Hackers disclose SQL injection of Barracuda
LiquidLayer
Chalk up Barracuda Networks as the latest information security firm to fall victim to a cyberattack. Hackers, apparently from Malaysia, revealed Monday that they exploited an SQL injection vulnerability on Barracuda's website to raid various databases and hijack the names and contact information of partners, customers and Barracuda employees.

In the post on HMSec Full Disclosure, the hackers published the details of some of the victims. They included partners such as Boston Computers & Peripherals, end-users such as Allied Fire & Safety and Barracuda employees who have access to the email and web security firm's content management system. Also posted were the passwords, which, according to security experts, appeared to be encrypted by the oft-criticized MD5 hash algorithm, for some of the Barracuda employees and partners. It is not clear if the passwords were "salted," which makes them more difficult to crack.

Barracuda joins RSA, Comodo and HBGary as the fourth high-profile security firm that hackers successfully infiltrated this year. The HBGary compromise also was the result of an SQL injection hole.

"It looks like they [Barracuda] were targeted," Jeremiah Grossman, founder and CTO of WhiteHat Security, a website risk management vendor, told SCMagazineUS.com on Monday. "You don't by accident extract this kind of data and post it to a blog."

Grossman said SQL injection flaws, a known issue within the industry for nearly 15 years, are "for all intents and purposes, a solved problem." But sometimes discovering the vulnerabilities can be complex given the scale of a web presence.

"Maybe they just slipped up," Grossman said. "It happens. It's happened to us. We'll see how they respond. That should be really telling."

He added that the hackers may have used their initial foothold to gain access to other, more sensitive parts of the Barracuda network, similar to the tactic taken by the Heartland Payment Systems' attackers to reach credit card data.
A Barracuda spokeswoman declined comment on Monday afternoon as the company investigates.

UPDATE 10:14 P.M. EST: Barracuda has released a blog post detailing the attack.

Learning the Importance of WAF Technology – the Hard Way
Posted by: Michael Perone, EVP & CMO

Wow. What a weekend. In case you haven’t heard, Barracuda Networks was the latest victim of a SQL injection attack on our corporate Web site that compromised lead and partner contact information. The good news is the information compromised was essentially just names and email addresses, and no financial information is even stored in those databases. Further, we have confirmed that some of the affected databases contained one-way cryptographic hashes of salted passwords. However, all active passwords for applications in use remain secure.

So, the bad news is that we made a mistake. The Barracuda Web Application Firewall in front of the Barracuda Networks Web site was unintentionally placed in passive monitoring mode and was offline through a maintenance window that started Friday night (April 8) after close of business Pacific time.

Starting Saturday night at approximately 5pm Pacific time, an automated script began crawling our Web site in search of unvalidated parameters. After approximately two hours of nonstop attempts, the script discovered a SQL injection vulnerability in a simple PHP script that serves up customer reference case studies by vertical market. As with many ancillary scripts common to Web sites, this customer case study database shared the SQL database used for marketing programs which contained names and email addresses of leads, channel partners and some Barracuda Networks employees.

The attack utilized one IP address initially to do reconnaissance and was joined by another IP address about three hours later. We have logs of all the attack activity, and we believe we now fully understand the scope of the attack.
This latest incident brings home some key reminders for us, including that:

- You can’t leave a Web site exposed nowadays for even a day (or less)
- Code vulnerabilities can happen in places far away from the data you’re trying to protect
- You can’t be complacent about coding practices, operations or even the lack of private data on your site – even when you have WAF technology deployed

Before responding prematurely to the press or to anyone else, we wanted to make sure we had time to sift through our logs and do a bit of communication. We’re glad that the impact will be very minimal, but we’re not happy about the amount of bandwidth we’ve spent assessing what happened, responding to affected parties and putting in place the steps to prevent it in the future. We are working to notify everyone whose email addresses were exposed, and we apologize for the inconvenience.
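An added example, not part of the original post and not Barracuda's code: a Python/sqlite3 stand-in for the case-study lookup the blog post describes. It shows the injectable query beside the bound-parameter form, and what changes when the leads table is kept out of the database the lookup can reach. The schema, rows, function names and crafted input are all constructed for illustration.

```python
import sqlite3

def build_db(shared=True):
    # Constructed schema. shared=True mirrors the blog post: case studies and
    # marketing leads live in one database. shared=False keeps leads elsewhere.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE case_studies (vertical TEXT, title TEXT);
        INSERT INTO case_studies VALUES ('education', 'Campus mail filtering');
        INSERT INTO case_studies VALUES ('healthcare', 'Clinic web gateway');
    """)
    if shared:
        db.executescript("""
            CREATE TABLE leads (name TEXT, email TEXT);
            INSERT INTO leads VALUES ('Sample Lead', 'lead@example.com');
        """)
    return db

def studies_concatenated(db, vertical):
    # Unvalidated-parameter pattern: request input becomes part of the SQL text.
    sql = "SELECT title FROM case_studies WHERE vertical = '" + vertical + "'"
    return [row[0] for row in db.execute(sql)]

def studies_bound(db, vertical):
    # Hardened form: the value is bound as data and is never parsed as SQL.
    sql = "SELECT title FROM case_studies WHERE vertical = ?"
    return [row[0] for row in db.execute(sql, (vertical,))]

def leaked_emails(db, value):
    # Addresses the injectable lookup returns; if the leads table is not in
    # this database the statement fails and nothing is returned.
    try:
        return [r for r in studies_concatenated(db, value) if "@" in r]
    except sqlite3.OperationalError:
        return []

# Constructed input of the kind an automated parameter crawler submits.
CRAFTED = "x' UNION SELECT email FROM leads --"

if __name__ == "__main__":
    shared, isolated = build_db(True), build_db(False)
    print("normal lookup:       ", studies_bound(shared, "education"))
    print("concatenated, shared:", leaked_emails(shared, CRAFTED))
    print("bound, shared:       ", studies_bound(shared, CRAFTED))
    print("concatenated, split: ", leaked_emails(isolated, CRAFTED))
```

Binding the parameter fixes the script itself. Separating the databases limits what a similar flaw in some other ancillary script could reach.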


