Kaspersky: No personal info accessed by breach
Published: 2009-02-09

Security firm Kaspersky Lab revealed on Monday the results of its initial investigation into a weekend breach of its site, finding that no personal information had been viewed by the hacker, who used a well-known class of vulnerability, SQL injection, to reach the database powering the site.

On Saturday, the company learned from media reports that its U.S. support site contained a flaw that allowed attacker-supplied SQL to bypass the site's controls and query a customer database. The hacker, who had sent a warning to Kaspersky an hour before publishing information about the vulnerability, used an SQL injection attack to obtain the names of the database tables used by the company, said Roel Schouwenberg, senior antivirus researcher for Kaspersky. While the database also contained 2,500 e-mail addresses, that information was not accessed by the hacker, he said.
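The attack described above, listing table names through an injectable query, is easy to reproduce against a toy backend. The following is an added example written for this page; it is not code from the Kaspersky site or from the article. The schema, the product-lookup function and the use of SQLite (whose catalogue table is sqlite_master; MySQL's equivalent is information_schema.tables) are assumptions for illustration. The vulnerable lookup concatenates user input into the SQL text; the hardened lookup binds the same input as a parameter.

```python
import sqlite3

# Constructed stand-in for a support-site database. The table and column
# names are assumptions for this example, not the real site's schema.
def build_db():
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    cur.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT)")
    cur.executemany("INSERT INTO products (name) VALUES (?)",
                    [("Anti-Virus",), ("Internet Security",)])
    cur.executemany("INSERT INTO customers (email) VALUES (?)",
                    [("alice@example.com",), ("bob@example.com",)])
    conn.commit()
    return conn


def lookup_vulnerable(conn, product_id):
    # The request parameter is pasted into the statement text, so whatever
    # the caller sends is parsed as SQL. This is the bug class in the article.
    sql = "SELECT name FROM products WHERE id = " + product_id
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, product_id):
    # The statement text is fixed; the value travels separately as a bound
    # parameter and can never change the query's structure.
    return [row[0] for row in conn.execute(
        "SELECT name FROM products WHERE id = ?", (product_id,))]


# Payload an attacker would send as the product id to enumerate tables:
# a UNION that appends every table name from the SQLite catalogue to the
# (empty) result of the legitimate query.
TABLE_ENUM_PAYLOAD = "0 UNION SELECT name FROM sqlite_master WHERE type='table'"


def compare(product_id):
    """Run the same input through both lookups and return both results."""
    conn = build_db()
    return {
        "vulnerable": sorted(lookup_vulnerable(conn, product_id)),
        "parameterized": sorted(lookup_parameterized(conn, product_id)),
    }


if __name__ == "__main__":
    # Normal input behaves the same either way.
    print("id=1      ", compare("1"))
    # The injection payload leaks table names from the concatenated query
    # and returns nothing from the parameterized one.
    print("payload   ", compare(TABLE_ENUM_PAYLOAD))
```

Against the concatenated query the payload returns the table names (here `customers` and `products`), which is exactly the reconnaissance the article describes; once table names are known the same technique can be pointed at their contents. The parameterized version returns an empty result because the whole payload is compared as a value against `id`, never parsed as SQL.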

Schouwenberg acknowledged that Kaspersky expects its reputation to take a hit because of the breach.

"This is not good for any company, especially a company dealing with security," he said. "This should not have happened. We are now doing everything in our power to do the forensics in this case, and prevent this from happening ever again."

The company has already hired David Litchfield, principal consultant with NGS Software and an expert in database security, to independently evaluate the breach.

Kaspersky launched its new U.S. support site, which contained the vulnerable code, on January 29, the company said. The initial attack came on Saturday, February 7. On Sunday at 12:00 am ET, Kaspersky took down the support site and, fifteen minutes later, replaced it with the old version, which does not contain the vulnerable code, Schouwenberg said.

The company is studying its options for pursuing the hacker, but does not expect cooperation from Romanian law enforcement officials. Kaspersky competes with Symantec, the owner of SecurityFocus.




Posted by: Robert Lemos
Copyright 2009, SecurityFocus