In what seems to be an apt visualization of the adage “when it rains, it pours,” hackers have been poring over Sony’s websites with an increased vengeance over the past few weeks in the wake of the attacks on the PlayStation Network. Next up: Sony Pictures Entertainment, the movie-making division of Sony.
According to a statement attributed to the hacker group LulzSec posted at pastebin.com, the compromise is profoundly embarrassing:
Our goal here is not to come across as master hackers, hence what we’re about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?
What’s worse is that every bit of data we took wasn’t encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it’s just a matter of taking it. This is disgraceful and insecure: they were asking for it.
The hacker group LulzSec, aka The Lulz Boat, also implicated itself this week in several defacements of the PBS website in the wake of programming about Wikileaks. After repeatedly compromising the websites for PBS, they probably rolled up on Sony and saw it as a soft target already suffering under heavy precipitation and blows from other compromises perpetrated in the past month.
The group claims to have infiltrated the website with a simple SQL-injection hack (an extremely common exploit in which input supplied to a website is executed as part of a query against the underlying database, permitting hackers access to otherwise invisible data). Sony hasn’t been available for comment on this particular breach, however, so it’s unknown if that’s the actual vector used by the hackers to enter the website.
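To make the two weaknesses named in the statement concrete (a query open to SQL injection, and passwords kept in plaintext), here is an added example that is not from the original article, from Sony, or from LulzSec. The table layout, account data and function names are all constructed for illustration; it shows a string-built query beside its parameterized form, and a salted-hash login check that needs no plaintext column.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumed work factor for this demo

def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def build_db():
    """Constructed sample data: two accounts in an in-memory database.
    plaintext_pw models the weak storage described; a real schema drops it."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT, plaintext_pw TEXT, salt BLOB, pw_hash BLOB)")
    for email, pw in [("alice@example.com", "hunter2"), ("bob@example.com", "s3cret")]:
        salt, digest = hash_password(pw)
        db.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (email, pw, salt, digest))
    return db

def lookup_vulnerable(db, email):
    # Flaw: input is pasted into the SQL text, so a quote in it changes the query.
    query = "SELECT email, plaintext_pw FROM users WHERE email = '" + email + "'"
    return db.execute(query).fetchall()

def lookup_parameterized(db, email):
    # Fix: the driver passes the value separately; it is never parsed as SQL.
    return db.execute("SELECT email FROM users WHERE email = ?", (email,)).fetchall()

def verify_password(db, email, candidate):
    """Check a login against the salted hash instead of a stored password."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    _, digest = hash_password(candidate, row[0])
    return hmac.compare_digest(digest, row[1])

if __name__ == "__main__":
    db = build_db()
    crafted = "x' OR '1'='1"  # constructed input containing a quote
    print(len(lookup_vulnerable(db, crafted)))     # every row, plaintext included
    print(len(lookup_parameterized(db, crafted)))  # no rows match
    print(verify_password(db, "alice@example.com", "hunter2"))
```

With the plaintext column removed, a dump of this table yields only salts and digests, so a single injectable query no longer hands over every password.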
Also according to the pastebin “press release,” LulzSec has made available a boatload of information that they uncovered in Sony’s databases.
“[We] compromised over 1,000,000 users’ personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts,” the group claims. “Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 ‘music codes’ and 3.5 million ‘music coupons’.”
Proof of their prowess has been uploaded to torrent website The Pirate Bay and other venues and is spreading far and wide as this article makes its own digital rounds of the Internet.
As a corporation, Sony runs as data silos (mostly disconnected large databases that serve individual arms of the company). As a result, each of its divisions has its own security, and the divisions are largely disconnected from one another. This is why one breach doesn’t take everything from them; but it does mean that each individual subdivision faces its own security concerns and follows its own guidelines.
Chances are other divisions of Sony will find themselves targeted next. LulzSec and other hacker groups obviously have an axe to grind against them, and the more devastation they wreak, the greater the achievement they feel they’ve earned, if the pastebin press release is to be believed.