== Examples ==
* In February 2002, Jeremiah Jacks discovered that Guess.com was vulnerable to an SQL injection attack, permitting anyone able to construct a properly crafted URL to pull down 200,000+ names, credit card numbers and expiration dates in the site's customer database.<ref>{{cite web|url=http://www.securityfocus.com/news/346|title=Guesswork Plagues Web Hole Reporting|publisher=[[SecurityFocus]]|date=March 6, 2002|url-status=dead|archive-url=https://web.archive.org/web/20120709141229/http://www.securityfocus.com/news/346|archive-date=July 9, 2012 |language=en}}</ref>
* On November 1, 2005, a teenaged hacker used SQL injection to break into the site of a [[Taiwan]]ese information security magazine from the Tech Target group and steal customers' information.<ref>{{cite web|url=http://www.xiom.com/whid-2005-46|title=WHID 2005-46: Teen uses SQL injection to break to a security magazine web site|publisher=Web Application Security Consortium|date=November 1, 2005|access-date=December 1, 2009|url-status=dead|archive-url=https://web.archive.org/web/20100117054540/http://www.xiom.com/whid-2005-46|archive-date=January 17, 2010 |language=en}}</ref>
* On January 13, 2006, [[Russia]]n computer criminals broke into a [[Government of Rhode Island|Rhode Island government]] website and allegedly stole credit card data from individuals who had done business online with state agencies.<ref>{{cite web|url=http://www.xiom.com/whid-2006-3|title=WHID 2006-3: Russian hackers broke into a RI GOV website|publisher=Web Application Security Consortium|date=January 13, 2006|access-date=May 16, 2008|url-status=dead|archive-url=https://web.archive.org/web/20110213051033/http://www.xiom.com/whid-2006-3|archive-date=February 13, 2011 |language=en}}</ref>
* On September 19, 2007, and January 26, 2009, the Turkish hacker group "m0sted" used SQL injection to exploit Microsoft's SQL Server to hack web servers belonging to [[McAlester Army Ammunition Plant]] and the [[United States Army Corps of Engineers|US Army Corps of Engineers]] respectively.<ref>{{cite web|url=http://www.informationweek.com/architecture/anti-us-hackers-infiltrate-army-servers/d/d-id/1079964|publisher=[[Information Week]]|title=Anti-U.S. Hackers Infiltrate Army Servers|date=May 29, 2009|access-date=December 17, 2016|url-status=live|archive-url=https://web.archive.org/web/20161220152101/http://www.informationweek.com/architecture/anti-us-hackers-infiltrate-army-servers/d/d-id/1079964|archive-date=December 20, 2016 |language=en}}</ref>
* On April 13, 2008, the [[Sex offender registries in the United States|Sexual and Violent Offender Registry]] of [[Oklahoma]] shut down its website for "[[routine maintenance]]" after being informed that 10,597 [[Social Security number]]s belonging to [[sex offender]]s had been downloaded via an SQL injection attack.<ref>{{cite web|url=http://thedailywtf.com/Articles/Oklahoma-Leaks-Tens-of-Thousands-of-Social-Security-Numbers,-Other-Sensitive-Data.aspx|publisher=[[The Daily WTF]]|title=Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data|author=Alex Papadimoulis|date=April 15, 2008|access-date=May 16, 2008|url-status=live|archive-url=https://web.archive.org/web/20080510115005/http://thedailywtf.com/Articles/Oklahoma-Leaks-Tens-of-Thousands-of-Social-Security-Numbers,-Other-Sensitive-Data.aspx|archive-date=May 10, 2008 |language=en}}</ref>
* On August 17, 2009, the [[United States Department of Justice]] charged an American citizen, [[Albert Gonzalez]], and two unnamed Russians with the theft of 130 million credit card numbers using an SQL injection attack. In reportedly "the biggest case of [[identity theft]] in American history", the man stole cards from a number of corporate victims after researching their [[Payment processor|payment processing system]]s. Among the companies hit were credit card processor [[Heartland Payment Systems]], convenience store chain [[7-Eleven]], and supermarket chain [[Hannaford Brothers]].<ref>{{cite news|url=http://news.bbc.co.uk/2/hi/americas/8206305.stm|title=US man 'stole 130m card numbers'|publisher=BBC|date=August 17, 2009|access-date=August 17, 2009|url-status=live|archive-url=https://web.archive.org/web/20090818100739/http://news.bbc.co.uk/2/hi/americas/8206305.stm|archive-date=August 18, 2009 |language=en}}</ref>
