Every time you fill out a form, sign up for a newsletter, or log into a website, you enter information into an online system. That information is then filtered and saved in a database. Generally, these strings of data contain information like email addresses, names, and phone numbers. However, this mechanic can be easily exploited, and has been by hackers many times in the past. Large corporations such as Target, Sony Pictures, 7-Eleven, VTech, and Heartland Payment Systems have been targeted by this exploit, known as a Structured Query Language (SQL) injection. SQL injections are used extensively because they can be executed on any web application that uses SQL databases, which many companies and corporations rely on for their reliability and integrity. But these systems are not invincible to attacks, whether they be with malicious or simply curious intent.
How SQL Injections Work

A SQL injection is a well known exploit used to “dump” large amounts of information from SQL databases. These databases process whatever information is entered into an entry field and filter it. This filtering process can vary from website to website, but the basic steps that the system goes through are the same. (fig. 1) For example, a login page filters entries, or queries, based on a simple true or false question based on the given username and password. However, a SQL injection can bypass the password check. On the backend, once the username as well as the correct password associated with it are identified in the database, the system filters the query based on whether or not the given password matches the one in the database already. If it does, the result is true, and this will grant access to the account being logged into. A SQL injection for this situation would be a condition that will always end up as a true result, such as 1=1. (fig. 2) There are many other strings of code that can be used as SQL injections for any entry field on web applications, not just login pages, which is why so many companies have fallen victim to these attacks.

Target
One of such companies is Target. In 2013, the corporation experienced one of the largest retail data breaches in United States history. Investigations over the following months found that attackers first gained access through a third-party vendor connected to Target’s network. After moving through internal systems, the attackers used a drive-by SQL injection vulnerability in a web service connected to the company’s web applications. The injection allowed them to run unauthorized database commands and escalate their ability to view and edit information inside the database. Once administrative access was obtained, the attackers installed malicious software onto the payment terminals of more than 1,800 stores. The software, called BlackPOS, was a memory-scraping malware designed to scan databases for point-of-sale (POS) systems and retrieve cardholder data.

The attackers’ goal was financial gain. The malware scraped credit and debit card information from transactions made at registers, collecting roughly 40 million payment card numbers and personal information from about 70 million customers between November and December of 2013. The stolen data was later sold on markets used for credit card fraud. The breach cost Target hundreds of millions of dollars in settlements, security upgrades, and legal costs. The company ended up needing to replace millions of bank-issued credit cards.
Sony Pictures
In 2011, Sony Pictures Entertainment’s website was compromised by members of the hacking collective LulzSec. The group used a simple SQL injection to compromise Sony’s website database. By inserting malicious SQL commands into vulnerable input fields, like login pages and search bars, the attackers forced the database to return large sets of user records. These records included names, addresses, phone numbers, and email addresses that belonged to Sony account owners.

Members of LulzSec later claimed responsibility publicly and distributed the stolen data online. The group stated that the breach was partly motivated by Sony’s legal actions against people modifying their PlayStation consoles, as well as by the group’s broader goal of exposing weaknesses in the online infrastructure of large corporations. The breach caused an estimated loss of $600,000 for Sony, along with a heap of public criticism of the company’s cybersecurity practices.
7-Eleven

In 2007, hackers led by American cybersecurity expert Albert Gonzalez targeted systems connected to the convenience store chain 7-Eleven. The group used, once again, a SQL injection to gain entry into internal servers used to process payments at stores nationwide. With the use of SQL queries and the vulnerability of 7-Eleven’s web pages, the attackers were able to access the company’s backend database and establish a hidden backdoor that allowed them to return later at their own whim without being detected by monitoring systems.
Once inside the network, the attackers installed packet-sniffing malware that collected credit and debit card data as it was actively processed by store terminals and ATMs. The operation was part of a bigger international fraud scheme targeting major retailers and payment processors. The stolen card numbers were sold though underground forums where buyers used them to produce counterfeit cards. The intrusion formed part of a series of breaches connected to Gonzalez’s group that collectively exposed millions of payment cards and later resulted in long prison sentences for several members of the operation.
Heartland Payment Systems
In 2008, the payment processor Heartland Payment Systems was infiltrated by attackers using a SQL injection against a web application connected to the company’s payment network. The intrusion was carried out by the same hacking group led by Albert Gonzalez that targeted several retailers during its run. After exploiting various vulnerabilities to gain network access, the attackers installed malware that captured card data during payment transactions as they were made. The breach ultimately exposed over 100 million credit and debit card numbers, making it one of the largest payment-processing breaches ever recorded. It resulted in extensive financial penalties and security reforms across the payment industry, as it exposed the dangers that these kinds of companies faced due to weak security systems.
VTech

In 2015, the toy and electronics manufacturer VTech’s online service “Learning Lodge”was breached. This service was used by parents and children who owned the company’s educational tablets. Security researchers discovered that the website contained an undetected SQL injection that allowed the attackers to directly query the backend database. By modifying the website’s input fields, the malicious code allowed for tables of stored user data to be returned to the hackers.
The breach was particularly concerning because it was a service designed for children, an already vulnerable group. Attackers obtained personal data belonging to about 6.4 million children and 4.8 million parents, including names, email addresses, encrypted passwords, and in some cases home addresses. While no financial information was stored in the affected database, as is the case with many of these hackings, the exposure of children’s data led to regulatory investigations and major criticism of the company’s security strength. The incident became a widely cited example of weak cybersecurity protections in internet-linked toys and services made for children.
SQL injections remain one of the most persistent security weaknesses in web applications because they target a basic feature of how a system used by most major corporations operates. When input fields fail to properly separate database commands from regular user input, attackers can manipulate those commands and force the database to reveal or alter information. The breaches of history show how a single vulnerability in a web application can lead to the exposure and exploitation of millions. In each case, hackers used database queries to gain unauthorized access and then extract data or install additional tools that expanded the breach.
These incidents also show that the consequences extend beyond the immediate theft of data. Companies faced financial losses and legal penalties as a result of their weak cybersecurity. Many of them have since adopted stronger protections such as input validation, parameterized queries, and database access controls, which reduce the risk of SQL injection attacks. The continued presence of these vulnerabilities shows that secure coding practices and regular security testing remain necessary for any system that stores sensitive data.
