The never-ending Sony hackathon – this time it’s Sony Pictures

Wow, will the hacking of Sony ever stop?

One has to wonder, because every time we turn around lately some other division of Sony is getting hacked. The newest attack, against Sony Pictures, was launched by a group called LulzSec, and they aren’t being the least bit shy about their success.

In a simple text file titled “Pretentious Press Statement.txt” the group had this to say about the hack:

“SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?”

So what did they get away with this time?

Well:

  • A link to a vulnerable sonypictures.com webpage.
  • 12,500 users related to Auto Trader (Contest entrants?) including birth dates, addresses, email addresses, full names, plain text passwords, user IDs and phone numbers.
  • 21,000 IDs associated with a DB table labeled “BEAUTY_USERS” including email addresses and plain text passwords.
  • ~20,000 Sony Music coupons (out of 3.5 million in the DB).
  • Just under 18,000 emails and plain text passwords from a Seinfeld “Del Boca” sweepstakes.
  • Over 65,000 Sony Music codes.
  • Several other tables including those from Sony BMG in The Netherlands and Belgium.

I think that anyone who has done business online with Sony should immediately change whatever passwords they were using and then maybe think twice about doing any further business with a company that obviously doesn’t have a clue about even the most basic of web security standards.

via Naked Security – Sophos