An SQL injection (SQLi) is a type of cyber attack that targets websites and apps relying on SQL databases.
The attacker supplies input (a form field, URL parameter, cookie, or header) that the application pastes straight into an SQL query, so the input is executed as part of the query instead of being treated as data. They can then potentially steal sensitive information, modify or delete data, or even take control of the entire server.
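Here is what that looks like in code. This is an added example, not code from the page or from any of the incidents it describes: a throwaway in-memory SQLite table with made-up users, a login query built by string concatenation, and the same query written with bound parameters.

```python
import sqlite3


def build_db():
    """Constructed sample data: an in-memory table standing in for a web app's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The bug: user input is pasted into the SQL text, so quotes and keywords in it become SQL."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """The fix: placeholders. The driver binds the values separately, so they are data, never SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Two attacker-controlled usernames (constructed for this demo). The first
# closes the quote and comments out the password check ("--" starts a comment
# in SQLite); the second appends a UNION that selects every stored credential.
# The UNION must return the same number of columns as the original SELECT.
BYPASS = "alice'--"
DUMP = "' UNION SELECT username, password FROM users--"


def demo():
    """Runs both payloads against the concatenated and the parameterized query."""
    conn = build_db()
    return {
        "normal": login_vulnerable(conn, "bob", "hunter2"),
        "vuln_bypass": login_vulnerable(conn, BYPASS, "wrong"),      # logs in as admin
        "vuln_dump": sorted(login_vulnerable(conn, DUMP, "wrong")),  # every password
        "safe_bypass": login_safe(conn, BYPASS, "wrong"),            # no such user
        "safe_dump": login_safe(conn, DUMP, "wrong"),                # no such user
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The two functions issue the same SQL for honest input; the difference only shows when the input contains a quote. Note that the parameterized version does not escape or filter anything, which is why it cannot be bypassed by a cleverer string.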
Check out these SQL injection attacks statistics and explore the scale of this threat. Let’s go!
Most shocking SQL injection attacks statistics
A single malicious injection can steal a startling amount of data. Don’t believe us? The numbers don’t lie:
- 42% of hacker attempts on public-facing systems are SQL injection-based.
- 21% of organizations are still vulnerable to SQL threats.
- The largest known SQL injection attack in history stole over 1 billion user IDs and passwords.
- Hackers stole 130 million card details using an SQL injection attack.
- A JSON-based SQL injection technique bypassed Web Application Firewalls as recently as February 2023.
General SQL injection attacks statistics
Although defenses against this attack technique are stronger than ever, the risk remains high. Let’s take a look:
1. 42% of attacks on public-facing systems are based on SQL injection.
Source: [EdgeScan]
Almost all websites and public-facing systems require backend databases to store data and function properly. So it’s no surprise that some 42% of attacks are SQL injections. The threat extends to internal systems too, but to a lesser degree (12%).
2. Injection was the third most serious web application risk in the OWASP Top 10 for 2021.
Source: [OWASP]
The OWASP Top 10 (2021) ranks Injection, the category that includes SQL injection, as the third biggest danger to look out for, with 274,000 occurrences recorded across the applications in its data set.
3. SQL injections are used in blended attacks alongside worms and trojans.
Source: [ZDNet]
Blended or mixed-threat attacks combine different types of malware, such as trojans, backdoors, worms, and more. One notable example was the Storm Worm, launched in January 2007.
It injected links to malicious domains into vulnerable websites to spread the infection further. Eventually, it reached over a million infections and cost millions to clean up.
It got its name from the subject line of the initial spam email: ‘230 dead as storm batters Europe.’
Historical SQL injection attacks statistics and facts
Let’s look at some of the most well-known instances of this danger in history.
4. In 2002 Guess.com leaked 200,000 customer details in the first high-profile SQL injection incident.
Source: [SecurityFocus]
SQL injection was first publicly described in 1998. But it wasn’t until 2002 that the cyber security industry acknowledged it as a widespread problem.
That year, a flaw in the online fashion store Guess.com exposed more than 200,000 customer credit card numbers in the first major incident of its kind.
5. The largest known SQL injection attack in history stole over 1 billion user IDs and passwords.
Source: [Washington Post]
The biggest coordinated cyber attack involving an SQL injection occurred in 2014. A group of Russian hackers breached 420,000 websites including business and personal pages. They managed to steal 1.2 billion usernames and passwords, though the financial repercussions are unknown.
6. Hackers stole 130 million card details using an SQL injection attack.
Source: [BBC News]
In 2009, Albert Gonzalez and two unnamed Russian accomplices were charged with using SQL injection to break into the payment processing systems of companies including 7-Eleven and Hannaford. They obtained 130 million credit and debit card details in what was then the biggest case of identity theft in US history.
7. The SQL Slammer attack wasn’t actually an SQL injection.
Source: [GeeksForGeeks]
Despite being one of the most high-profile attacks in history, SQL Slammer had nothing to do with SQL injection. It was a computer worm.
In January 2003 it exploited a buffer overflow bug in Microsoft SQL Server 2000 (and the MSDE engine), reaching vulnerable hosts with a single UDP packet and then scanning the internet at random for more. The resulting traffic slowed networks all across the world.
Current SQL injection attacks statistics and facts
Website and app owners have to constantly evolve their security measures as new threats arise.
8. 21% of organizations are still vulnerable to SQL injection attacks.
Source: [VentureBeat]
Modern organizations are still in danger due to outdated systems and a lack of adequate security controls. The most vulnerable sectors are educational institutions (35%) and government organizations (32%).
9. Web Application Firewalls were bypassed as recently as February 2023.
Source: [Claroty]
In early 2023, Israeli-American security firm Claroty published a generic SQL injection technique that bypassed Web Application Firewalls (WAFs). Adding JavaScript Object Notation (JSON) syntax, which the major databases accept inside SQL, to an injection payload produced requests that the WAFs’ parsers did not recognize as SQL, so they were not blocked. In the demonstration the team got past the Amazon Web Services WAF and used the injection to steal an administrator session cookie.
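To show the shape of that bypass, here is an added example that is not Claroty’s code or payloads and not any vendor’s WAF: a constructed signature-based filter that rejects the textbook tautology, a payload that reaches the same result through SQLite’s json_extract() function so that no signature fires, and the parameterized query that the payload cannot touch at all. The filter rules and the user table are made up for this demonstration.

```python
import re
import sqlite3

# Constructed stand-in for a signature-based WAF rule set. Real products use
# far larger lists, but they share the weakness shown here: they match known
# SQL shapes, and a shape they have no rule for passes through.
SIGNATURES = [
    re.compile(r"(?i)\bor\b\s*('[^']*'|\d+)\s*=\s*('[^']*'|\d+)"),  # OR 1=1, OR 'a'='a'
    re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b"),                # UNION SELECT
    re.compile(r"(?i)\b(sleep|benchmark|pg_sleep)\s*\("),            # time-based probes
]


def waf_allows(value):
    """Returns False when any signature matches the request parameter."""
    return not any(sig.search(value) for sig in SIGNATURES)


def build_db():
    """Constructed sample data, the same shape as a web app's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def query(conn, username, parameterized):
    """Looks a user up either with a bound parameter or by string concatenation."""
    if parameterized:
        sql = "SELECT username, role FROM users WHERE username = ?"
        return conn.execute(sql, (username,)).fetchall()
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


CLASSIC = "' OR 1=1 --"
# Same tautology, spelled with a JSON function: json_extract('{"a":1}', '$.a')
# evaluates to 1, so the WHERE clause is always true, but the left side of the
# '=' is a function call rather than a bare literal and the filter has no rule
# for JSON syntax. SQLite needs its JSON1 support for this to run.
JSON_PAYLOAD = "' OR json_extract('{\"a\":1}', '$.a') = 1 --"


def run():
    """Feeds both payloads through the filter and the JSON one into both queries."""
    conn = build_db()
    return {
        "classic_passes_waf": waf_allows(CLASSIC),        # blocked
        "json_passes_waf": waf_allows(JSON_PAYLOAD),      # not blocked
        "json_vs_concat": query(conn, JSON_PAYLOAD, parameterized=False),  # every row
        "json_vs_param": query(conn, JSON_PAYLOAD, parameterized=True),    # nothing
    }


if __name__ == "__main__":
    for name, result in run().items():
        print(f"{name}: {result}")
```

The lesson is the one Claroty drew as well: a WAF is a useful extra layer, but it only knows the syntax its authors anticipated, whereas a parameterized query never evaluates the input as SQL, whatever dialect tricks it contains.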
10. Gab lost 70 gigabytes of data to an SQL injection attack in 2021.
Source: [ARSTechnica]
Web attacks aren’t always about making money. They can be political too!
The most recent high-profile incident on this list occurred in 2021, when hackers exploited an SQL injection flaw to steal 70 gigabytes of data from the far-right social network Gab. The data contained passwords and private posts.
Furthermore, the platform compounded the damage by not revoking login tokens stored on browsers and mobile apps after the breach.
Wrap up
In conclusion, these SQL injection attacks statistics prove there’s still a significant threat to web applications worldwide. They can result in the loss of sensitive data and financial damage. They can also cause reputational harm!
Developers must therefore prioritize secure coding practices (above all, parameterized queries instead of string concatenation), regular vulnerability testing, and prompt security patching. Only then will they successfully mitigate the risks.
FAQ
What is the success rate of an SQL injection attack?
The success rate of an SQL injection attack depends on a number of factors. That includes the specific exploitable vulnerability, the hacker’s skill, and the target’s security measures.
Are SQL injection attacks still common?
Yes, SQL injection attacks are still very common. In fact, 42% of all attacks on public-facing systems are based on this technique.
What is the most common type of SQL injection?
The most common type is in-band SQL injection. The attacker delivers the malicious input through the same channel they use to read the result, typically an HTTP request whose response reveals the data directly (for example, through a UNION query or a database error message). Check out the rest of our SQL injection attacks statistics for more cool facts!
Sources
- EdgeScan
- OWASP
- ZDNet
- SecurityFocus
- Washington Post
- BBC News
- GeeksForGeeks
- VentureBeat
- Claroty
- ARSTechnica