Barracuda Networks was hit with an SQL injection attack over the weekend, with partner contact information stolen.
The security firm admitted it "made a mistake" as its own Web Application Firewall sitting in front of the Barracuda website was "unintentionally placed in passive monitoring mode."
The firewall was offline during a maintenance window, which opened late on 8 April after close of business Pacific time, allowing hackers to begin their attacks.
"Starting Saturday night at approximately 5pm Pacific time (1am GMT), an automated script began crawling our website in search of unvalidated parameters," explained Michael Perone, executive vice president and one of the founders of Barracuda, on a blog.
"After approximately two hours of nonstop attempts, the script discovered a SQL injection vulnerability in a simple PHP script that serves up customer reference case studies by vertical market."
That customer case study database shared the same SQL database used for marketing programmes. The hackers raided the database for names and email addresses of leads, channel partners and some Barracuda employees.
"The attack utilised one IP address initially to do reconnaissance and was joined by another IP address about three hours later," Perone added.
He said the firm was reminded of a number of lessons from the attack, noting "you can't leave a website exposed nowadays for even a day (or less)."
Perone warned against being complacent about coding practices, pointing out vulnerabilities can appear in areas far away from where important data is stored.
"We're glad that the impact will be very minimal, but we're not happy about the amount of bandwidth we've spent assessing what happened, responding to affected parties and putting in place the steps to prevent it in the future," he added.
"We are working to notify everyone whose email addresses were exposed, and we apologise for the inconvenience."
Barracuda wasn't the first firm to get hit by a hack this year. RSA, the security arm of EMC, was targeted by an Advanced Persistent Threat (APT), which saw SecurID token data stolen.
-
RSAC Conference 2025: The front line of cyber innovationITPro Podcast Ransomware, quantum computing, and an unsurprising focus on AI were highlights of this year's event
-
Anthropic CEO Dario Amodei thinks we're burying our heads in the sand on AI job lossesNews With AI set to hit entry-level jobs especially, some industry execs say clear warning signs are being ignored
-
RSAC Conference 2025: The front line of cyber innovation
ITPro Podcast Ransomware, quantum computing, and an unsurprising focus on AI were highlights of this year's event
-
RSAC Conference 2025: AI and quantum complicate securityOrganizations are grappling with the complications of adopting AI for security
-
RSAC Conference 2025 was a sobering reminder of the challenges facing cybersecurity professionalsAnalysis Despite widespread optimism on how AI can help those in cybersecurity, it’s clear that the threat landscape is more complex than ever
-
RSAC Conference day three: using AI to do more with less and facing new attack techniques
-
"There needs to be an order of magnitude more effort": AI security experts call for focused evaluation of frontier models and agentic systemsNews Evaluating the risks of dynamic, evolving AI networks is slow work for cybersecurity analysts
-
Cyber defenders need to remember their adversaries are human, says Trellix research headThere's a growing overlap between nation-state actors and cybercriminals, but these attackers are real people who make mistakes
-
RSAC Conference day two: A focus on new hacking tacticsFrom quantum to AI, experts discussed how new and experimental technologies could be used by hackers to access and decrypt sensitive data
-
RSAC Conference Day One: Vibe Is 'All In' on AI for SecurityNews Artificial intelligence took center stage as RSAC Conference looks at how the discussion has moved from generative AI to agentic AI
