Sony Pictures attacked again, 4.5 million records exposed

Filed Under: Data loss, Featured, Privacy, Vulnerability

The same hackers who recently attacked PBS.org have turned their attention back to Sony by releasing the latest dump of information stolen from Sony's websites.

While the information disclosed includes approximately 150,000 records, the hackers claim the databases exposed contain over 4.5 million records, at least a million of which include user information.

The data stolen includes:

  • A link to a vulnerable sonypictures.com webpage.

  • 12,500 users related to Auto Trader (Contest entrants?) including birth dates, addresses, email addresses, full names, plain text passwords, user IDs and phone numbers.

  • 21,000 IDs associated with a DB table labeled "BEAUTY_USERS" including email addresses and plain text passwords.

  • ~20,000 Sony Music coupons (out of 3.5 million in the DB).

  • Just under 18,000 emails and plain text passwords from a Seinfeld "Del Boca" sweepstakes.

  • Over 65,000 Sony Music codes.

  • Several other tables including those from Sony BMG in The Netherlands and Belgium.

The attackers, LulzSec, stated in their file titled "PRETENTIOUS PRESS STATEMENT.txt":

"SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?"

This sounds like a broken record... Passwords and sensitive user details stored in plain text... Attackers using "a very simple SQL injection" to compromise a major media conglomerate.

Worst of all, the hackers are exposing over a million people to having their accounts compromised and their identities stolen simply to make a political point.

The takeaway for the average internet user is clear. Don't trust that your password is being securely stored, and be sure to use a unique password for every website to limit your exposure if hacks like these occur.

I took a brief look at some of the information disclosed and many passwords used were things like "faithful", "hockey", "123456", "freddie", "123qaz" and "michael".

Companies collecting information from their customers have a duty to protect that information as well.

In addition to employing proper encryption to protect against theft or loss, companies should work with reputable penetration testers to validate their security plans.
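The two defects the post calls out, data spliced straight into a SQL statement and passwords stored as plain text, beside the hardened form of the same login lookup. This is an added illustration, not code from the article or from Sony; it uses an in-memory sqlite3 table with constructed rows, and the scrypt parameters are an assumption for the demo.

```python
import hashlib
import hmac
import os
import sqlite3


def create_db():
    """Constructed stand-in for a user table: no plain-text password column."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, memory-hard hash from the standard library; cost parameters are an assumption.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def register(db, email: str, password: str) -> None:
    salt = os.urandom(16)
    # Parameterized statement: the driver never lets the email be parsed as SQL.
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (email, salt, hash_password(password, salt)))


def lookup_unsafe(db, email: str):
    # The pattern behind "a very simple SQL injection": user data becomes part of the statement.
    # A legitimate address containing an apostrophe is enough to break it.
    return db.execute("SELECT email FROM users WHERE email = '" + email + "'").fetchone()


def lookup_safe(db, email: str):
    # Same query with a bound parameter: the apostrophe is just data.
    return db.execute("SELECT email FROM users WHERE email = ?", (email,)).fetchone()


def verify_login(db, email: str, password: str) -> bool:
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison; a leaked table yields hashes, not reusable passwords.
    return hmac.compare_digest(hash_password(password, salt), stored)
```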

Interested in some practical help with data security? Download our Data Security Toolkit.

Interested in encrypting your own personal files? Try out Sophos Free Encryption.


4 Responses to Sony Pictures attacked again, 4.5 million records exposed

  1. EddyT · 1247 days ago

    Anyone using a platform/site that is subject to SQL injection should resign, immediately. Any decent developer knows that this is the first door they should close. If you haven't, then you deserve everything you get.

  2. Yo, Sony. Stop apologizing, start fixing.

  3. Jeff · 1246 days ago

    Side note: not interested in giving anyone my phone number in order to download a data security toolkit ;)

  4. carl · 1246 days ago

    The final result of such demonstrations that no system is invulnerable is escalating cost to the end user. Simple as!


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.