LONDON — Sony has been hit by a second massive data breach, hackers claim, another potential embarrassment for a company that is struggling to restore its image following the loss of millions of credit card numbers through its PlayStation Network.
The hackers, who call themselves LulzSec, said they pulled off what they described as an elementary attack to highlight Sony's "disgraceful" security.
"Every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it," LulzSec said in a statement. "They were asking for it."
Sony Pictures, a subsidiary of Sony Corporation of America, said Thursday it is aware of the LulzSec statement.
"We are looking into these claims," said Jim Kennedy, executive vice president of global communications for Sony Pictures Entertainment.
The data – which includes passwords, email addresses, phone numbers, home addresses, dates of birth – was posted to the LulzSec website and appeared to be at least partially genuine.
The Associated Press called a number listed by LulzSec as belonging to 84-year-old Mary Tanning, a resident of Minnesota. Tanning picked up the phone, and confirmed the rest of the details listed by LulzSec – including her password, which she said she was changing.
"I don't panic," she told the AP, explaining that she was very seldom online and wasn't wealthy. "There's nothing that they can pick out of me," she joked.
Several other people contacted by the AP confirmed that their passwords had been published online. Many were angry and distressed.
"If this is so, I'm very upset," said Elizabeth Smith, from Tucson, Arizona. "I'm very disappointed that Sony would not protect things like that."
Like several others contacted by the AP, Smith said she often entered online sweepstakes – including ones she described as being affiliated with Sony. Neither she nor anyone else reached over the phone said they'd heard from the company about the apparent breach.
Sony Corp. is already is facing questions over why it did not inform consumers more quickly after a massive cyber-attack in April targeted credit card information through its PlayStation Network and Sony Online Entertainment network, compromising more than 100 million user accounts.
At the time, experts warned the attack emboldened hackers and made them more willing to pursue sensitive information.
It is unclear who the members of LulzSec are, or where they're based. The group didn't immediately reply to emails sent to their website's administrative and technical accounts or to a Twitter message posted to the Web late Thursday.
The group's website -- which has a pared-down, 1990s look -- was only registered on Wednesday, according to an Internet records search. The site's registrant is listed as being based in the Bahamas.
LulzSec recently claimed responsibility for hacking the website of the PBS television network to post a fake story in protest of a recent "Frontline" investigative news program on WikiLeaks.
For the past two days, the group has been mocking Sony via Twitter and alluding to a hacking operation.
Posts on the microblogging site through an account linked to the group at times chastise "silly Sony" and "You Sony morons," saying "everything we have will be published in multiple ways to ensure maximum embarrassment and exposure for (Sony) and their security flaws."
Cassandra Vinograd can be reached at http://twitter.com/CassVinograd
Raphael G. Satter can be reached at http://twitter.com/razhael