
Sony Pictures hacked, as attackers reveal one million passwords were unencrypted and stored in plain text


Sony was hit by hackers again last night, with its pictures website taken down and around one million passwords stolen.

According to a statement by ‘Lulzsec’, it recently broke into SonyPictures.com and compromised over 1,000,000 users' personal information, including passwords, email addresses, home addresses, dates of birth and all Sony opt-in data associated with their accounts.

It also claimed to have compromised all admin details of Sony Pictures (including passwords) along with 75,000 ‘music codes' and 3.5 million ‘music coupons'. It said: “Our goal here is not to come across as master hackers, hence what we're about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now.

“From a single injection, we accessed everything. Why do you put such faith in a company that allows itself to become open to these simple attacks?”

Lulzsec also revealed that ‘every bit of data we took wasn't encrypted', as Sony stored over 1,000,000 passwords of its customers in plain text.

“This is disgraceful and insecure: they were asking for it. This is an embarrassment to Sony; the SQLi link is provided in our file contents and we invite anyone with the balls to check for themselves that what we say is true. You may even want to plunder those 3.5 million coupons while you can,” Lulzsec said.

Sony Pictures has not yet commented on the attack, but did say on its Twitter feed that it was ‘looking into the claims about reports of attacks on Sony Pictures websites’.

Ross Brewer, vice president and managing director of international markets at LogRhythm, said: “What is interesting about this latest Sony attack is that it is the hacking group, rather than Sony itself, who has disclosed the breach. This raises the question: did SonyPictures.com even know that its network had been compromised?

“Perhaps it did know, but decided not to disclose it. Either way, it will be a major worry to consumers who have entrusted the company with their personal information.”

Chester Wisniewski, senior security advisor at Sophos Canada, said that he had seen some of the information disclosed and that many of the passwords used were faithful, hockey, 123456, freddie, 123qaz and michael.

Wisniewski said: “This sounds like a broken record, passwords and sensitive user details stored in plain text, attackers using ‘a very simple SQL injection' to compromise a major media conglomerate. Worst of all the hackers are exposing over a million people to having their accounts compromised and identities stolen simply to make a political point.

“The take away for the average internet users is clear. Don't trust that your password is being securely stored and be sure to use a unique password for every website to limit your exposure if hacks like these occur.”

Stephen Howes, founder and CTO of GrIDsure, told SC Magazine that this was much the same old story that we were seeing on almost a daily basis. He said: “Anyone who stores passwords for people, be they Sony or anyone, have a duty to protect and encrypt them.

“The problem is people use the same password for multiple websites. It is going to be easy for hackers to attack companies and they get their kicks out of attacking the big companies, part of that company's responsibility is to be aware that they will be a target. It is a basic lesson in IT to encrypt sensitive information.”

Mike Smart, solutions director EMEA at SafeNet, said: “Whether the hack had happened or not, Sony has suffered a catastrophic collapse of trust on data protection which continues to cause damage. The solution for Sony and other brands whose reputation has been seriously damaged is that they need to rebuild trust in addition to securing their systems from attacks.”
