After Sony finally fully recovered from the PSN hacking incident – reinstating the PlayStation Store yesterday – the company seems to have suffered another embarrassing security breach.
This time it’s the Sony Pictures website which has been compromised by the group known as LulzSec, with rather breathtaking results.
LulzSec claims it accessed the details of a million customers on the SonyPictures.com site, including emails, home addresses, passwords, dates of birth and other info, of which it copied at least 50,000 and then released them onto the net. They also made off with a number of music coupons and codes.
Of course the personal information is the critical part, but the breathtaking aspect is that according to the organisation, the data – including passwords – wasn’t encrypted.
LulzSec wrote: “Our goal here is not to come across as master hackers, hence what we’re about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?”
“What’s worse is that every bit of data we took wasn’t encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it’s just a matter of taking it. This is disgraceful and insecure: they were asking for it.”
Indeed, that is unbelievable, particularly seeing as Sony has evidently had a target painted on its back for hackers since its PS3 legal action began.
After the PSN and Sony Online Entertainment hacks, you’d think the company would be taking time to go around tightening up all its online security. But no, apparently we have flimsy safeguards and passwords stored in plaintext…
Sony hasn’t provided a response yet, but we can expect a surge in online fraud with the many compromised people who use the same passwords for all their accounts.