
Sony Pictures hacked, as attackers reveal one million passwords were unencrypted and stored in plain text


Sony was hit by hackers again last night, with its pictures website taken down and around one million passwords stolen.

According to a statement by ‘Lulzsec’, the group recently broke in and compromised the personal information of over 1,000,000 users, including passwords, email addresses, home addresses, dates of birth and all Sony opt-in data associated with their accounts.

It also claimed to have compromised all admin details of Sony Pictures (including passwords) along with 75,000 ‘music codes’ and 3.5 million ‘music coupons’. It said: “Our goal here is not to come across as master hackers, hence what we're about to reveal: was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now.

“From a single injection, we accessed everything. Why do you put such faith in a company that allows itself to become open to these simple attacks?”

Lulzsec also revealed that ‘every bit of data we took wasn't encrypted’, as Sony stored over 1,000,000 passwords of its customers in plain text.

“This is disgraceful and insecure: they were asking for it. This is an embarrassment to Sony; the SQLi link is provided in our file contents and we invite anyone with the balls to check for themselves that what we say is true. You may even want to plunder those 3.5 million coupons while you can,” Lulzsec said.

Sony Pictures has not yet commented on the attack, but did say on its Twitter feed that it was ‘looking into the claims about reports of attacks on Sony Pictures websites’.

Ross Brewer, vice president and managing director of international markets at LogRhythm, said: “What is interesting about this latest Sony attack is that it is the hacking group, rather than Sony itself, who has disclosed the breach. This raises the question: did even know that its network had been compromised?

“Perhaps it did know, but decided not to disclose it. Either way, it will be a major worry to consumers who have entrusted the company with their personal information.”

Chester Wisniewski, senior security advisor at Sophos Canada, said that he had seen some of the disclosed information and that many of the passwords used were ‘faithful’, ‘hockey’, ‘123456’, ‘freddie’, ‘123qaz’ and ‘michael’.

Wisniewski said: “This sounds like a broken record: passwords and sensitive user details stored in plain text, attackers using ‘a very simple SQL injection’ to compromise a major media conglomerate. Worst of all, the hackers are exposing over a million people to having their accounts compromised and identities stolen simply to make a political point.

“The takeaway for the average internet user is clear. Don't trust that your password is being securely stored, and be sure to use a unique password for every website to limit your exposure if hacks like these occur.”

Stephen Howes, founder and CTO of GrIDsure, told SC Magazine that this was much the same old story that we were seeing on almost a daily basis. He said: “Anyone who stores passwords for people, be they Sony or anyone, has a duty to protect and encrypt them.

“The problem is people use the same password for multiple websites. It is going to be easy for hackers to attack companies, and they get their kicks out of attacking the big companies; part of that company's responsibility is to be aware that they will be a target. It is a basic lesson in IT to encrypt sensitive information.”

Mike Smart, solutions director EMEA at SafeNet, said: “Whether the hack had happened or not, Sony has suffered a catastrophic collapse of trust on data protection which continues to cause damage. The solution for Sony and other brands whose reputation has been seriously damaged is that they need to rebuild trust in addition to securing their systems from attacks.”