* In July 2010, a South American security researcher who goes by the [[User (computing)|handle]] "Ch Russo" obtained sensitive user information from popular [[BitTorrent]] site [[The Pirate Bay]]. He gained access to the site's administrative control panel and exploited an SQL injection vulnerability that enabled him to collect user account information, including [[IP address]]es, [[MD5]] [[Cryptographic hash function|password hashes]] and records of which torrents individual users had uploaded.<ref>{{cite news |url=http://krebsonsecurity.com/2010/07/pirate-bay-hack-exposes-user-booty/|title=The pirate bay attack|date=July 7, 2010|url-status=live |archive-url=https://web.archive.org/web/20100824183455/http://krebsonsecurity.com/2010/07/pirate-bay-hack-exposes-user-booty/|archive-date=August 24, 2010 |language=en}}</ref>
* From July 24 to 26, 2010, attackers from [[Japan]] and [[China]] used an SQL injection to gain access to customers' credit card data from Neo Beat, an [[Osaka]]-based company that runs a large online supermarket site. The attack also affected seven business partners including supermarket chains Izumiya Co, Maruetsu Inc, and Ryukyu Jusco Co. The theft of data affected a reported 12,191 customers. As of August 14, 2010, it was reported that there had been more than 300 cases of credit card information being used by third parties to purchase goods and services in China.{{Citation needed|date=March 2025}}
* On September 19, during the [[2010 Swedish general election]], a voter attempted a code injection by hand-writing SQL commands as part of a [[Write-in candidate|write-in]] vote.<ref>{{cite web|url=http://alicebobandmallory.com/articles/2010/09/23/did-little-bobby-tables-migrate-to-sweden|title=Did Little Bobby Tables migrate to Sweden?|publisher=Alicebobandmallory.com|access-date=2011-06-03|url-status=live|archive-url=https://archive.today/20120701141648/http://alicebobandmallory.com/articles/2010/09/23/did-little-bobby-tables-migrate-to-sweden|archive-date=July 1, 2012}}</ref>
* On November 8, 2010, the British [[Royal Navy]] website was compromised by a Romanian hacker named [[TinKode]] using SQL injection.<ref>{{cite news|title=Royal Navy website attacked by Romanian hacker|date=2010-11-08|url=https://www.bbc.co.uk/news/technology-11711478|access-date=2023-11-15|archive-url=https://web.archive.org/web/20101109044947/http://www.bbc.co.uk/news/technology-11711478|archive-date=2010-11-09|url-status=live|publisher=BBC News|language=en}}</ref><ref>{{cite web|url=http://news.sky.com/skynews/Home/World-News/Stuxnet-Worm-Virus-Targeted-At-Irans-Nuclear-Plant-Is-In-Hands-Of-Bad-Guys-Sky-News-Sources-Say/Article/201011415827544|title=Super Virus A Target For Cyber Terrorists|author=Sam Kiley|date=November 25, 2010|access-date=November 25, 2010|url-status=dead|archive-url=https://web.archive.org/web/20101128093507/http://news.sky.com/skynews/Home/World-News/Stuxnet-Worm-Virus-Targeted-At-Irans-Nuclear-Plant-Is-In-Hands-Of-Bad-Guys-Sky-News-Sources-Say/Article/201011415827544|archive-date=November 28, 2010|language=en}}</ref>
* On April 11, 2011, [[Barracuda Networks]] was compromised using an SQL injection flaw. [[Email address]]es and usernames of employees were among the information obtained.<ref>{{cite web|url=http://www.networkworld.com/news/2011/041211-hacker-breaks-into-barracuda-networks.html?hpg1=bn|title=Hacker breaks into Barracuda Networks database|url-status=dead|archive-url=https://web.archive.org/web/20110727234547/http://www.networkworld.com/news/2011/041211-hacker-breaks-into-barracuda-networks.html?hpg1=bn|archive-date=July 27, 2011 |language=en}}</ref>
* Over a period of 4 hours on April 27, 2011, an automated SQL injection attack on the [[Broadband Reports]] website extracted 8% of the username/password pairs: 8,000 random accounts of the 9,000 active and 90,000 old or inactive accounts.<ref name="DSLReports">{{cite web|url=http://www.dslreports.com/forum/r25793356-|title=site user password intrusion info|publisher=Dslreports.com|access-date=2011-06-03|url-status=live|archive-url=https://web.archive.org/web/20121018190124/http://www.dslreports.com/forum/r25793356-|archive-date=October 18, 2012|language=en}}</ref><ref name="Cnet News">{{cite news|url=http://news.cnet.com/8301-27080_3-20058471-245.html|title=DSLReports says member information stolen|publisher=Cnet News|date=2011-04-28|access-date=2011-04-29|url-status=dead|archive-url=https://web.archive.org/web/20120321203011/http://news.cnet.com/8301-27080_3-20058471-245.html|archive-date=March 21, 2012 |language=en}}</ref><ref name="The Tech Herald">{{cite news|url=http://www.thetechherald.com/article.php/201117/7127/DSLReports-com-breach-exposed-more-than-100-000-accounts|title=DSLReports.com breach exposed more than 100,000 accounts|publisher=The Tech Herald|date=2011-04-29|access-date=2011-04-29|url-status=dead|archive-url=https://web.archive.org/web/20110430234009/http://www.thetechherald.com/article.php/201117/7127/DSLReports-com-breach-exposed-more-than-100-000-accounts|archive-date=April 30, 2011 |language=en}}</ref>
