Nokia Developer Community Database Hacked – Community is closed

Nokia’s issued an important email to it’s developer community members confirming that the Nokia Developer Community’s database has been compromised by exploiting a vulnerability in the bulletin board software. The attack was made by a very common method of gaining unauthorized access to the data and that is “SQL Injection”. It’s been used over months in past compromising many high-profile websites. (what’s SQL Injection? – I have also written about an incident happened with the SQL Injection on one of our websites you can read about that here as an example )

Nokia Claims: The database table records includes members’ email addresses and, for fewer than 7% who chose to include them in their public profile, either birth dates, homepage URL or usernames for AIM, ICQ, MSN, Skype or Yahoo. However, they do not contain sensitive information such as passwords or credit card details and so we do not believe the security of forum members’ accounts is at risk. Other Nokia accounts are not affected.

Nokia has closed the community for an unknown duration while they investigate and assure the security with other accounts and other information on the accounts.

It was wondering when I saw an email in my inbox with the subject saying

“Important information from the Nokia Developer website team‏”

It said a lot in the email.

You may have seen reports or received an email from us regarding a recent security breach on our developer.nokia.com/community discussion forum.

During our ongoing investigation of the incident we have discovered that a database table containing developer forum members’ email addresses has been accessed, by exploiting a vulnerability in the bulletin board software that allowed an SQL Injection attack. Initially we believed that only a small number of these forum member records had been accessed, but further investigation has identified that the number is significantly larger.

The database table records includes members’ email addresses and, for fewer than 7% who chose to include them in their public profile, either birth dates, homepage URL or usernames for AIM, ICQ, MSN, Skype or Yahoo. However, they do not contain sensitive information such as passwords or credit card details and so we do not believe the security of forum members’ accounts is at risk. Other Nokia accounts are not affected.

We are not aware of any misuse of the accessed data, but we have identified that your email address was in one of the records accessed, though it contained none of the optional information, so we believe that the only potential impact to you may be unsolicited email. Nokia apologizes for this incident.

Though the initial vulnerability was addressed immediately, we have now taken the developer community website offline as a precautionary measure, while we conduct further investigations and security assessments. We hope to get the site back online as soon as possible and will post developments there in the meantime.

If you have any questions on this, please contact Nokia.developer-discussions-support@nokia.com.

The Nokia Developer website team.

The website is currently closed with the same notice on the page at Nokia Developer Community

[via Email Notification]