Nokia Developer Forum Hacked, User Records Breached

    August 29, 2011
    Josh Wolford

The AntiSec movement has just claimed another victim – mobile manufacturing giant Nokia was hit with an SQL Injection attack that exposed a “significant” number of user records.

The Nokia Developer Forum site suffered the breach, the credit for which is being claimed by a hacker named pr0tect0r, AKA mrNRG. Users who visited the site were met with a redirect that took them to a page containing a Homer Simpson graphic and the title “Owned by pr0tect0r AKA mrNRG.” The page also featured a scrolling message that read –

LOL, Worlds number 1 mobile company but not spending a dime for a server security! FFS patch your security holes otherwise you will be just another antisec victim. No Dumping, No Leaking!!

Nokia has since been able to repair the site but has issued a statement on the community discussion board that outlines the extent of the attack. Apparently, Nokia was unaware of the scope of the attack at first but now admits that user information such as email addresses, usernames and birth dates was compromised. The company also took the site down as a precautionary measure.

Here’s the full statement –

You may have seen reports or received an email from us regarding a recent security breach on this discussion forum.

During our ongoing investigation of the incident we have discovered that a database table containing developer forum members’ email addresses has been accessed, by exploiting a vulnerability in the bulletin board software that allowed an SQL Injection attack. Initially we believed that only a small number of these forum member records had been accessed, but further investigation has identified that the number is significantly larger.

The database table records include members’ email addresses and, for fewer than 7% who chose to include them in their public profile, either birth dates, homepage URL or usernames for AIM, ICQ, MSN, Skype or Yahoo. However, they do not contain sensitive information such as passwords or credit card details and so we do not believe the security of forum members’ accounts is at risk. Other Nokia accounts are not affected.

We are not aware of any misuse of the accessed data, but we are communicating with affected forum members, though we believe the only potential impact to them may be unsolicited email. Nokia apologizes for this incident.

Though the initial vulnerability was addressed immediately, we have now taken the developer community website offline as a precautionary measure, while we conduct further investigations and security assessments. We hope to get the site back online as soon as possible and will post developments here in the meantime.

This appears to be another attack in a long line of AntiSec attacks that have occurred in recent months. Like this one, many of these attacks serve the purpose of exposing security flaws – a sort of shot across the bow. Some are more serious, like the hack that took down the PlayStation Network for weeks, and some seem to just want to “prove a point,” like the LulzSec attack that defaced the PBS website.