It is no secret to anyone that between the dates of April 17th and 19th, still as yet unnamed hackers broke into Sony’s database and stole the personal data of more than 100 million users of Sony’s PS3 Network, Qriocity entertainment service and the online gaming network, Sony Online.
Sony claims to be using industry standard security measures and was forced to shut down their network for three weeks and revamp everything from the ground up. PlayStation Store was not back in action until the 1st of June.
It may surprise some, then, that after all of the media attention surrounding this major breach of security, that the group called "Lulzsec" is claiming to have attacked the servers yet again and say that they have walked away with unencrypted security information.
According to examples of their hacking as provided on Twitter (when challenged for proof of their claims) it looks as though they did indeed hack Sony networks and web sites, including Sony Music Belgium, Sony Music Netherlands and Sony Pictures. Lulzsec wrote, on the site of Pastebin, the following:
"We recently broke into SonyPictures.com and compromised over 1,000,000 users’ personal information, including passwords, email addresses, home addresses, dates of birth and all Sony opt-in data associated with their accounts. Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 ‘music codes’ and 3.5 million ‘music coupons’."
The sobering claim from Lulzsec is that the group says that not only did it gain access to SonyPictures.com with a single SQL injection, but, “What’s worse is that every bit of data we took wasn’t encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it’s just a matter of taking it,” (as posted online). “This is disgraceful and insecure: they were asking for it. “
While it’s probable that the general public would not agree that Sony was asking to have its customers private information compromised, it’s hard to disagree on the point about nothing being encrypted. After such an unprecedented and well publicized attack in April, one can’t help but wonder how “industry standard” doesn’t require the encryption of sensitive information. Employee and admin passwords can well be looked upon as the gateway to everything else and with customers around the world, one would think that Sony would have a vested interest in protecting their private information. That certainly seemed to be the case when considering their swift response to previous hackings.
After careful consideration, most would agree that Beth Givens, director of Privacy Rights Clearinghouse has a good point. She suggests that Sony has resorted to using industry standards for security. “If that’s true,” she says, “then perhaps it is time to re-evaluate and even go beyond such standards.” Sony’s clients all over the world can’t help but agree. In the meantime, they should change their passwords and be on the lookout for suspicious activities on their accounts and be careful not to fall for fishing scams that appear to be from Sony.Advertisement
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.