14 DAY TRIAL // A hacker group called LulzSec claim to have compromised SonyPictures.com and gained access to its entire database of over one million accounts.
The group announced late last week that is working on a new Sony hack, but later got distracted with their attack against PBS.org after the network ran a WikiLeaks documentary.
LulzSec claims the method of compromise was SQL injection, an attack that exploits one of the most common type of flaws found in websites today.
"SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING," the hackers write.
By EVERYTHING they mean the personal information of over 1 million people who had accounts on the website, 75,000 music codes and 3.5 million music coupons.
Compromised account information includes email addresses, home addresses, dates of birth, Sony opt-in data and, shockingly, plain text passwords.
"Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it. This is disgraceful and insecure: they were asking for it," LulzSec says.
Indeed, if Sony failed to encrypt (hash) passwords, it is a major security oversight. This practice has been a standard in web development for years now.
However, while the database can technically be considered compromised because it was accessed by an unauthorized party, it has not been leaked in its entirety.
That's because it was so massive it would have taken LulzSec several weeks to copy the data. The group decided to only extract samples of the information, which they leaked via The Pirate Bay.
Sony hasn't yet officially confirmed the security breach, but it did launch a probe into the group's claims. Given the evidence, however, it's very likely the compromise is real.
And it doesn't stop here, as LulzSec also included various information extracted from the databases of Sony BMG Belgium & Netherlands. This means that more of Sony's web properties have been hacked into.