Sony's security problems are not over and new security breaches seem to pop up every week. The latest one involves user information being leaked from the website of Sony BMG Greece. The incident was revealed over the weekend when someone publicly disclosed the stolen information of 8,385 users. However, the actual compromise occurred earlier this month.
The database dump was posted on pastebin.com for everyone to see and it contained usernames, email addresses, passwords and in some cases telephone numbers.
"It appears someone used an automated SQL injection tool to find this flaw. It's not something that requires a particularly skillful attacker, but simply the diligence to comb through Sony website after website until a security flaw is found," says Chester Wisniewski, a senior security advisor at Sophos.
SQL injection vulnerabilities are very common and Sony is not the only large company caught with such holes in its web properties.
Of course, this is no excuse, and it underlines the need for better and more frequent website security audits across the industry.
What's more worrying though is the apparent storing of passwords in clear text, which goes against any modern security policy.
Users affected by this breach are strongly encouraged to change their passwords, especially if they also use them on other websites, something which unfortunately a lot of people do.
Because email addresses were also exposed, users should expect an increase in spam and possibly phishing attacks.
Other Sony compromises revealed last week include the stealing of gift points worth $1,225 from 128 So-net Entertainment accounts and the discovery of a phishing page hosted on Sony’s Thailand portal.
Sony has already spent huge amounts of money to respond to recent security incidents and improve its security practices. It's clear that its crackdown on hackers backfired big time and will probably serve as an example to other companies of how not to handle similar situations.
But in the end, Mr. Wisniewski says, "when this is over, Sony may end up being one of the most secure web assets on the net."