Softpedia
June 3rd, 2011, 07:27 GMT · By

Sony Pictures Hacked, Millions of Accounts Exposed

One million Sony Pictures accounts compromised
A hacker group called LulzSec claims to have compromised SonyPictures.com and gained access to its entire database of over one million accounts.

The group announced late last week that it was working on a new Sony hack, but it was later distracted by its attack on PBS.org after the network aired a WikiLeaks documentary.

LulzSec says the method of compromise was SQL injection, an attack that exploits one of the most common types of flaws found in websites today: user-supplied input is pasted into a database query and executed as part of it.

"SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING," the hackers write.

By EVERYTHING they mean the personal information of over 1 million people who had accounts on the website, 75,000 music codes and 3.5 million music coupons.

Compromised account information includes email addresses, home addresses, dates of birth, Sony opt-in data and, shockingly, plain text passwords.

"Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it. This is disgraceful and insecure: they were asking for it," LulzSec says.

Indeed, if Sony stored passwords without hashing them, that is a major security oversight. Storing only a salted, slow-to-compute hash of each password, rather than the password itself (hashing, not encryption, since the site never needs the original back), has been standard practice in web development for years.
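The two weaknesses the article describes, an injectable login query and passwords kept in plaintext, are small enough to show side by side. The following is an added example, not Softpedia's reporting or any code from Sony or LulzSec: a throwaway SQLite user store with a string-formatted login query that an injected input bypasses, the same lookup with bound parameters, and a salted PBKDF2 scheme in place of the plaintext column. The table layout, column names, sample accounts and the injected string are all constructed for the demo.

```python
"""Added example: SQL injection and plaintext password storage, each beside
its fix. All names and data here are constructed for the demo."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts; nothing here comes from any real breach.
SAMPLE_USERS = [
    ("alice@example.com", "correct horse"),
    ("bob@example.com", "hunter2"),
]

# Kept modest so the demo runs quickly; raise it for production use.
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 from the standard library. A fresh 16-byte
    salt per user means two users with the same password get different digests."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def make_db():
    """In-memory users table holding both the plaintext password (the storage
    the article criticises) and its salted hash, so the two can be compared."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT PRIMARY KEY, password_plain TEXT, "
        "salt BLOB, password_hash BLOB)"
    )
    for email, pw in SAMPLE_USERS:
        salt, digest = hash_password(pw)
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (email, pw, salt, digest))
    conn.commit()
    return conn


# --- Weakness 1: the query is built by string formatting -------------------

def login_vulnerable(conn, email, password):
    """Attacker-controlled input becomes SQL text. With the constructed email
    "x' OR '1'='1' --" the WHERE clause is always true and the rest is commented
    out, so the first row is returned without any valid password."""
    query = (
        "SELECT email FROM users WHERE email = '%s' AND password_plain = '%s'"
        % (email, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, email, password):
    """Same lookup with bound parameters: the input is only ever data."""
    row = conn.execute(
        "SELECT email FROM users WHERE email = ? AND password_plain = ?",
        (email, password),
    ).fetchone()
    return row[0] if row else None


# --- Weakness 2: plaintext storage ------------------------------------------

def login_hashed(conn, email, password):
    """Fetch the salt and digest by email, recompute the hash of the offered
    password and compare in constant time. A stolen digest still has to be cracked."""
    row = conn.execute(
        "SELECT salt, password_hash FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return None
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return email if hmac.compare_digest(candidate, stored) else None


def dump_table(conn):
    """What a full-table read via injection hands an attacker: with plaintext
    storage every password is directly usable; with hashes only digests leak."""
    return conn.execute("SELECT email, password_plain, password_hash FROM users").fetchall()


if __name__ == "__main__":
    conn = make_db()
    injected = "x' OR '1'='1' --"
    print("vulnerable login, injected email:", login_vulnerable(conn, injected, "anything"))
    print("parameterized login, injected email:", login_parameterized(conn, injected, "anything"))
    print("hashed login, right password:", login_hashed(conn, "bob@example.com", "hunter2"))
    print("hashed login, wrong password:", login_hashed(conn, "bob@example.com", "nope"))
    for email, plain, digest in dump_table(conn):
        print(email, "plaintext:", plain, "hash:", digest.hex()[:16] + "...")
```

Running it shows the injected email logging in through the formatted query and being rejected by the parameterized one, and the dump makes the storage point concrete: the plaintext column is usable as-is, the hash column is not. The same `?` placeholders that stop the injection also keep `login_hashed` safe, which is why the two fixes normally go together.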

However, while the database can technically be considered compromised because it was accessed by an unauthorized party, it has not been leaked in its entirety.

That's because the database was so massive that copying it would have taken LulzSec several weeks. The group decided to extract only samples of the information, which it leaked via The Pirate Bay.

Sony hasn't yet officially confirmed the security breach, but it did launch a probe into the group's claims. Given the evidence, however, it's very likely the compromise is real.

And it doesn't stop here: the release also contains information extracted from the databases of Sony BMG Belgium and Sony BMG Netherlands, meaning more of Sony's web properties have been broken into.


READER COMMENTS:


Comment #1 by: Eric on 03 Jun 2011, 19:16 UTC

The ethical implications of vigilante hackers looking for a target aside, they are right. Storing passwords in plain text is saying to the world "I do not even pretend to care about security."

Surely someone, at some point, at some time, had to have said "Hey, this isn't secure." But the management at Sony probably said, "Yeah, but we can't afford to fix it." They need to fire a lot of people...if after all their security issues they didn't even bother to check their systems for simple SQL injection vulnerabilities or passwords stored in plain text...they really do deserve it.

This reveals that as an organization Sony hasn't really cared about security because clearly this is a problem on a procedural, organization level all across Sony. I don't know about you, but it makes me not want to give Sony my personal information...ever...as if they need it to begin with.

Comment #1.1 by: Lucian Constantin on 06 Jun 2011, 12:20 GMT

I wouldn't give any company my personal information if I could get away with it. In a world where even security vendors get compromised and lose financial and personal data, I don't think there's any website where data is truly safe.

Unfortunately, sometimes we don't have the luxury of withholding our personal information if we want a service or benefit. For example, last year I bought an ACER notebook warranty extension and I was forced to input my real information into an ACER website in order to register and benefit from it.

ACER's European website was compromised last week (http://news.softpedia.com/news/Hackers-Steal-Customer-Data-from-Acer-s-European-Website-204261.shtml) and customer information was stolen. My country is on the list of compromised ACER customer data.