* On June 1, 2011, "[[hacktivist]]s" of the group [[LulzSec]] were accused of using SQL injection to steal [[coupon]]s, download keys, and passwords that were stored in plaintext on [[Sony]]'s website, accessing the personal information of a million users.<ref>{{citation|title=LulzSec hacks Sony Pictures, reveals 1m passwords unguarded|date=June 2, 2011|work=electronista.com|url=http://www.electronista.com/articles/11/06/02/lulz.security.hits.sony.again.in.security.message/|url-status=dead|archive-url=https://web.archive.org/web/20110606051745/http://www.electronista.com/articles/11/06/02/lulz.security.hits.sony.again.in.security.message|archive-date=June 6, 2011 |access-date=June 3, 2011|language=en}}</ref>
* In June 2011, [[PBS]] was hacked by LulzSec, most likely through use of SQL injection; the full process used by the hackers to execute SQL injections was described in this [http://blog.imperva.com/2011/05/pbs-breached-how-hackers-probably-did-it.html Imperva] blog.<ref name="PBS Breached - How Hackers Probably Did It">{{cite news|url=http://blog.imperva.com/2011/05/pbs-breached-how-hackers-probably-did-it.html|title=Imperva.com: PBS Hacked - How Hackers Probably Did It|access-date=2011-07-01|url-status=dead|archive-url=https://web.archive.org/web/20110629080422/http://blog.imperva.com/2011/05/pbs-breached-how-hackers-probably-did-it.html|archive-date=June 29, 2011 |language=en}}</ref>
* [[2012 Yahoo! Voices hack|In July 2012]], a hacker group was reported to have stolen 450,000 login credentials from [[Yahoo!]]. The logins were stored in [[plain text]] and were allegedly taken from a Yahoo [[subdomain]], [[Yahoo! Voices]]. The group breached Yahoo's security by using a "[[Set operations (SQL)#UNION operator|union]]-based SQL injection technique".<ref>{{cite web|title=Yahoo reportedly hacked: Is your account safe?|last=Ngak|first=Chenda|website=[[CBS News]] |url=https://www.cbsnews.com/news/yahoo-reportedly-hacked-is-your-account-safe/|archive-url=https://web.archive.org/web/20120714054030/http://www.cbsnews.com/8301-501465_162-57470956-501465/yahoo-reportedly-hacked-is-your-account-safe/|access-date=2012-07-16|archive-date=2012-07-14|url-status=live}}</ref><ref>{{cite web|url=https://www.zdnet.com/article/450000-user-passwords-leaked-in-yahoo-breach/|title=450,000 user passwords leaked in Yahoo breach|last=Yap|first=Jamie|date=July 12, 2012|website=ZDNet|archive-url=https://web.archive.org/web/20140702174127/http://www.zdnet.com/450000-user-passwords-leaked-in-yahoo-breach-7000000772/|archive-date=July 2, 2014|url-status=live|access-date=2017-02-18}}</ref>
* On October 1, 2012, a hacker group called "Team GhostShell" published the personal records of students, faculty, employees, and alumni from 53 universities, including [[Harvard University|Harvard]], [[Princeton University|Princeton]], [[Stanford University|Stanford]], [[Cornell University|Cornell]], [[Johns Hopkins University|Johns Hopkins]], and the [[University of Zurich]] on [[Pastebin|pastebin.com]]. The hackers claimed that they were trying to "raise awareness towards the changes made in today's education", bemoaning changing education laws in Europe and increases in [[College tuition in the United States|tuition in the United States]].<ref>{{cite news|last=Perlroth|first=Nicole|title=Hackers Breach 53 Universities and Dump Thousands of Personal Records Online |url=http://bits.blogs.nytimes.com/2012/10/03/hackers-breach-53-universities-dump-thousands-of-personal-records-online/ |newspaper=New York Times|date=3 October 2012|url-status=live|archive-url=https://web.archive.org/web/20121005021105/http://bits.blogs.nytimes.com/2012/10/03/hackers-breach-53-universities-dump-thousands-of-personal-records-online/|archive-date=October 5, 2012}}</ref>
* On November 4, 2013, hacktivist group "RaptorSwag" allegedly compromised 71 Chinese government databases using an SQL injection attack on the Chinese Chamber of International Commerce. The leaked data was posted publicly in cooperation with [[Anonymous (group)|Anonymous]].<ref>{{cite web|url=http://news.softpedia.com/news/Hackers-Leak-Data-Allegedly-Stolen-from-Chinese-Chamber-of-Commerce-Website-396936.shtml|title=Hackers Leak Data Allegedly Stolen from Chinese Chamber of Commerce Website|last=Kovacs|first=Eduard|date=November 4, 2013|website=Softpedia News|archive-url=https://web.archive.org/web/20140302164439/http://news.softpedia.com/news/Hackers-Leak-Data-Allegedly-Stolen-from-Chinese-Chamber-of-Commerce-Website-396936.shtml|archive-date=March 2, 2014|url-status=live|access-date=2014-02-27}}</ref>
