Nokia took down a developer website after hackers accessed personal details of smartphone application developers.
The attack followed a defacement of the site last week, in which a hacker named as 'pr0tect0r AKA mrNRG' replaced the homepage with a picture of Homer Simpson and the message: “LOL, Worlds number 1 mobile company but not spending a dime for a server security! FFS patch your security holes otherwise you will be just another antisec victim. No Dumping, No Leaking!!”
Nokia said that the website was hosted externally and that an investigation found that no sensitive information was accessed.
The second attack targeted users of a developer forum. In an email to its developers regarding the latest security breach, Nokia said that some account credentials had been breached, and that these included user email addresses and public profile information, but not passwords or password hashes. It also said that only seven per cent of the forum users had supplied profile information, which may include instant messaging usernames and a date of birth.
The Nokia announcement said: “You may have seen reports or received an email from us regarding a recent security breach on our developer.nokia.com/community discussion forum. During our ongoing investigation of the incident we have discovered that a database table containing developer forum members' email addresses has been accessed, by exploiting a vulnerability in the bulletin board software that allowed an SQL Injection attack.
“Initially we believed that only a small number of these forum member records had been accessed, but further investigation has identified that the number is significantly larger.
“Database table records include members' email addresses and, for fewer than seven per cent who chose to include them in their public profile, either birth dates, homepage URL or usernames for AIM, ICQ, MSN, Skype or Yahoo. However, they do not contain sensitive information such as passwords or credit card details and so we do not believe the security of forum members' accounts is at risk. Other Nokia accounts are not affected.
“Though the initial vulnerability was addressed immediately, we have now taken the developer community website offline as a precautionary measure, while we conduct further investigations and security assessments. We hope to get the site back online as soon as possible and will post developments there in the meantime.”
Nokia said that it was not aware of any misuse of the data and apologised for the incident.