Hackers LulzSec Say Sony Pictures Attacked, 1 Million Users Compromised (UPDATE)
*Scroll down for update*
Sony reportedly suffered yet another hack attack on Thursday.
This time, a group of hackers claims to have accessed the SonyPictures.com servers and compromised personal data belonging to one million customers, which the group said it then posted in a file on its website.
Hacker group LulzSecurity, fresh off its retaliatory attack on a PBS website over a WikiLeaks documentary, claimed responsibility for the Sony hack.
In a release posted on the group's website, the hackers claimed they obtained "personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts." The group also claimed that the hack "compromised all admin details of Sony Pictures (including passwords) along with 75,000 'music codes' and 3.5 million 'music coupons.'"
"The hackers published a massive amount of email addresses, user names and passwords, as well as coupon codes. Anyone that's registered on the site should be concerned their data was exposed," Jeremiah Grossman, CTO of WhiteHat Security, told The Huffington Post in an email. "This type of attack exposes [one] of the fundamental flaws that most companies take to risk management. Focusing on securing your primary site (such as a purchasing site) leaves secondary sites exposed, and they often contain valuable customer data."
Shockingly, LulzSec alleged that Sony left this information unencrypted and exposed to relatively elementary attacks:
Our goal here is not to come across as master hackers, hence what we're about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?
What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it. This is disgraceful and insecure: they were asking for it.
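As an added illustration, not part of the article or of anything Sony or LulzSec published, here are the two defects the quote names, each beside its fix: a login lookup that splices user input into the SQL text next to its parameterized form, and plaintext password storage next to salted PBKDF2 hashing. The table, the user record and the password are constructed sample data.

```python
import hashlib
import hmac
import os
import sqlite3


def make_db():
    """In-memory table with one constructed record, stored the way the quote describes: plaintext."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice@example.com', 'hunter2')")
    return db


def login_vulnerable(db, email, password):
    # Untrusted input becomes part of the SQL text, so the input can rewrite the query itself.
    sql = f"SELECT email FROM users WHERE email = '{email}' AND password = '{password}'"
    return [row[0] for row in db.execute(sql)]


def login_parameterized(db, email, password):
    # Placeholders keep the input as data: no input value can change the query's structure.
    sql = "SELECT email FROM users WHERE email = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (email, password))]


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; a leaked table then holds no usable passwords."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    db = make_db()
    print("parameterized login:", login_parameterized(db, "alice@example.com", "hunter2"))
    record = hash_password("hunter2")
    print("stored form:", record)
    print("verify correct password:", verify_password(record, "hunter2"))
    print("verify wrong password:", verify_password(record, "Hunter2"))
```

The stored form contains the algorithm, iteration count and salt, so the verifier needs nothing but the record and the candidate password.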
While working to recover from the massive PlayStation Network hack that affected millions of customers around the world in April, Sony faced harsh criticism for the network's vulnerabilities and eventually promised that PSN security had been dramatically increased. If LulzSec's accusations about Sony Pictures are true, Sony may have to rethink security measures for all its online properties.
Sony reportedly spent over $170 million after the PSN hack to cover the cost of identity theft insurance for customers, hacking investigators, tighter site security and more. The company even hired a Chief Information Security Officer. Even so, Sony has asserted that "no system is 100 percent safe."
"Unfortunately we should probably expect more of these types of hacks," Grossman warned.
UPDATE: According to the AP, Sony is "aware of LulzSec's claim and looking into it."
The AP also described accessing the user data posted by the hacker group online:
The data, carried in a plain text file posted to the hacking group's site, appeared to be at least partially genuine. The Associated Press called a number listed by LulzSec as belonging to 84-year-old Mary Tanning, a resident of Minnesota. Tanning picked up the phone, and confirmed the rest of the details listed by LulzSec – including her password, which she said she was changing.
"I don't panic," she told the AP, explaining that she was very seldom online and wasn't wealthy. "There's nothing that they can pick out of me," she joked.
If confirmed, the breach would deal yet another blow to Sony, which suffered a massive cyber-attack in April that targeted credit card information through its PlayStation Network and Sony Online Entertainment networks. Company executives on Thursday faced questions from U.S. lawmakers over why consumers weren't informed more quickly about the breach. Over 100 million user accounts were affected, and the company only recently managed to restore service.