Symantec hacked in SQL attack

The SQL injection vulnerability - found by the same hacker who penetrated Kaspersky's website earlier in the year - exposed Symantec ecommerce customers, whose passwords were stored in clear text. It was discovered using the SQL injection tools Pangolin and SQLMap.

"A secured bad parameter allows full access to Symantec servers, allows access to many sensitive data stored on this server. So, it seems quite strange how a company like Symantec, which sells software and security solutions, the famous Norton for example, wants to protect ourselves[sic]", said the hacker, who goes by the name Unu, on his blog. "Instead, it is not able to protect its own database."

The hacker was able to gain access to the C:/ and D:/ drives of the Windows-based servers hosting the Symantec site, which uses SQL Server. He claims to have exposed the entire table structure for the hacked site, and was able to retrieve user details via an SQL query.

Over 70 000 customers' details were allegedly in the hacked Symantec table, although Unu said that he extracted just five samples, which were obfuscated on the website to avoid compromise. He also claims to have exposed over 152 000 product serial numbers from the hacked Symantec website.

"An SQL injection vulnerability has been identified at pcd.symantec.com. The website facilitates customer support for users of Symantec's Norton-branded products in Japan and South Korea only. At this time, we believe that this incident does not affect Symantec customers anywhere else in the world", said Symantec in a statement, adding that the hacked site affected customer support in the two countries, but that it didn't compromise the Norton software itself.

"Symantec is currently in the process of ensuring that the website is appropriately secured and will bring it back online as soon as possible", Symantec concluded.

In the meantime, it remains unclear how many other hackers with fewer scruples may have accessed the Symantec details using the information posted on Unu's blog, which went up on Monday.

The news drew ridicule from online commenters. One, commenting on news of the Symantec hack posted on Trend Micro's blog, said: "As a matter of fact, if php’s scope wasn’t root/global in this case, the hacker shouldn’t have been able to browse the whole server."

Although he has his own blog, Unu regularly submits hack information to the privately registered Hackers blog, and was responsible for posting information about hacks targeting Orange and the Daily Telegraph, among others.
