And here we go again! The hacker organization known as Lulz Security has now set their eyes on Sony and according to them, earlier today, they were able to steal the information of 1 million Sony Pictures customers. The attack was supposedly carried out by SQL injection which is deemed to be a very low level, lower security operation. The attackers since then, released a .RAR file online which is set to contain over 50,000 users email and password to SonyPictures.com accounts. According to Engadget:
We’ve downloaded this file (at our own risk, mind you) and can verify these sensitive bits are now in the wild, though it remains unclear if what’s published matches reality.
The illegal hackers have also released over 20,000 Sony music coupons to the wild. To add further insult to injury, they’ve also released the admin database (including email addresses and passwords) for BMG Belgium employees. I’ve said it before and I’ll say it again, it’s hard for Sony to patch things up over a month, seeing how vast of a company they are with web services and sites in all contents, languages and product categories and offerings. However, seeing how the PlayStation Network attack took place well over a month ago, it’s a surprise to see that low level hacks are being executed on what seems to be high profile segments of the company like Sony Pictures.
Hit the jump for a statement from LulzSec and while your there, share your thoughts with us on this matter. Specifically, do you feel less secure and more hesitant to sign up for a Sony services in the future or do you believe like some security analysts, that after all this is said and done, Sony will be one of the most secure companies on the internet.
Greetings folks. We're LulzSec, and welcome to Sownage. Enclosed you will find various collections of data stolen from internal Sony networks and websites, all of which we accessed easily and without the need for outside support or money. We recently broke into SonyPictures.com and compromised over 1,000,000 users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts. Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 "music codes" and 3.5 million "music coupons". Due to a lack of resource on our part (The Lulz Boat needs additional funding!) we were unable to fully copy all of this information, however we have samples for you in our files to prove its authenticity. In theory we could have taken every last bit of information, but it would have taken several more weeks. Our goal here is not to come across as master hackers, hence what we're about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks? What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it. This is disgraceful and insecure: they were asking for it. This is an embarrassment to Sony; the SQLi link is provided in our file contents, and we invite anyone with the balls to check for themselves that what we say is true. You may even want to plunder those 3.5 million coupons while you can. Included in our collection are databases from Sony BMG Belgium & Netherlands. These also contain varied assortments of Sony user and staffer information. Follow our sexy asses on twitter to hear about our upcoming website. Ciao! ^_^
[Via Lulz Security]