Story updated 5-June-2011: Information on the SonyPictures.RU attack can be found at the end of the post.
By my count this is unlucky hack number 13 for Sony. A Lebanese hacker known as Idahc dumped another user database at Sony Europe containing approximately 120 usernames, passwords (plain text), mobile phone numbers, work emails and website addresses.
The attacker claims that he used standard SQL injection techniques to acquire the database. I think it is fair to say that Sony appears not to have learned anything from the previous 12 attacks.
SQL injection flaw? Check. Plain text passwords? Check. People’s personally identifiable information totally unprotected? Check.
Idahc is the same attacker who targeted the Canadian Sony Ericsson site in May, 2011. In his note on pastebin he states: “I was Bored and I play the game of the year : ‘hacker vs Sony’.” He posted the link to pastebin with the simple note “Sony Hacked: pastebin.com/OMITTED lol.”
If you are a database administrator (especially a Sony one) and want to keep your sensitive data from ending up in the headlines, I recommend you actually test your web applications for SQL injection vulnerabilities.
A great resource with detailed information on how to protect against SQL injection attacks is available at codeproject.com.
You can also download our free technical paper Securing Websites.
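The two defects called out above, string-built SQL and plain-text passwords, and their fixes, in an added example (this is not code from the post or from any Sony system; the table layout and the sample user are constructed):

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory user table standing in for the kind of customer
# database described in the post (e-mail plus credential material).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 instead of storing the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def add_user(conn: sqlite3.Connection, email: str, password: str) -> None:
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (email, salt, hash_password(password, salt)))

def lookup_unsafe(conn: sqlite3.Connection, email: str):
    # The anti-pattern: user input concatenated straight into the SQL text,
    # so a quote character in the input alters the query instead of being data.
    sql = "SELECT salt, pw_hash FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchone()

def lookup_safe(conn: sqlite3.Connection, email: str):
    # Parameterised query: the driver passes the value separately from the
    # SQL text, so it can never be parsed as part of the statement.
    return conn.execute("SELECT salt, pw_hash FROM users WHERE email = ?",
                        (email,)).fetchone()

def verify_login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    row = lookup_safe(conn, email)
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the recomputed hash against the stored one.
    return hmac.compare_digest(stored, hash_password(password, salt))

def demo() -> dict:
    conn = make_db()
    add_user(conn, "o'brien@example.com", "correct horse")
    results = {
        "safe_finds_user": lookup_safe(conn, "o'brien@example.com") is not None,
        "good_login": verify_login(conn, "o'brien@example.com", "correct horse"),
        "bad_login": verify_login(conn, "o'brien@example.com", "wrong"),
    }
    try:  # an ordinary apostrophe is enough to break the concatenated query
        lookup_unsafe(conn, "o'brien@example.com")
        results["unsafe_broke"] = False
    except sqlite3.OperationalError:
        results["unsafe_broke"] = True
    return results
```

The same apostrophe that is harmless data to the parameterised lookup turns into a syntax error in the concatenated one, which is the symptom a test suite for injection should look for.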
Update: In addition to the attack detailed above, the hacking group known as LulzSec has compromised SonyPictures.RU through another SQL injection flaw. No personal information was disclosed in the attack; it appears to have been designed just to continue to point out security flaws in Sony’s infrastructure to create PR problems for the media giant. In the note, LulzSec left a message: “In Soviet Russia, SQL injects you…”
I love the name he is using. "Idahc" is "Chadi" backwards, which is the French (and Lebanese) way of writing "Shadi", a common Arabic name
That is kind of clever. So simple, but captures so much. Plus Idahc almost looks like a typo for "Idaho". Thanks for pointing that out.
congrats, you figured out a name. now what?
maybe if you could figure out how to trace a location from an ip ppl wouldn't make fun of you
Is it now a global open season on Sony hacks? Not sarcastic, seriously.
It seems like a kind of momentum e.g. even every auto-generated related story on Naked Security's site reads accordingly:
"Sony Canadian e-commerce site hacked"
"Sony Greece latest hacked site"
"Sony credit details encrypted" maybe
and of course the hack du jour story
"Sony hacked by Lebanese hacker again"
At which I shouldn't laugh. But the headline is catchy. Will 13 be the end of the run? I guess Sony would like to know the answer to that too.
Oh wow, someone really despises Sony.
buy an xbox 360 and forget these problems!!
if you think microsoft doesn't have any security flaws you're very naive
Yah….but microsoft doesn't sue hackers, they usually hire them….
Hire someone who RELEASED the usernames/passwords of the database. What a great idea, let him release internal company documents. Microsoft gets thousands of exploits sent to them privately, then the exploits get patched. Otherwise we have a 0-day.
Take a shop lifter, steals from your store every day. Knowing this, would you hire him?
but Microsoft doesn't have haters like Sony…. that what I think 🙂 .
So it breaks in a month? Great idea!
I think I'll just stick to my PC and forgo 'classics' like Gears of War and other games I'm not missing at all.
Who knew Sony would be the champion of Open on the internet, its less private than Facebook, that must annoy Zuckerberg 🙂 LOL
The funny side is that there was one security company that was giving a demo of their product, and 'SONY' was one of their customers who were more secure because of their product. I chuckled at it and told them that you shouldn't be showing Sony to your prospective customers any more….. and then there was silence in the room for quite some time…
Author, can you confirm that 13 number? Can you count all those 13 here? Thanks!
1. Anonymous/DDoS
2. PSN(77 Mil)
3. SOE (25 Mil)
4. SOE 12,700 "old database from 2007"
5. PSN password reset hacks/flaws
6. Sony Music Indonesia
7. 2500 Sweepstakes records from 2001
8. SO-Net
9. Sony Music Greece
10. Sony Music Japan
11. Sony Ericsson Canada
12. Sony Pictures
13. Sony Europe
The hackers are attacking Sony for what they are doing to geohot. Google "Sony geohot" for more details
That was only the reason why anonymous DDoS'ed em.
The Sony music things were 4 the YouTube garbage…
And some of them were just 4 fun.
It isn't just Geohot. A hatred for Sony has been growing for years due to their anti-consumer policies and actions; here are a few of their highlights.
Suing Jon Lech Johansen aka DVD-Jon for creating DeCSS, used to remove the Content Scrambling System (CSS) DRM from DVDs.
Suing Lik-Sang and forcing them to close.
Suing jailbreak manufacturers and retailers of PS-Jailbreak devices such as ozmodchips.
Suing Graf Chokolo for his work on reversing the PS3 hypervisor and bringing back Linux.
Suing team fail0verflow aka team-twiizers for pointing out PS3 security flaws.
Sending threatening emails to PS3 CFW users.
The list could go on forever, they have basically pissed off the homebrew community, hacking community and warez community for many years and people are finally retaliating.
Good for the people, Screw you Sony!
You forgot one quite important thing in that list: Sony included a rootkit on their CDs a few years ago. That’s gotta be one of the biggest nails in their PR coffin…
you forgot stealing OtherOS from their customers in the first place. Everyone who bought a Phat PS3 paid for it…
SQL injection only? LOL
Do their programmers come from ancient-time tech?
I wish the hackers would just find another toy on another planet in another galaxy. This is going to get as annoying as LIGATT was…