DEV Community
Jylia Kotova

SQL Injection: Real Life Attacks and How it Hurts Business

A single malicious request can hurt your business. Vulnerabilities in your code can result in:

  • Significant data theft
  • Loss of your customers' trust
  • Financial losses for you & your users
  • Serious fines from regulatory authorities
  • Getting blacklisted by Google

Brand, traffic, money, customer relationships, website and even the business itself could all be lost in a moment.

Over the past 20 years, many SQL injection attacks have targeted large and small websites, businesses and social media platforms. Some of these attacks led to serious data breaches. A few notable examples are listed below.

Breaches Enabled by SQL Injection

Over 100 million payment card records stolen, $200 million paid out in compensation
Heartland, a company specializing in payment, POS, and payroll systems, was attacked via SQL injection. Heartland suffered irreparable damage, losing a large portion of its customers and paying out over $200 million in compensation. Within months of the incident, its stock price fell 77%.

Data theft on 5 million websites
In 2021, WooCommerce, a popular ecommerce plugin for the WordPress CMS, was found to have several plugins, features, and software versions vulnerable to SQLi, and several attacks occurred as a result. Unpatched flaws in the plugin exposed data on 5 million websites to theft.

Hackers stole 8.3M records via SQL injection
In 2020, Freepik, one of the largest online graphic resource sites in the world with 18 million monthly unique users, said that hackers were able to steal emails and password hashes for 8.3M Freepik and Flaticon users in an SQL injection attack against the company's Flaticon website.

36,000 personal records stolen
Hackers targeted 53 universities using SQL injection, stealing and publishing 36,000 personal records belonging to students, faculty, and staff.

130 million credit card numbers stolen
A team of attackers used SQL injection to penetrate corporate systems at several companies, primarily the 7-Eleven retail chain, stealing 130 million credit card numbers.

1500 clients were impacted
Kaseya, an IT solutions provider for MSP and enterprise clients, was the victim of a ransomware attack in 2021. Attackers exploited unpatched SQL vulnerabilities in the company's VSA servers to impact over 1500 of Kaseya's clients.

Notable SQL Injection Vulnerabilities

3 million WordPress sites exposed by critical SEO plugin flaws
Two critical and high severity security vulnerabilities in the highly popular "All in One" SEO WordPress plugin exposed over 3 million websites to takeover attacks.

SQLi put 350 million user accounts at risk
Fortnite is an online game with over 350 million users. In 2019, a SQL injection vulnerability was discovered that could have let attackers access user accounts. The vulnerability was patched.

Tesla vulnerability
In 2014, security researchers disclosed that they had been able to breach Tesla's website using SQL injection, gain administrative privileges and steal user data.

Cisco vulnerability
In 2018, a SQL injection vulnerability was found in Cisco Prime License Manager. The vulnerability allowed attackers to gain shell access to systems on which the license manager was deployed. Cisco has since patched the vulnerability.

Vulnerabilities in a plugin used on over 100,000 active sites
In December 2022, the WordPress online course plugin 'LearnPress' was found to be vulnerable to multiple critical-severity flaws, including pre-auth SQL injection and local file inclusion.

Preventing SQL Injection Attacks

How to reduce the risk and protect your code from these vulnerabilities is the subject of the next article.
