According to the DailyTech newswire, whilst the extent of the damage appears to be limited, some developer data appears to have been lost from the developers.nokia.com servers.
For most customers, says the newswire, only their email address was lost, but for around seven per cent of users, data such as birth dates, homepage URL or user names for instant messaging services was also lost. The good news, however, Infosecurity notes, is that it appears that user names and passwords for the dev forum have not been compromised.
In its weekend posting on the saga, Nokia said that, during its investigations, its researchers discovered that a database table containing developer forum members' email addresses had been accessed by exploiting a vulnerability in the bulletin board software that allowed an SQL injection attack.
“Initially we believed that only a small number of these forum member records had been accessed, but further investigation has identified that the number is significantly larger”, says the company.
“We are not aware of any misuse of the accessed data, but we are communicating with affected forum members, though we believe the only potential impact to them may be unsolicited email. Nokia apologises for this incident.”
“Though the initial vulnerability was addressed immediately, we have now taken the developer community website offline as a precautionary measure, while we conduct further investigations and security assessments. We hope to get the site back online as soon as possible and will post developments here in the meantime”, the Nokia posting adds.
According to Graham Cluley, Sophos' senior technology consultant, the first warning that many Nokia developers would have had that something was amiss would have been when they visited the forum and, instead of the usual chit-chat about technical issues, were taken to a third-party web page containing an image of Homer Simpson.
“Passwords and credit card information is not believed to have been exposed - which is a relief for affected members and must be causing a sigh of relief inside Nokia”, he said in his security blog.
“Of course, the forum's suspension is of little consolation for those people who were affected by the security breach - they're now going to wonder if they're going to be on the receiving end of spam campaigns, malicious email attacks and phishing expeditions”, he added.