Think Information. Think Security.
There seems to be no more sunshine for Sony. Hack after hack, and each time it happens we see how little priority Sony gave to information security across its organization.

I cannot believe that such a big company as Sony, with millions of customers worldwide, would not give priority to securing its perimeter and would even store user passwords in PLAIN TEXT! Yes, plain text. Sigh....

A hacker group called LulzSec claims to have compromised SonyPictures.com and gained access to its entire database of over one million accounts.

The group announced late last week that it was working on a new Sony hack, but later got distracted with its attack against PBS.org after the network ran a WikiLeaks documentary.

LulzSec claims the method of compromise was SQL injection, an attack that exploits one of the most common types of flaws found in websites today.

"SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING," the hackers write.

By EVERYTHING they mean the personal information of over 1 million people who had accounts on the website, 75,000 music codes and 3.5 million music coupons.

Compromised account information includes email addresses, home addresses, dates of birth, Sony opt-in data and, shockingly, plain text passwords.

"Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it. This is disgraceful and insecure: they were asking for it," LulzSec says.

Indeed, if Sony stored passwords without hashing them (the group says "plaintext"; the remedy is a salted one-way hash, not reversible encryption), it is a major security oversight. Hashing stored passwords has been standard practice in web development for years now.
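As an added illustration (not code from the original post or from Sony), the two failings the post describes side by side with the expected practice: the plaintext storage LulzSec reports versus per-user salted PBKDF2 hashing with constant-time verification, and a user lookup using bound parameters so the query text never contains user input. The iteration count and the sample user are assumptions; everything runs on the Python standard library.

```python
# Added example: plaintext storage versus salted one-way hashing, with a
# parameterised lookup. Standard library only; all sample data is constructed.
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000   # assumption: a present-day PBKDF2 work factor; raise it over time

def store_plaintext(password: str) -> str:
    # The pattern the post criticises: whoever dumps the table has every password.
    return password

def hash_password(password: str) -> str:
    salt = os.urandom(16)   # fresh per user, so equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Self-describing record so the work factor can be raised later without a flag day.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so a timing side channel does not leak matching bytes.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def new_user_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw TEXT NOT NULL)")
    return db

def register(db: sqlite3.Connection, email: str, password: str) -> None:
    # Bound parameters: user input is passed as data, never spliced into the SQL text.
    db.execute("INSERT INTO users VALUES (?, ?)", (email, hash_password(password)))

def login(db: sqlite3.Connection, email: str, password: str) -> bool:
    row = db.execute("SELECT pw FROM users WHERE email = ?", (email,)).fetchone()
    return row is not None and verify_password(password, row[0])

if __name__ == "__main__":
    db = new_user_db()
    register(db, "alice@example.com", "correct horse")       # constructed sample user
    print(login(db, "alice@example.com", "correct horse"))   # True
    print(login(db, "alice@example.com", "wrong"))           # False
    print(login(db, "nobody@example.com", "correct horse"))  # False
```

A dump of the `users` table from the hashed variant yields only salted digests, so each password still has to be guessed at the full PBKDF2 cost rather than read off directly.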

However, while the database can technically be considered compromised because it was accessed by an unauthorized party, it has not been leaked in its entirety.

That's because it was so massive it would have taken LulzSec several weeks to copy the data. The group decided to only extract samples of the information, which they leaked via The Pirate Bay.

Sony hasn't yet officially confirmed the security breach, but it did launch a probe into the group's claims. Given the evidence, however, it's very likely the compromise is real.

And it doesn't stop here, as LulzSec also included various information extracted from the databases of Sony BMG Belgium & Netherlands. This means that more of Sony's web properties have been hacked into.


Editor's Note: Cross post from 