Sony slammed over new data breach

The Associated Press | Posted: June 3, 2011 5:44 AM | Last Updated: June 4, 2011

Passwords unencrypted, says hacker group that posted them online

Yet another massive data breach at Sony has left hackers exulting, customers steaming and security experts questioning why basic fixes haven't been made to the company's crisis-stricken cybersecurity program.

Hackers say they managed to steal a massive trove of personal information from Sony Pictures' website using a basic technique which they claim shows how poorly the company guards its users' secrets. Security experts agreed Friday, saying that the company's security was bypassed by a well-known attack method that could easily have been prevented.

"Any website worth its salt these days should be built to withstand such attacks," said Graham Cluley, of web security firm Sophos.

Coming on the heels of a massive security breach that compromised more than 100 million user accounts associated with Sony's PlayStation and online entertainment networks, Cluley said the latest attack suggested that hackers were lining up to give the company a good kicking.

Image | mi-sony-apology-300-0060027

Caption: Sony CEO Kazuo Hirai, centre, bows in apology along with two other executives in Tokyo on May 1 regarding a security breach in April. (Shizuo Kambayashi/Associated Press)

Open Image in New Tab

"They are becoming the whipping boy of the computer underground," he said.

Culver City, Calif.-based Sony Pictures has so far declined to comment beyond saying that it is looking into the reported attack — which saw many users' names, home addresses, phone numbers, emails, and passwords posted to the web.

It wasn't clear how many people were affected. The hackers, who call themselves Lulz Security — a reference to the internetspeak for "laugh out loud" — boasted of compromising more than a million users' personal information — although it said that a lack of resources meant it could only leak a selection to the web.

Statement from LulzSec

The group LulzSec posted a press release about the Sony breach on its website. Below are excerpts:

"We recently broke into SonyPictures.com and compromised over 1,000,000 users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts. Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 'music codes' and 3.5 million 'music coupons.'...

"Our goal here is not to come across as master hackers, hence what we're about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?"

The group ridiculed Sony for the ease with which it stole the data, saying that the company stored peoples' passwords in a simple text file — something it called "disgraceful and insecure."

Several emails sent to accounts associated with the hackers as well as messages posted to the microblogging site Twitter were not returned, but in one of its tweets Lulz Security expressed no remorse.

"Hey innocent people whose data we leaked: blame Sony," it said.

Sony's customers — many of whom had given the company their information for sweepstakes draws — appeared to agree.

Tim Rillahan, a 39-year-old computer instructor in Ohio, said he was extremely upset to find his email address and password posted online for "the whole world to see."

"I have since been changing my passwords on every site that uses a login," he said in an email Friday. "Sony stored our passwords in plain text instead of encrypting the information. It shows little respect to us, their customers."

He and others complained that they had yet to hear from the company about the breach, news of which is nearly a day old.

John Bumgarner, the chief technology officer for the U.S. Cyber Consequences Unit — a research group devoted to monitoring internet threats — was emphatic when asked whether users' passwords could be left unencrypted.

"Never, never, never," he said. "Passwords should always be hashed. Some kind of encryption should be used."

Bumgarner, who's been critical of Sony's security in the past, said the company needed to take a hard look at how it safeguards its data.

"It's time for Sony to press reset button on their cybersecurity program before another incident occurs," he said.

LulzSec recently claimed responsibility for hacking the website of the PBS television network to post a fake story in protest of a recent Frontline investigative news program on WikiLeaks.

Sony data breaches timeline

April 16-17: Hackers break into Sony Online Entertainment.
April 17-19: Hackers break into Sony PlayStation Network and Qriocity.
April 19: Sony detects an "external intrusion" on its PlayStation Network.
April 20: Sony shuts down the PlayStation Network and Qriocity.
April 22: Sony says the networks are affected by "an external intrusion" and that it is investigating.
April 26: Sony announces that it believes "an unauthorized person" has obtained personal data of PlayStation Network and Qriocity users.
May 1: Sony Computer Entertainment executives apologize for the breach at a press conference in Tokyo.
May 2: Sony says Sony Online Entertainment was also affected by a malicious intrusion.
May 4: Sony provides details of its investigation to a U.S. Congressional subcommittee.
May 5: Sony CEO Howard Stringer apologizes and offers free identity theft insurance coverage to U.S. customers.
May 14: Sony starts restoring PlayStation Network services.
May 16: Sony details 'welcome back' freebies such as games for PlayStation Network customers.
May 18: Sony temporarily suspends its password change website after discovering a potential security issue. Meanwhile, the company discovers a security breach at its So-net Entertainment Corp. unit, a mobile internet service provider in Japan.
May 23: Sony says it expects an annual loss of $3.1 billion following the tsunami in Japan and the hacker attacks on its online services.
May 24: Sony says it has found a security breach affecting 8,500 accounts of a music entertainment website in Greece.
May 25: Sony says another security breach may have exposed the information of 2,000 Sony Ericsson customers in Canada.
June 1: Sony announces that the PlayStation store is back online.
June 3: A group of hackers called LulzSec says it broke into the Sony Pictures website and compromised the information of 1 million users. The hackers post the data, including passwords, online.