The Tech Herald

LulzSec: Sony was asking for it - millions of records compromised (Update 2)

by Steve Ragan - Jun 3 2011, 03:10

Update 2:

Sony has notified 37,500 people due to the breach. The notification letter can be seen here.

Update:

Michael Lynton, the Chairman and Chief Executive Officer, and Amy Pascal, the Co-Chairman of Sony Pictures, issued the following statement today.

"The cybercrime wave that has affected Sony companies and a number of government agencies, businesses and individuals in recent months has hit Sony Pictures as well. Yesterday afternoon a group of criminal hackers known as "LulzSec" claimed to have breached some of our websites.

"We have confirmed that a breach has occurred and have taken action to protect against further intrusion. We also retained a respected team of experts to conduct the forensic analysis of the attack, which is ongoing.

"In addition, we have contacted the U.S. Federal Bureau of Investigation and are working with them to assist in the identification and apprehension of those responsible for this crime. We deeply regret and apologize for any inconvenience caused to consumers by this cybercrime."

Original Article:

Last week, LulzSec said that it was the beginning of the end for Sony. That statement foreshadowed Thursday’s public release of nearly 140,000 records, which the group described as only a sample of the data it obtained after compromising Sony Pictures. The breach was possible thanks to a single SQL Injection flaw within a promotional page for the movie Ghostbusters.

“We are looking into these claims,” said Jim Kennedy, EVP of Global Communications for Sony Pictures Entertainment, in an emailed statement to The Tech Herald.

The claims come from LulzSec, the group that recently compromised PBS after a negative Frontline story on WikiLeaks. As word of the PBS attack circulated in the media, LulzSec outright warned Sony that something was up.

“Hey @Sony, you know we're making off with a bunch of your internal stuff right now and you haven't even noticed? Slow and steady, guys,” a May 31 Twitter post from the group noted.

Addressing the public on Thursday, LulzSec said that a single SQL Injection flaw gave them access to more than one million cleartext passwords, 3.5 million “music coupon” codes, and 75,000 “music codes”.

“SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed everything. Why do you put such faith in a company that allows itself to become open to these simple attacks,” the note from LulzSec said.

“What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it. This is disgraceful and insecure: they were asking for it.”

The file with the most potential to cause damage is the database dump with 12,500 records, containing names, home addresses, phone numbers, email addresses, usernames, and passwords. In addition, a second file released by the group contains 21,000 email addresses and passwords, each tied to a sweepstakes entry.
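The two failures LulzSec describes above, a single injectable parameter on a promotional page and passwords stored in plaintext, are easy to model together. The following is an added example written for this article, not code from Sony or from LulzSec: it builds a throwaway SQLite database with an invented promo-code table and an invented customers table, shows how one injected value turns the promo lookup into a dump of the customers table, shows the same lookup with a bound parameter, and contrasts plaintext storage with a salted PBKDF2 hash. All table names, column names, and sample rows are constructed for the example.

```python
"""Added example (not code from the original article, Sony or LulzSec):
a minimal model of an injectable promo-page lookup and of plaintext vs.
hashed password storage, on an in-memory SQLite database so it runs offline.
Table and column names are invented for the example.
"""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample rows: a promo-code table for a movie site and a
# customers table that stores passwords in plaintext, the condition the
# article describes.
SAMPLE_CUSTOMERS = [
    ("alice", "alice@example.com", "hunter2"),
    ("bob", "bob@example.com", "letmein"),
]

# One injected value. The original SELECT returns two columns, so the
# UNION must also return two; the trailing "--" comments out the quote
# the page appends after the parameter.
PAYLOAD = "' UNION SELECT username, password FROM customers --"

PBKDF2_ROUNDS = 200_000  # assumed work factor for the hashing example


def make_db():
    """Build the example database with plaintext customer passwords."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE promo_codes (code TEXT, prize TEXT);
        CREATE TABLE customers (username TEXT, email TEXT, password TEXT);
        INSERT INTO promo_codes VALUES ('GB2011', 'Movie poster');
    """)
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_prize_vulnerable(conn, code):
    """Promo lookup as an injectable page does it: the user-supplied code
    is spliced straight into the SQL text, so it can change the query."""
    sql = "SELECT code, prize FROM promo_codes WHERE code = '%s'" % code
    return conn.execute(sql).fetchall()


def lookup_prize_safe(conn, code):
    """The same lookup with a bound parameter: the input is only ever
    compared as a value, never parsed as SQL."""
    sql = "SELECT code, prize FROM promo_codes WHERE code = ?"
    return conn.execute(sql, (code,)).fetchall()


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt_hex$digest_hex'.
    A dump of this column yields no reusable passwords."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    db = make_db()
    print("injected, vulnerable:", sorted(lookup_prize_vulnerable(db, PAYLOAD)))
    print("injected, parameterized:", lookup_prize_safe(db, PAYLOAD))
    print("legitimate code:", lookup_prize_safe(db, "GB2011"))
    record = hash_password("hunter2")
    print("stored form contains plaintext?", "hunter2" in record)
    print("verify correct password:", verify_password("hunter2", record))
```

Run as a script, the vulnerable lookup returns the two customer username/password pairs instead of a prize, the parameterized lookup returns nothing for the payload and the correct row for a real code, and the hashed record reveals no password even when dumped.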

“The take away for the average internet users is clear. Don't trust that your password is being securely stored and be sure to use a unique password for every website to limit your exposure if hacks like these occur,” commented Sophos’ Chester Wisniewski.

“Companies collecting information from their customers have a duty to protect that information as well. In addition to employing proper encryption to protect against theft or loss, companies should work with reputable penetration testers to validate their security plans.”

The link used to perform the SQL Injection attack on SonyPictures.com was unavailable at the time this story was written. We’ve asked Sony for additional information, and if they provide it we’ll update this story.
