate Change Summit Website to Protest French Police Brutality |
| VTech | 2015-11 | Info on 4.8 million people who bought kids' toys. Names, email, home address, passwords, etc. | One of the Largest Hacks Yet Exposes Data on Hundreds of Thousands of Kids |
| TalkTalk | 2015-10 | Info on 4 million customers including personal details, passwords, credit card numbers | #TalkTalk: SQL Injection Possible Vector for ISP Breach |
| Joomla Sites | 2015-10 | Various attacks against various Joomla sites exploiting recently published sql injection vulnerability. | Attackers Targeting Unpatched Joomla Sites Through SQL Injection Vulnerability (https://threatpost.com/attackers-targeting-unpatched-joomla-sites-through-sql-injection-vulnerability/115179/) |
| MySQL servers | 2015-10 | Chikdos trojan infection of MySQL servers as prequel to possible DDoS attacks | MySQL database servers hit by SQL injection exploit – widespread DDoS risk could follow |
| Patreon | 2015-10 | 15GB of user data including encrypted passwords, donation records and source code. | Gigabytes of user data from hack of Patreon donations site dumped online |
| Planned Parenthood | 2015-07 | multiple databases downloaded | Planned Parenthood Reports Hack Attack |
| Smart home hubs | 2015-07 | smart-home hubs tested and found open to sqli | Hubs Driving Smart Homes Are Vulnerable, Security Firm Finds |
| Gaana Music Service | 2015-05 | User data exposed for 12.5 million users. | Indian music streaming service Gaana hacked, millions of users' details exposed |
| Telstra corporate network | 2015-05 | corporate network accessed | Unknown attackers used SQL injection to gain access to corporate network |
| World Trade Organization | 2015-05 | Personal data on 53,000 people | Anonymous Hacker breached WTO database and Leaked data of internal staff |
| Magento e-commerce software | 2015-04 | 98,000 online merchants at risk | Potent, in-the-wild exploits imperil customers of 100,000 e-commerce sites |
| Mapp.nl | 2015-04 | 157,000 email addresses and passwords | Hackers Steal Data from MAPP.NL Clients |
| SAP | 2015-04 | flaw in medical app allows access to medical records database. | Researchers found SQL injection flaw in SAP medical app, allowing other apps to get access to EMR Unwired database |
| University of Sydney | 2015-02 | Personal details of 5,000 students | 16-year-old claims to be behind USyd data breach |
| Banque Cantonale De Geneve BCGE | 2015-01 | 30,000 private emails taken | Rex Mundi Hackers Blackmail Swiss Bank |
| Archos | 2014-12 | Personal data for 100,000 people | Up to 100K Archos customers compromised by SQL injection attack |
| Aussie Travel Cover | 2014-12 | Personal data for approx 800,000 people leaked | Private details leaked after travel insurance company hacked |
| Indiana Dept of Education | 2014-11 | Drupal SQL injection used to deface site | Mistaken identity: Indiana Dept. of Education hacked a second time |
| Drupal | 2014-10 | Drupal v7 based websites vulnerable to attack | SQL injection flaw opens Drupal sites to attack |
| Wordpress security plugin | 2014-09 | Potentially 400,000 installations. No breach reported yet. | Researchers discover two SQL injection flaws in WordPress security plugin |
| Over 400,000 websites | 2014 | botnet using SQL injection to pull data from sites both large and small | Russian Hackers and What it Means for Your Website |
| Wall Street Journal | 2014-08 | SQL injection exposed database | SQL injection flaw in Wall Street Journal database led to breach |
| Wall Street Journal | 2014-07 | database with unknown content stolen. | SQL injection flaw in Wall Street Journal database led to breach |
| ZOPH web photo album | 2014-05 | unknown if exploit has been used. | XSS / SQL injection vulnerability in Zoph |
| Tesla | 2014-03 | Researcher accessed customer records and administrative areas of site | Researcher finds SQL injection vulnerability on Tesla website |
| Johns Hopkins University | 2014-03 | Data published on 878 students from biomedical engineering servers | Hacker breaches Hopkins server, but officials say identity theft not a concern |
| Tesla | 2014-02 | White hat discovered | Tesla Motors blind SQL injection |
| Chinese Chamber of Commerce | 2013-11 | names and contact info of public officials published | Hackers leak data from Chinese Chamber of Commerce website |