* In August 2014, [[Milwaukee]]-based computer security company Hold Security disclosed that it had uncovered [[2014 Russian hacker password theft|a theft of confidential information]] from nearly 420,000 websites through SQL injections.<ref>Damon Poeter. [https://www.pcmag.com/article2/0,2817,2462057,00.asp 'Close-Knit' Russian Hacker Gang Hoards 1.2 Billion ID Creds] {{webarchive|url=https://web.archive.org/web/20170714132244/https://www.pcmag.com/article2/0,2817,2462057,00.asp|date=July 14, 2017}}, ''PC Magazine'', August 5, 2014</ref> ''[[The New York Times]]'' confirmed this finding by hiring a security expert to check the claim.<ref>Nicole Perlroth. [https://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html?_r=0 Russian Gang Amasses Over a Billion Internet Passwords] {{webarchive|url=https://web.archive.org/web/20170227073652/https://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html?_r=0|date=February 27, 2017}}, ''The New York Times'', August 5, 2014.</ref>
* In October 2015, an SQL injection attack was used to steal the personal details of 156,959 customers from British telecommunications company [[TalkTalk Group|TalkTalk's]] servers, exploiting a vulnerability in a legacy web portal.<ref>{{cite web|url=https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/10/talktalk-gets-record-400-000-fine-for-failing-to-prevent-october-2015-attack/|title=TalkTalk gets record £400,000 fine for failing to prevent October 2015 attack|date=5 October 2016|archive-url=https://web.archive.org/web/20161024090111/https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/10/talktalk-gets-record-400-000-fine-for-failing-to-prevent-october-2015-attack/|archive-date=October 24, 2016|url-status=dead|access-date=2016-10-23}}</ref>
* In early 2021, 70 gigabytes of data was [[Data exfiltration|exfiltrated]] from the far-right website [[Gab (social network)|Gab]] through an SQL injection attack. The vulnerability was introduced into the Gab codebase by Fosco Marotto, Gab's [[Chief technology officer|CTO]].<ref>{{cite news|last=Goodin|first=Dan|date=March 2, 2021|title=Rookie coding mistake prior to Gab hack came from site's CTO|url=https://arstechnica.com/gadgets/2021/03/rookie-coding-mistake-prior-to-gab-hack-came-from-sites-cto/|work=Ars Technica}}</ref> A second attack against Gab was launched the next week using [[OAuth2]] tokens stolen during the first attack.<ref>{{cite news|last=Goodin|first=Dan|date=March 8, 2021|title=Gab, a haven for pro-Trump conspiracy theories, has been hacked again|url=https://arstechnica.com/information-technology/2021/03/gab-a-haven-for-pro-trump-conspiracy-theories-has-been-hacked-again/|work=Ars Technica}}</ref>
* In May 2023, a widespread SQL injection attack targeted [[MOVEit]], a widely used [[File transfer service|file-transfer service]]. The attacks, attributed to the Russian-speaking cybercrime group [[Clop (cyber gang)|Clop]], compromised multiple global organizations, including payroll provider Zellis, [[British Airways]], the [[BBC]], and UK retailer [[Boots (company)|Boots]]. Attackers exploited a critical vulnerability, installing a custom webshell called "LemurLoot" to rapidly access and exfiltrate large volumes of data.<ref>{{Cite web |date=6 June 2023 |title=Mass exploitation of critical MOVEit flaw is ransacking orgs big and small |url=https://arstechnica.com/information-technology/2023/06/mass-exploitation-of-critical-moveit-flaw-is-ransacking-orgs-big-and-small/ |access-date=9 March 2025 |website=Ars Technica}}</ref>
* In 2024, a pair of security researchers discovered an SQL injection vulnerability in the FlyCASS system, used by the [[Transportation Security Administration]] (TSA) to verify airline crew members. Exploiting this flaw provided unauthorized administrative access, potentially allowing the addition of false crew records. The TSA stated that its verification procedures did not solely depend on this database.<ref>{{Cite web |date=8 September 2024 |title=Researchers say a bug let them add fake pilots to rosters used for TSA checks |url=https://www.theverge.com/2024/9/8/24239026/airline-security-bug-tsa-security-database-sql-injection-hack |access-date=9 March 2025 |website=The Verge}}</ref>