Sony Gets Hacked (Again), Data Stored in Plaintext

Just as Sony finishes restoring the PlayStation Network after it was compromised and down for weeks, the database behind another Sony website, SonyPictures.com (along with sonybmg.nl and sonybmg.be), has been hacked. This time it was done by a group calling itself Lulz Security (LulzSec for short).

LulzSec

They claim that they managed to expose the personal information of 1 million accounts, including usernames, emails, addresses, and passwords.

How did they do this? Through a simple SQL injection, a basic technique in which input from a web request (a URL query parameter, for example) is dropped into a database query without proper handling, so an attacker can change what the query does and pull out whatever the database holds. The other half of the problem is that Sony stored all of the data in plaintext: no encryption or hashing was used whatsoever, not even for passwords, so it doesn't matter how strong a password was.
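As an added example (not from the original post, and not Sony's or LulzSec's material), the following Python script uses an in-memory SQLite database with constructed sample accounts to show both halves of the problem described above: a lookup that concatenates a URL parameter straight into its SQL versus a parameterized one, and a plaintext password column versus one holding salted PBKDF2 hashes, so that the same injected dump hands the attacker nothing directly usable. The table, column and function names and the injection payload are assumptions for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the demo; these are not from any leaked file.
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "correct horse battery staple"),
]

# A classic tautology payload, constructed for the demo: it closes the quoted
# value and appends a condition that is always true.
INJECTION = "x' OR '1'='1"


def hash_password(password, salt=None, iterations=200_000):
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored, candidate):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def setup_db(hashed):
    """Build an in-memory users table, plaintext (as the article describes) or hashed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT)")
    rows = [(email, hash_password(pw) if hashed else pw) for email, pw in SAMPLE_ACCOUNTS]
    conn.executemany("INSERT INTO users VALUES (?, ?)", rows)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Deliberately vulnerable: the request value is pasted into the SQL text."""
    sql = "SELECT email, password FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Parameterized query: the driver sends the value separately from the SQL."""
    return conn.execute(
        "SELECT email, password FROM users WHERE email = ?", (email,)
    ).fetchall()


def leaked_plaintext_passwords(conn, payload=INJECTION):
    """The set of password values an injected dump hands the attacker as-is."""
    return {pw for _, pw in lookup_vulnerable(conn, payload)}


if __name__ == "__main__":
    plain = setup_db(hashed=False)
    print("vulnerable lookup, plaintext table:", lookup_vulnerable(plain, INJECTION))
    print("parameterized lookup, same payload:", lookup_safe(plain, INJECTION))

    hashed_db = setup_db(hashed=True)
    for email, record in lookup_vulnerable(hashed_db, INJECTION):
        # Injection still dumps the table, but each row is a salted hash, not a password.
        print("vulnerable lookup, hashed table:", email, record[:40] + "...")
    stored = lookup_safe(hashed_db, "alice@example.com")[0][1]
    print("login check with the right password:", verify_password(stored, "hunter2"))
```

The injection is the same against both tables; what changes is what the dump is worth. Parameterization closes the injection hole, and hashing with a per-user salt and a slow KDF limits the damage when some other hole is found later.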

Getting hacked through a simple SQL injection is very embarrassing for a corporation as big as Sony. As a well-known company, users trust them to handle their information properly. Especially since they were already hacked a few weeks ago, one would expect that they would have immediately worked to improve their security.

It is also worth noting that LulzSec successfully hacked parts of PBS.org, Fox.com, and Sonymusic.co.jp in the past few weeks.

LulzSec has uploaded a sample of the data taken in the hack. They say they couldn't upload everything because it would take too long. Text files containing thousands of usernames and passwords are available on their website as well as via torrents.

LulzSec Releases

A screenshot of the list of releases LulzSec posted on their website, which at the time of writing is down, though a Google Cache copy is available

I looked through a sample the group uploaded and indeed, there are emails and corresponding passwords of thousands of users here and in some files, even dates of birth and postal addresses.

Sony Pictures Hacked File

The index file of the publicly uploaded sample from the Sony Pictures hack

As we all know, many users re-use the same password everywhere, so their other (possibly more important) accounts, such as email, are at risk of being hacked as well. If you had an account on Sony Pictures (or, to be on the safe side, any Sony website), change your password immediately, along with the password of any other account that used the same one. Unlike the previous Gawker hack, your password is in plaintext this time, so no cracking is needed.

LulzSec doesn’t appear to have any evil intentions with this data beyond simply showing how terrible the security measures Sony uses are. I actually applaud the hackers for doing this and exposing Sony’s poor security to the world.

Hopefully, after these incidents, Sony will at least hash its customers' passwords and encrypt the rest of their data.

What are your thoughts about this incident, particularly about how Sony handles security? Share with us in the comments.

By
Brian is the co-founder of TechAirlines. He is a web developer and manages most of the site’s operations. He is currently a freshman at Stony Brook University, majoring in Computer Science.

  • http://www.dangibbs.co.uk/journal/ Gibbs

    Plain text!? Even in the 70s there was some form of encryption (or more likely encoding). The whole Sony saga is shocking to say the least.
