Another week, another data breach at Sony – a hacking group claims it has broken into several Sony Pictures websites and accessed unencrypted personal information on over 1 million people.
In a statement released yesterday, the LulzSec group claimed it had also managed to compromise all admin details, including administrator passwords, as well as 75,000 music codes and 3.5 million music coupons from Sony networks and websites.
The group has publicly posted a full list of compromised sites, along with links to documents containing samples of what it claimed was material stolen from Sony.
The compromised databases included one that appeared to contain information belonging to people who participated in a promotional campaign involving Sony Pictures and AutoTrader.com, as well as another involving a Sony-sponsored Summer of Restless Beauty campaign.
Also compromised in the break-in, according to LulzSec, was a Sony music codes database, a music coupons database, and databases from Sony BMG Belgium & Netherlands.
The compromised databases contained “varied assortments of Sony user and staffer information,” the group said. “SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING.”
“What’s worse is that every bit of data we took wasn’t encrypted,” the group claims. “Sony stored over 1,000,000 passwords of its customers in plaintext, which means it’s just a matter of taking it.”
LulzSec said that it had copied and published only a relatively small sample of the information it had managed to access because it did not have the resources to download everything. The group said that in theory it could have “taken every last bit of information,” but that would have taken weeks.
The group posted a link to the SQL injection vulnerability it had exploited and invited anyone to verify it personally. “You may even want to plunder those 3.5 million coupons while you can.”
The breach follows the high-profile hack attack on two of Sony’s online networks, resulting in the personal details of over 100 million customers being compromised. It triggered a major backlash from customers and the authorites.
Related stories:
Sony refuses to take blame for hack
Sony: ‘Anonymous’ sparked hack
EU chief sticks the boot into Sony
