Just as Sony finishes restoring the PlayStation Network after it was compromised and down for weeks, the database of another Sony website, SonyPictures.com (as well as sonybmg.nl and sonybmg.be), has been hacked. This time it was done by a group called Lulz Security (LulzSec for short).
They claim that they managed to expose the personal information of 1 million accounts, including usernames, emails, addresses, and passwords.
How did they do this? Through a simple SQL injection: user-supplied input (for example, a parameter in a web URL) was pasted into a database query without being sanitized or parameterized, so an attacker could change the meaning of the query and read out the whole table. Worse, Sony stored all of the data in plaintext. The passwords were not hashed, let alone salted, and nothing else was encrypted, so it did not matter how strong a password was: whoever read the table got it exactly as the user typed it.
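To make the two failures concrete, here is an added example (not code from the original article, and nothing to do with Sony's actual application) that builds a small in-memory SQLite table of constructed accounts and runs the same lookup two ways: once with the username pasted into the SQL text, which one classic tautology payload turns into "return every row", and once as a bound parameter, where the same payload matches nothing. The table also carries a salted PBKDF2 hash beside each constructed plaintext password to show what an attacker would have seen if the dump had contained hashes instead. The payload string, table layout and iteration count are illustrative assumptions.

```python
"""Added example: string-built SQL vs a parameterised query, and plaintext
vs hashed password storage. All data below is constructed for the demo."""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed sample accounts; the plaintext column mirrors the kind of
# data the leaked files contained.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "Tr0ub4dor&3"),
    ("bob", "bob@example.com", "hunter2"),
    ("carol", "carol@example.com", "correcthorsebatterystaple"),
]
PBKDF2_ROUNDS = 100_000  # assumption for the demo; tune to your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salthex$digesthex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, email TEXT, "
        "password_plain TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(u, e, p, hash_password(p)) for u, e, p in SAMPLE_USERS],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable: the request parameter becomes part of the SQL text, so
    # quotes and keywords in it are interpreted as SQL.
    sql = (
        "SELECT username, email, password_plain FROM users "
        f"WHERE username = '{username}' ORDER BY username"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Fixed: the value travels as a bound parameter and can only ever be
    # compared against the column, never parsed as SQL.
    sql = (
        "SELECT username, email, password_hash FROM users "
        "WHERE username = ? ORDER BY username"
    )
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology payload: closes the quoted string and appends an
# always-true condition, so the WHERE clause matches every row.
PAYLOAD = "x' OR '1'='1"


def demo() -> dict:
    conn = build_db()
    dumped = lookup_vulnerable(conn, PAYLOAD)
    safe = lookup_safe(conn, PAYLOAD)
    return {
        "rows_dumped_via_injection": len(dumped),
        "rows_returned_when_parameterised": len(safe),
        # With plaintext storage, the first dumped row hands over a
        # usable password; a hashed column would have needed cracking.
        "first_plaintext_seen": dumped[0][2] if dumped else None,
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows three rows dumped by the injected query, zero by the parameterised one, and the plaintext password of the first account sitting in the result. Parameterisation closes the injection; hashing with a per-user salt means that even a successful dump yields only digests that have to be brute-forced one account at a time, which is exactly the protection the leaked Sony tables lacked.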
Getting hacked through a simple SQL injection is very embarrassing for a corporation as big as Sony. As a well-known company, it is trusted by users to handle their information properly, and since it was already hacked a few weeks ago, one would expect it to have moved immediately to improve its security.
It is also worth noting that LulzSec had also successfully hacked parts of PBS.org, Fox.com, and Sonymusic.co.jp in the past few weeks.
LulzSec has uploaded a sample of the data they took in the hack. They say they couldn't upload everything because it would take too long. Text files with thousands of usernames and passwords are available on their website as well as via torrents.
I looked through a sample the group uploaded and indeed, there are emails and corresponding passwords of thousands of users here and, in some files, even dates of birth and postal addresses.
As we all know, many users re-use the same password everywhere, so their other (possibly more important) accounts, such as email, risk being hacked as well. If you had an account on Sony Pictures (or, to be on the safe side, any Sony website), change your password immediately, along with every other account that used the same one. Unlike the previous Gawker hack, where the passwords were at least hashed, your password is in plaintext this time, so there is nothing for an attacker to crack.
LulzSec doesn’t appear to have any evil intentions with this data beyond simply showing how terrible the security measures Sony uses are. I actually applaud the hackers for doing this and exposing Sony’s poor security to the world.
Hopefully, after these incidents, Sony will decide to at least hash its users' passwords and encrypt the rest of its customers' data.
What are your thoughts about this incident, particularly about how Sony handles security? Share with us in the comments.