In a statement, hacker 'NullCrew' claimed to have hit the electronics giant and posted information gained from its systems after taking control of eight servers. It said that it had a list of usernames, email addresses, passwords and other information that appeared to be related to Sonymobile.com.
The statement, which is no longer on Pastebin, read: “Sony, we are dearly dissapointed [sic] in your security. This is just one of eight sony servers that we hve [sic] control of. Maybe, just maybe considering IP addresses are avaliable [sic]. Maybe, just maybe it's the fact that not even your customers can trust you. Or maybe, just maybe the fact that you can not [sic] do anything correct technologically."
The list included 441 usernames with additional email addresses, 24 usernames with hashed passwords and three admin data sets. In an email to SC Magazine, a spokesperson for 'Official Null', who revealed his name to be 'Jonah', said that it 'got the data using SQL Injection'.
He said: “Of course, the server was terribly insecure, so we shelled the Sony Mobile site using 'INTO OUTFILE'. Now we've managed to gain access to eight different servers since we only had shelled one.”
However he also revealed that that the group is no longer planning to sell the data. “I'm not selling anymore because I'll probably release more data (for example on PSN) in the future,” he said.
'Jonah' did not respond to further emails in regard to where the SQL Injection vulnerability was, however he did say that it did directly target Sony. Regarding affiliation to other hacktivist groups or previous actions against Sony, which were prevalent last year, he said it was not directly associated with Anonymous, however it did support most of their operations.
Sony issued a statement confirming the hack saying that no credit card information was compromised in the attack and mostly users of its mobile unit in China and Taiwan were impacted. It also said it did not know the source of the attack.