Sony was hit by hackers again last night, with its pictures website taken down and around one million passwords stolen.
According to a statement by ‘Lulzsec’, it recently broke into SonyPictures.com and compromised over 1,000,000 users' personal information, including passwords, email addresses, home addresses, dates of birth and all Sony opt-in data associated with their accounts.
It also claimed to have compromised all admin details of Sony Pictures (including passwords) along with 75,000 ‘music codes’ and 3.5 million ‘music coupons’. It said: “Our goal here is not to come across as master hackers, hence what we're about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now.
“From a single injection, we accessed everything. Why do you put such faith in a company that allows itself to become open to these simple attacks?”
Lulzsec also revealed that ‘every bit of data we took wasn't encrypted’, as Sony stored over 1,000,000 passwords of its customers in plain text.
“This is disgraceful and insecure: they were asking for it. This is an embarrassment to Sony; the SQLi link is provided in our file contents and we invite anyone with the balls to check for themselves that what we say is true. You may even want to plunder those 3.5 million coupons while you can,” Lulzsec said.
Sony Pictures has not commented on the attack yet, but did say on its Twitter feed that it was ‘looking into the claims about reports of attacks on Sony Pictures websites’.
Ross Brewer, vice president and managing director of international markets at LogRhythm, said: “What is interesting about this latest Sony attack is that it is the hacking group, rather than Sony itself, who has disclosed the breach. This raises the question: did SonyPictures.com even know that its network had been compromised?
“Perhaps it did know, but decided not to disclose it. Either way, it will be a major worry to consumers who have entrusted the company with their personal information.”
Chester Wisniewski, senior security advisor at Sophos Canada, said that he had seen some of the information disclosed and that many of the passwords used were ‘faithful’, ‘hockey’, ‘123456’, ‘freddie’, ‘123qaz’ and ‘michael’.
Wisniewski said: “This sounds like a broken record: passwords and sensitive user details stored in plain text, attackers using ‘a very simple SQL injection’ to compromise a major media conglomerate. Worst of all, the hackers are exposing over a million people to having their accounts compromised and identities stolen simply to make a political point.
“The takeaway for the average internet user is clear. Don't trust that your password is being securely stored, and be sure to use a unique password for every website to limit your exposure if hacks like these occur.”
Stephen Howes, founder and CTO of GrIDsure, told SC Magazine that this was much the same old story that we were seeing on almost a daily basis. He said: “Anyone who stores passwords for people, be they Sony or anyone, has a duty to protect and encrypt them.
“The problem is people use the same password for multiple websites. It is going to be easy for hackers to attack companies, and they get their kicks out of attacking the big companies; part of that company's responsibility is to be aware that they will be a target. It is a basic lesson in IT to encrypt sensitive information.”
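The two defects the article describes, user input pasted into the SQL text and passwords kept in plain text, beside the corrected pattern, as an added illustration that is not code from the article, from Sony or from Lulzsec. It uses a constructed in-memory SQLite table with made-up accounts; note that the accepted fix for stored passwords is a salted, slow hash (here PBKDF2), not the reversible ‘encryption’ the quoted experts call for.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# Constructed in-memory stand-in for a customer table; every row is made up.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw_salt BLOB, pw_hash BLOB)")


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow KDF: what should be stored instead of the plain text the article describes."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def register(email: str, password: str) -> None:
    salt, digest = hash_password(password)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (email, salt, digest))


def verify(email: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    row = conn.execute("SELECT pw_salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    _, digest = hash_password(password, row[0])
    return hmac.compare_digest(digest, row[1])


def lookup_unsafe(email: str):
    # The shape behind "a very simple SQL injection": the value becomes part of the SQL
    # text, so any quote in it changes the query's structure. Kept only to contrast with
    # lookup_safe; even a legitimate address with an apostrophe breaks it.
    return conn.execute(f"SELECT email FROM users WHERE email = '{email}'").fetchone()


def lookup_safe(email: str):
    # Bound parameter: the driver passes the value separately, so it is never parsed as SQL.
    return conn.execute("SELECT email FROM users WHERE email = ?", (email,)).fetchone()


def demo():
    """Register one user and look them up both ways; returns (unsafe_result, safe_result)."""
    email = "o'brien@example.com"  # constructed address containing a quote character
    register(email, "correct horse")
    try:
        unsafe = lookup_unsafe(email)
    except sqlite3.OperationalError as exc:
        unsafe = f"query broken: {exc}"
    return unsafe, lookup_safe(email)
```

`demo()` shows the concatenated query failing on an ordinary apostrophe while the bound query returns the row; `verify` never sees or stores the plain-text password after registration.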
Mike Smart, solutions director EMEA at SafeNet, said: “Whether the hack had happened or not, Sony has suffered a catastrophic collapse of trust on data protection which continues to cause damage. The solution for Sony and other brands whose reputation has been seriously damaged is that they need to rebuild trust in addition to securing their systems from attacks.”