Hacker Kapustkiy just managed to break into another government website, this time in Italy where the target was the Dipartimento della Funzione Pubblica.
Specifically, using a simple SQL injection, Kapustkiy got access to a database of no fewer than 45,000 users, including login credentials for services handled by Italian cities.
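The article names the attack vector but not the underlying coding mistake, so here is an added illustration (not code from the article and not related to the actual site) of the pattern that makes a lookup injectable, next to the parameterized form that closes it. The table, usernames and hash values are constructed placeholders, and SQLite stands in for whatever database the real portal used.

```python
import sqlite3

# Constructed sample data: a tiny in-memory users table standing in for a
# portal's credential store. The hash values are placeholders, not real hashes.
SAMPLE_USERS = [
    ("mario.rossi", "pbkdf2$placeholder-hash-1", "comune-di-roma"),
    ("anna.bianchi", "pbkdf2$placeholder-hash-2", "comune-di-milano"),
]


def make_db():
    """Build the in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, org TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, username):
    # Attacker-controlled text is spliced into the SQL string, so a quote in
    # the input changes the query's structure instead of being treated as data.
    query = "SELECT username, org FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    # The placeholder binds the input as a value; whatever it contains is
    # compared as a literal string and is never parsed as SQL.
    query = "SELECT username, org FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, probe))  # every row comes back
    print("safe:      ", find_user_safe(db, probe))        # no such user: []
```

Running the two lookups with the same quote-bearing input shows the difference directly: the concatenated query returns every row in the table, while the bound-parameter version returns nothing because no account is literally named `x' OR '1'='1`. Defensively, every query built from request data should use placeholders (or an ORM that does so), and a web application firewall or database audit log that flags quote characters and `OR` clauses inside parameter values is a useful secondary signal that someone is probing for exactly this mistake.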
Kapustkiy took to Pastebin to share part of the database, saying that he decided to leak only 9,000 of the entries in order to give time to the Italian authorities to fix the security flaw.
Worse still, Italian officials have so far ignored the hacker's emails: Kapustkiy told us that he had already contacted the site's administrators to inform them of the breach, but none of his messages received a response.
“I did not get any response from them. I hope that they will look in the database now after this breach and make their security better,” he told us.
We’ve also reached out to the Italian ministry to ask for more information about the hack, but at the time of publishing this article, an answer is not yet available – we will update the post if an official statement is provided.
Kapustkiy has been busy lately, having broken into several other government websites around the world, including the Paraguay Embassy of Taiwan. He also breached sites belonging to the Indian Embassies in Switzerland, Mali, Romania, Italy, Malawi, and Libya, leaking database records that include the details of thousands of users, such as names, phone numbers, and email addresses.
The Indian government has even issued a public statement to thank the hacker for exposing flaws in their websites, acknowledging that the country needs to do more work to block attacks.
“Thank you for your advice,” Sanjay Kumar Verma, Joint Secretary, eGovernance and Information Technology, said. “We are fixing codes one by one. Your help in probing websites of various Indian embassies is a great help.”
It remains to be seen whether the Italian government will issue a similar statement, but judging from its lack of response so far, that seems very unlikely.