The IT guy over at Sony Towers must be getting pretty annoyed at this stage. Having just managed to restore the PlayStation Network (PSN) following one of the largest cyber-attacks in the history of the Internet, Sony now faces another highly embarrassing breach in which 1,000,000 Sony Pictures accounts were compromised.
Yes, it’s happened again. A group of hackers calling themselves LulzSec last night published on the internet a portion of the one million accounts they hacked, including usernames, passwords, names, addresses, phone numbers and dates of birth. LulzSec is the group behind the hack of the PBS website last week, when a fake story about rapper Tupac being alive and living in New Zealand was posted for a number of hours. In a post on its website, which is currently offline, the group outlined what they did and, most worryingly for Sony and its customers, just how easy it was for them to breach the security:
We recently broke into SonyPictures.com and compromised over 1,000,000 users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts. Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 "music codes" and 3.5 million "music coupons."
LulzSec describes itself as a small group of hackers who feel “the drabness of the cyber community is a burden on what matters: fun.” The breach of SonyPictures.com was done with a very simple SQL injection, one of the most primitive and common vulnerabilities. “From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?” All of the data compromised was stored in plain text, which according to the hackers means “they were asking for it.” LulzSec, which is based in the Bahamas, has even posted the code used online to allow anyone else who wanted to attempt the hack to do so for themselves. This will add to the embarrassment for Sony, which is still trying to recover from last April’s breach. While this breach is a lot less damaging and was done for fun rather than financial gain, it has been picked up by media outlets throughout the world and will further damage Sony’s already battered reputation.
Associated Press managed to contact one of the people whose private information was published, 84-year-old Elizabeth Smith, who confirmed that the username and password published were correct and that she had now changed them. She added that she was upset that Sony had not managed to protect her details properly.
Sony has yet to comment properly, with Sony Pictures’ Jim Kennedy simply saying it was aware of the claims and that they “are looking into these claims.” The IT guy at Sony Towers must be sweating now, wondering when or where the next attack will come.
Source: LulzSec