| US Federal (Army, NASA, DOC, ...) | 2013-11 | > 100,000 user info | FBI Blames Federal Hacks on Anonymous Campaign |
| Racing Post | 2013-10 | 677,000 accounts compromised | Racing Post website SQL injection attack compromises 677K accounts |
| Marketwired, Business Wire, PR Newswire | 2013-10 | $100 million in insider trading over 5 years. | How Hackers Made Millions by Stealing One News Release |
| Sebastian ISP / Banks | 2013-10 | $100,000 from bank accounts | Hacker group claims to have looted 0k via SQL injection attack |
| WHMCS | 2013-10 | extract or modify sensitive information in client management, billing and support application | Web hosting firms at risk from critical vulnerability in WHMCS billing and support system |
| Ubuntuforums.org | 2013-07 | forum defaced, email addresses and encrypted passwords accessed. | Ubuntu forum defaced, breached by hackers (PC World) |
| Istanbul administration site | 2013-06 | claimed to erase debts | RedHack Breaches Istanbul Administration Site, Hackers Claim to Have Erased Debts |
| Worldview Ltd | 2013-06 | payment card details for 3,800 customers | ICO issues warning over SQL injection flaws as travel firm fined £7,500 |
| HITRUST | 2013-05 | 111 records and test data | HITRUST SQL Injection Exposes 111 Records, Test Data |
| LivingSocial | 2013-04 | 50 million customers at risk from breach that was probably SQL injection. | LivingSocial Says Cyberattack Puts Data Of 50 Million Customers At Risk |
| Islami Bank Bangladesh | 2013-01 | Vulnerability reported by grey hat hacker | Islami Bank Bangladesh website hacked by Human Mind Cracker |
| Credit Populaire d'Algerie (CPA) Bank | 2013-01 | reported by grey hat hacker | Algerian Bank CPA hacked by Tunisian Hacker |
| Central Bank of Tunisia, Bank of Tunisia | 2012-12 | reported by grey hat hacker | Tunisian hacker - Human Mind Cracker - discovered SQLi vulnerability in Tunisian Bank sites |
| Yahoo | 2012-12 | Unknown | Imperva report examines dangers of third-party code for cloud security |
| FBI, NASA | 2012-12 | 1.6 million email addresses, passwords, and more. | GhostShell claims breach of 1.6M accounts at FBI, NASA, and more |
| Maldives Health Ministry | 2012-12 | database partially published | Maldives health ministry hacked by group claiming to be Anonymous |
| Adobe | 2012-11 | 150,000 emails & passwords | Dark Reading |
| 53 colleges and universities: Harvard, Stanford, Cornell, Princeton, etc. | 2012-10 | 36,000 email addresses, and thousands of usernames, passwords, phone numbers and addresses. | Hackers breach 53 universities and dump thousands of personal records online |
| US Chamber of Commerce in France | 2012-09 | email addresses and passwords disclosed | Deletesec's Hack into US Chamber of Commerce Not So Much |
| Domino's Pizza | 2012-09 | 37,000 accounts with address, phone, name, email, & passwords in plain text | Domino's India website hacked, customer info leaked |
| Bit9 | 2012-07 | Security company became a platform to launch security attacks. | Hacking victim Bit9 blames SQL injection flaw |
| Yahoo | 2012-07 | 450,000 plain text passwords | Yahoo fixes password-pilfering bug, explains who's at risk |
| LinkedIn | 2012-06 | 6.5 million hashed passwords | LinkedIn hack and lessons for your company; Update: LinkedIn Confirms Account Passwords Hacked |
| Wurm Online | 2012-05 | malicious web pages served. | Wurm Online restructuring |
| Ingenicard | 2012-03 - 2012-12 | estimated financial fraud losses $9 million | Card Fraud Scheme: The Breached Victims |
| Gamigo | 2012-03 | 11 million hashed passwords, 8 million email addresses | SQL-Injection (Gamigo, Elite, FanPages); 11 million passwords from hacked game website dumped online |
| mes-conseils.fr - French web hosting company | 2011-11 | large data dump | Communiqué sur la fuite de données personnelles de l'UMP (statement on the leak of the UMP's personal data) |
| Royal Navy website | 2011-11 | site compromised | Royal Navy website attacked by Romanian hacker |
| La Poste website (French postal service) | 2011-09 | Vulnerability published | La Poste FR Website SQL Injection |
| Nokia | 2011-08 | unknown number of forum users' credentials | Hackers breach Nokia developer community |
| Sony Pictures | 2011-06 | 1 million user credentials | New Sony Hack Claims Over a Million User Passwords |
| Diners Club Singapore | 2011-06 | 500,000 Diners card numbers stolen, estimated loss $312,000 | Card Fraud Scheme: The Breached Victims |
