Sony Web Site Hack Compromises 1 Million Accounts


Sony is reeling from another data breach after miscreants broke into the computer networks of Sony Pictures and exposed the personal information of more than one million customers.

LulzSec, the hacker group behind the Sony Pictures attack, said in a Pastebin.com blog post that they exploited a security vulnerability on the Sony Pictures Web site with an easily executed SQL injection attack. The LulzSec hacker group also claimed responsibility for a breach of the PBS Web site, which occurred over Memorial Day weekend.

Altogether, the hackers said that they accessed personally identifying information, including passwords, e-mail addresses, home addresses, dates of birth and all Sony opt-in data associated with the accounts of more than 1 million users.

The LulzSec hackers also said that they compromised all admin details of Sony Pictures, as well as 75,000 "music codes" and 3.5 million music coupons, while breaking into other tables from Sony BMG in the Netherlands and Belgium.

“SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING,” the hackers said. “Why do you put such faith in a company that allows itself to become open to these simple attacks?”

LulzSec said that they were only able to publish about 150,000 samples, due to “lack of resources.”

Meanwhile, the hackers said that they executed the attack in an effort to bring attention to glaring security vulnerabilities within Sony systems, while underscoring the fact that the company failed to adequately protect its sensitive customer data.

“What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it. This is disgraceful and insecure: they were asking for it,” the hackers said, adding, “This is an embarrassment to Sony.”

LulzSec also boasted it broke into PBS.org over the holiday weekend to retaliate against a broadcast documentary that they contended was critical of WikiLeaks.

During that hack, attackers published customer and administrator Web site usernames and hashed passwords, along with a fake news story claiming that deceased rapper Tupac Shakur was still alive and living in New Zealand.

The attack against Sony Pictures is the latest in a long string of attacks against the electronics giant over the last six weeks, kicked off by a hack against Sony PlayStation Network and Qriocity services in April that compromised at least 77 million customer records. Since then, Sony has been regularly assaulted by hackers in attacks targeting Sony BMG Greece, Sony Thailand, and Japanese subsidiary So-Net services.

Security experts contend that the seemingly endless series of attacks indicates a deep systemic problem in Sony’s security posture.
