UPDATED 12:31 EST / JUNE 03 2011

Sony Hacked Again, Over 1m Accounts Compromised Claims LulzSec

In what seems to be an apt visualization of the adage “when it rains, it pours,” hackers have been poring over Sony’s websites with an increased vengeance over the past few weeks in the wake of the attacks on the PlayStation Network. Next up: Sony Pictures Entertainment, the movie-making division of Sony.

According to a statement attributed to the hacker group LulzSec posted at pastebin.com, the compromise is profoundly embarrassing:

Our goal here is not to come across as master hackers, hence what we’re about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?

What’s worse is that every bit of data we took wasn’t encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it’s just a matter of taking it. This is disgraceful and insecure: they were asking for it.

The hacker group LulzSec, aka The Lulz Boat, also implicated itself this week in several defacements of the PBS website in the wake of programming about WikiLeaks. After repeatedly compromising the PBS websites, they probably rolled up on Sony and saw a soft target already suffering under heavy precipitation and blows from other compromises perpetrated in the past month.

The group claims to have infiltrated the website with a simple SQL-injection hack (an extremely common exploit in which input sent to a website is executed as code by the underlying database, giving hackers access to otherwise invisible data). Sony hasn't been available for comment on this particular breach, however, so it's unknown whether that's the actual vector the hackers used to enter the website.

Also according to the pastebin “press release,” LulzSec has made available a boatload of information that they uncovered in Sony’s databases.

“[We] compromised over 1,000,000 users’ personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts,” the group claims. “Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 ‘music codes’ and 3.5 million ‘music coupons’.”

Proof of their prowess has been uploaded to torrent website The Pirate Bay and other venues and is spreading far and wide as this article makes its own digital rounds of the Internet.

As a corporation, Sony runs as a set of data silos: mostly disconnected large databases that serve individual arms of the company. As a result, each of its divisions has its own security and is largely disconnected from the others. This is why one breach doesn’t take everything from them, but it does mean that each individual subdivision faces its own security concerns and follows its own guidelines.

Chances are other divisions of Sony will find themselves targeted next. LulzSec and other hacker groups obviously have an axe to grind against them, and the more devastation they wreak, the greater the achievement they feel they’ve earned, if the pastebin press release is to be believed.

