A single SQL injection was enough to hack the Hungarian Human Rights Foundation. That is exactly what security pentester Kapustkiy did, together with CyberZeist. The two gained access to more than 20,000 accounts and to personal information such as phone numbers and home addresses.
Hungarian Human Rights Foundation is easily hacked with an SQL injection.
Kapustkiy told Softpedia that the data breach happened via an SQL injection, which gave him access to databases containing thousands of accounts. Some of the accounts were related to the US government, with addresses ending in the @state.gov suffix.
The pentester has leaked only some of the accounts, giving IT admins time to fix the flaw that led to the breach.
Softpedia says that he has already contacted the Foundation, and they replied that they will investigate the breach. However, the website still appears to be running.
Organizations should always be prepared to handle incidents such as data breaches, especially when highly sensitive information is involved. Unfortunately, what happened with the website of the Hungarian Human Rights Foundation is the perfect illustration of the condition of multiple government institutions.
Kapustkiy’s pentesting work has revealed multiple vulnerabilities in high-profile websites, similar to the flaw that enabled him to hack the Italian government website.
Kapustkiy also infiltrated The Dipartimento della Funzione Pubblica.
The Italian government website was hacked last week via a similar technique. The hacker said he obtained access to 45,000 accounts, and in particular to highly sensitive information such as login credentials, usernames and passwords.
The pentester has managed to hack a number of government websites, such as the Paraguay Embassy of Taiwan and the Indian Embassies in Switzerland, Mali, Romania, Italy, Malawi, and Libya.
In short, the database information of thousands of users turned out to be just one injection away. It is astounding how easy it is to hack government websites. The lack of a timely reaction on the part of the affected parties is also mind-boggling. It appears that government entities underestimate the value of personal information and the ways it could be misused by third parties and black hat hackers.
Softpedia says they have contacted the Hungarian Human Rights Foundation for a statement, but still haven’t received a reply. Affected individuals are advised to change their passwords as soon as possible.