Well, folks, someone is losing their job after this. The LulzSec hacker group that has been boasting of hacking into Sony and stealing millions of users’ information over the last week has finally delivered. Today’s release marks the second major breach of Sony servers in two months. However, unlike the original “PSN hack” that hit Sony’s PlayStation Network, this latest attack by LulzSec has touched many different areas of Sony online, including the Sonypictures.com and Sony BMG websites. The most telling part of this latest hack is that a simple SQL injection was all that was needed. And there’s not much security to speak of when you’re storing sensitive user information in plain text.
The full list of compromised sites, with download links for samples of the stolen information/proof:
- LulzSec Hack Summary (with links to compromised data): Pastebin
- Sonypictures.com AutoTrader user database
- Sonypictures.com Summer of Restless Beauty users database
- Sonypictures.com Sony Wonder coupons database
- Sonypictures.com Sony Wonder music codes database
- Sonypictures.com Seinfeld Del Boca Vista database
- Sonypictures.com database tables
- Sonybmg.nl database
- Sonybmg.be database
Because fully downloading the account information of the 1,000,000 users LulzSec had access to would have taken many more days, if not weeks, the group posted download links to shorter samples pulled from Sony’s servers. With that said, while the more serious information includes scores of coupon codes, full addresses, and email accounts and passwords, we don’t see any credit card information — yet.
Seeing as how this would be another massive screw-up on Sony’s part, the company must be on the verge of addressing the public, right? Wrong. In an email response to the ibTimes from earlier [~2pm EST] (Sony hasn’t responded to us yet), answering questions about the claimed ongoing hack over the past week, a Sony spokeswoman said:
“We have been performing regular, thorough testing of the implemented security enhancements. After investigating further, there is no indication that the claim by [LulzSec] is accurate at the moment.”
Sony has yet to respond to these latest developments either. Though if Sony’s previous two months have shown us anything, we can almost certainly give the hackers the benefit of the doubt.
The year just went from terrible to suicidal (for Sony). Full “press release”/official statement from LulzSec after the break…
Greetings folks. We’re LulzSec, and welcome to Sownage. Enclosed you will
find various collections of data stolen from internal Sony networks and websites,
all of which we accessed easily and without the need for outside support or money.
We recently broke into SonyPictures.com and compromised over 1,000,000 users’
personal information, including passwords, email addresses, home addresses,
dates of birth, and all Sony opt-in data associated with their accounts.
Among other things, we also compromised all admin details of Sony Pictures
(including passwords) along with 75,000 “music codes” and 3.5 million “music coupons”.
Due to a lack of resource on our part (The Lulz Boat needs additional funding!)
we were unable to fully copy all of this information, however we have samples
for you in our files to prove its authenticity. In theory we could have taken
every last bit of information, but it would have taken several more weeks.
Our goal here is not to come across as master hackers, hence what we’re about
to reveal: SonyPictures.com was owned by a very simple SQL injection, one of
the most primitive and common vulnerabilities, as we should all know by now.
From a single injection, we accessed EVERYTHING. Why do you put such faith in
a company that allows itself to become open to these simple attacks?
What’s worse is that every bit of data we took wasn’t encrypted. Sony stored
over 1,000,000 passwords of its customers in plaintext, which means it’s just
a matter of taking it. This is disgraceful and insecure: they were asking for it.
This is an embarrassment to Sony; the SQLi link is provided in our file contents,
and we invite anyone with the balls to check for themselves that what we say
is true. You may even want to plunder those 3.5 million coupons while you can.
Included in our collection are databases from Sony BMG Belgium & Netherlands.
These also contain varied assortments of Sony user and staffer information.
Follow our sexy asses on twitter to hear about our upcoming website. Ciao! ^_^