14 DAY TRIAL // A Lebanese hacker who broke into several Sony web properties until now has leaked a list of email addresses allegedly extracted from the sonymusic.pt database.
The hacker, who goes by the online handle of "Idahc," claims to have identified three vulnerabilities on the Sony Music Portugal website which facilitate SQL injection and cross-site scripting (XSS) attacks.
The SQLi flaw can allow attackers to read information from the site's database and the hacker exploited it to extract data from a table called "email_utilizador."
The 343 records found inside, namely email addresses belonging to Sony customers, were posted on pastebin.com.
Idahc notes that he didn't "dump" the entire database because he is a grey hat hacker, not a black hat one, and he is not interested in causing serious problems.
While the exposure of email addresses is not as bad that of personal or financial information, it can still cause annoyance to affected people who will likely experience an increase in spam as a result.
And because spammers also know that these emails were taken from the Sony Music Portugal website, they can craft convincing emails claiming they were sent by the company.
The number of Sony-related compromises, including this one, that Idahc has taken responsibility for so far, is three. His previous attacks were against the Sony Ericsson Canada and Sony Europe websites.
However, the hacker is not a newcomer. He previously hacked into websites belonging to Edimax, Orange, NASA and even the United States Military.
Idahc stated that he's doing this for fun as part of the "hackers vs. Sony" game in which the LulzSec hacking outfit currently leads with six compromises.
Unfortunately, this competition of who can shame Sony more is also affecting the privacy of consumers and in some cases makes them a target for serious attacks.