
Sony hacked again, 1M passwords hit


Hackers struck anew against Sony, breaking into the website of its movie arm Sony Pictures and posting the stolen data online.

LulzSec, which had earlier broken into the sites of Sony Music Japan and Public Broadcasting Service, claimed to have compromised the private data of over a million Sony Pictures customers.

"We recently broke into SonyPictures.com and compromised over 1,000,000 users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts. Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 "music codes" and 3.5 million 'music coupons,'" it said in a release on its website.

It pointed out that none of the data on the hacked Sony sites, including the users' passwords, was encrypted.

LulzSec added that the collection of data it posted online included databases from Sony BMG Belgium and Netherlands. Among the supposed data LulzSec claimed to have posted on its site were those of Sonypictures.com, such as:

  • Sonypictures.com AutoTrader users database
  • Sonypictures.com Sony Wonder coupons database
  • Sonypictures.com Sony Wonder.music codes database
  • Sonypictures.com Seinfeld Del Boca Vista database
  • Sonypictures.com database tables
  • Sonybmg.nl partners and admins database
  • Sonybmg.be users database

"SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?" LulzSec said.

"What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it. This is disgraceful and insecure: they were asking for it," it added.

Earlier attacks on Sony sites had included those on its mobile phone arm Sony Ericsson's Canadian e-commerce site last May.

Online security firm Sophos' Chester Wisniewski said the information disclosed includes approximately 150,000 records.

"This sounds like a broken record... Passwords and sensitive user details stored in plain text... Attackers using 'a very simple SQL injection' to compromise a major media conglomerate," he said in a blog post.

Worst of all was that the hackers are exposing over a million people to having their accounts compromised and identities stolen simply to make a political point, he said.

He added that companies collecting information from their customers have a duty to protect that information as well.

"In addition to employing proper encryption to protect against theft or loss, companies should work with reputable penetration testers to validate their security plans," he said.

— TJD, GMA News