A hacker claims to have hacked Sony Ericsson's Canadian eShop and published data allegedly extracted from the website's database. The hacker, who goes by the handle Idahc and says he's from Lebanon, has posted a partial database dump on pastebin.com.
"I am Idahc a Lebanese hacker and I am Back. I hacked The database of ca.eshop.sonyericsson.com with a simple sql injection," the hacker told Softpedia in an email that also includes a screenshot of the attack.
The pastebin.com dump exposes customer real names, email addresses and password hashes. It's not immediately clear if the hacker also managed to extract other, more sensitive, information.
It doesn't seem that Sony or its subsidiaries can get a break from these attacks, and every one of their online properties is fair game for hackers.
Sony Ericsson is a joint venture between Sony and Ericsson established in 2001 and is currently the sixth largest mobile phone manufacturer in the world.
We said in a previous article that the series of Sony compromises has become a sort of game, and this is exactly the impression left by Idahc, who writes: "Hackers vs Sony - we are the winners."
It's unlikely that these attacks will stop anytime soon, but for the time being Sony is no longer provoking the hackers and eventually they might grow tired.
As for the numerous security holes found in its websites, this is probably to be expected of any large company with a lot of web properties.
Obviously, the fact that it is not alone in this web security mess is not an excuse and hopefully its current problems will encourage others to invest more in security audits for their websites.
After all, it was SQL injection vulnerabilities that led to some of the largest financial data breaches in history. It's also worth keeping in mind that even if a website doesn't host sensitive information, SQL injection can still be used as a starting point for a larger attack.
Update May 24, 2011: The hacker claims he had the opportunity to extract much more sensitive information from the database, such as credit card details, but didn't because he's not a black hat.