| PBS | 2011-06 | site content altered. | PBS Breached: How Hackers Probably Did It |
| Citigroup | 2011-06 | personal details on more than 200,000 customers. | Revealed: How Citigroup hackers broke in through the front door using bank's website |
| Sony Music | 2011-05 | "relatively small" | Sony Music Japan hacked through SQL injection flaw |
| Broadband Networks | 2011-04 | over 90,000 usernames and passwords | Broadband DSLReports.com |
| Barracuda Networks site | 2011-04 | names and contact information | Hackers disclose SQL injection of Barracuda website |
| Sony Playstation Network | 2011-04 | 7+ million user personal details | How the PlayStation Network was Hacked |
| MySQL.com | 2011-03 | unknown quantity of user credentials | MySQL Website Falls Victim to SQL Injection Attack |
| Visa Jordan | 2011-02 - 2011-03 | 800,000 card numbers exposed | Card Fraud Scheme: The Breached Victims |
| eHarmony ancillary site | 2011-02 | user names, email addresses and hashed passwords | Some eHarmony user information stolen |
| HBGary Federal | 2011-02 | site compromised, emails and credit card numbers taken. | With arrests HBGary hack saga finally ends |
| Global Payments | 2011-01 - 2012-03 | 950,000 card numbers stolen, estimated loss $92.7 million | Card Fraud Scheme: The Breached Victims |
| Twin America LLC d.b.a City Sights NY | 2010-12 | cardholder information for 111,000 credit cards | SQL Injection Blamed for New Breach |
| Swedish Election Authority | 2010-09 | attempts to manipulate election data | Did Little Bobby Tables migrate to Sweden? |
| Neo Beat | 2010-08 | 12,000 credit card records | Hackers steal customer data by accessing supermarket database |
| Euronet | 2010-07 - 2011-10 | 2 million card numbers compromised | Card Fraud Scheme: The Breached Victims |
| Pirate Bay | 2010-07 | 4 million names, email addresses and IP addresses | Pirate Bay Hack Exposes User Booty |
| RockYou | 2009-12 | account data for 32 million people (stored in plain text) | RockYou Hacker: 30% of Sites Store Plain Text Passwords |
| WordPress sites | 2009-09 | large quantity of hacked sites using WordPress software and MySQL | WordPress SQL Injection – Latest Attack |
| RideMatch | 2009-09 | sensitive details of military personnel | Website exposes sensitive details on military personnel |
| Army Servers | 2009-05 | army servers penetrated, web site defaced | Anti-U.S. Hackers Infiltrate Army Servers |
| Various web sites in China and Taiwan | 2008-05 | implanted malware | Mass SQL Injection Attack Targets Chinese Web Sites |
| Kaspersky Malaysian web site | 2008-07 | site defaced | Kaspersky's Malaysian site hacked by Turkish hacker |
| Oklahoma Dept of Corrections | 2008-04 | sensitive data leaked including 10k+ social security numbers and sex offender data | Oklahoma leaks tens of thousands of social security numbers, other sensitive data |
| United Nations, UK, US government web sites | 2008-04 | sql server exploit to infect systems | Mass Attack FAQ |
| Dexia Bank | 2008-02 - 2009-02 | malware exposing credit cards resulting in $1.7 million loss | Card Fraud Scheme: The Breached Victims |
| Wet Seal | 2008-01 | unspecified number of card details exposed | Card Fraud Scheme: The Breached Victims |
| Heartland Payment Systems | 2007-12 | 130 million card numbers stolen, estimated loss $200 million | Card Fraud Scheme: The Breached Victims |
| Hannaford | 2007-11 | 4.2 million card numbers stolen | Card Fraud Scheme: The Breached Victims |
| JC Penney | 2007-10 | undetermined amount of card data | Card Fraud Scheme: The Breached Victims |
| Microsoft UK | 2007-06 | web page defaced | Hacker defaces Microsoft UK web page |
| NASDAQ | 2007-05 | login credentials stolen | Card Fraud Scheme: The Breached Victims |
| 7-Eleven | 2007 | malware install that stole payment card numbers | Card Fraud Scheme: The Breached Victims |
| Incredibleindia.org | 2006-03 | unknown use of known exploit | SQL Injection in incredibleindia.org |
| Rhode Island government web site | 2006-03 | 53,000 credit card numbers | Russian hackers broke into a RI GOV website |
| Information Security Magazine | 2006-01 | customer and member information stolen | Teenage hacker facing court case for data theft |
| Guess | 2002-03 | leaking credit card numbers | Guesswork Plagues Web Hole Reporting |

