Kaspersky gets hacked
Ouch, there's never anything more embarrassing for an IT security vendor than finding vulnerabilities in its own software, or having its own databases hacked. Well, the PR team at Russian anti-malware firm Kaspersky Lab must have had plenty to think about over the weekend, after it emerged that the firm's US portal was hacked.
Now the official line from Kaspersky is that a vulnerability was detected on a "subsection of the usa.kaspersky.com domain", but that the site was only vulnerable for a "very brief period"; well, it was eliminated within 30 minutes of detection, anyway. That is all fair enough, although the firm maintains that the vulnerability wasn't critical and that no data was compromised.
The hacker, a chap named Unu, posted details of his SQL injection attack on the HackersBlog site.
"Kaspersky is one of the leading companies in the security and antivirus market. It seems as though they are not able to secure their own data bases," Unu wrote in a posting on the site.
"Seems incredible but unfortunately, it's true. Alter one of the parameters and you have access to everything: users, activation codes, lists of bugs, admins, shop, etc."
Had he had more malicious intent, he could have gained full access to the back-end database containing customer details, user account numbers, activation codes and so on. So the vulnerability was maybe a little bit more critical than Kaspersky was making out. Bad PR or not, firms should really come completely clean when their systems are found to be vulnerable, even if they are security vendors.
February 9, 2009


