Sony the Victim of Another Hack Attack, was "Asking for It"
Have you heard the one about Sony getting hacked? Of course you have, only this time the cyber attack didn't target Sony's recently restored PlayStation Network (PSN). Instead, the hacker group known as "LulzSec" took aim at Sony Pictures and reportedly made off with personal information of more than 1 million users, as well as music codes and coupons. But hey, Sony was "asking for it," the hacker group said.
"Every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it. They were asking for it," LulzSec said in a statement.
"Our goal here isn't to come across as master hackers, hence what we're about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now," LulzSec continued. "From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?"
LulzSec posted the personal information to its website, info that included passwords, email addresses, home addresses, birth dates, and all Sony opt-in data associated with user accounts. The group also says it viewed all admin details of Sony Pictures, including passwords, and compromised 75,000 "music codes" and 3.5 million "music coupons."
"We are looking into these claims," said Jim Kennedy, executive vice president of global communications for Sony Pictures Entertainment.
Comments
f104chrome
June 05, 2011 at 8:25am
Sony needs to beef things up but really only some retard would think what these hackers did was ok. If it was my info I'd want some payback, I'd love nothing more than to beat the crap out of a hacker, they ruin every game worth playing and steal personal info, gee, aren't they great. Punks.
iceman08
June 04, 2011 at 12:27pm
The way I look at it is, Sony should have better security across the board (and making other major companies silently beefing up THEIR crappy security). But the hacker groups are being dishonorable with attacks like this. Even the original attack that led to the PSN shutdown; I can't agree with that either.
Taz0
June 04, 2011 at 3:38am
I just can't believe that any respectable company is still vulnerable to an SQL injection attack AND stores passwords in plain text. I mean, most countries have laws criminalizing storing customer passwords in plain text, simply because most people use the same password for multiple websites, and so compromising someone's password could compromise their entire identity.
A website (or any computer system) should NEVER EVER store a user's password (not even in encrypted form), nor should there be ANY way to retrieve the password if the whole system is compromised ("here hacker, take all the servers with all the data and try and extract even a single password"). A computer system doesn't really need to know your password to know if the password you've entered matches the one you've previously chosen. That's what (salted) hashes are for.
Being vulnerable to SQL injection is pretty pathetic. But storing passwords, and in plain text, is simply CRIMINAL (though US law is a bit behind the rest of the world in that regard). If it turns out it's true, they should be FEDERALLY PROSECUTED. Of course, revealing all that info to the wide world is also criminal. LulzSec should have just provided a small sample to prove their point.
kixofmyg0t
June 03, 2011 at 3:32pm
I'm still trying to figure out who the hell these million people are that had login IDs with credit card info on Sony Pictures. Seriously. Methinks Sony used it as bait. Think about it, even a fresh IT graduate would blow the whistle on keeping passwords stored in plain text. I personally think Sony left the door open on purpose, the ol' bait and switch.
But then again you have to realize that Sony's divisions are separate. The PlayStation division and the Sony Pictures division both have the name "Sony" as owners but they aren't on the same server, or even building. The IT department of PSN has nothing to do with the IT department of Sony Pictures.
Zachary K.
June 03, 2011 at 2:50pm
*Steals guy's wallet*
It's not like it was locked or anything, he was asking for it, therefore it is OK.
bling581
June 06, 2011 at 9:54am
I find it humorous how people try and compare things with simple real world examples when it's not even remotely similar. Your example is flawed because you're assuming the guy that's getting robbed is completely innocent and has never stolen from anyone else. Sony has done plenty of bad things to its customers and if they didn't bother to tighten their security after the first hack then they really do deserve it a second time.
kixofmyg0t
June 03, 2011 at 3:12pm
Don't forget that the cash in his wallet wasn't encrypted! I mean it clearly says $20 right there on the bill! In plain text! Ugggh stupid idiots for not encrypting their wallets!
Btw what would happen if an IED showed up on the streets of America, and blew up a school bus full of children? Oh yeah they were "asking for it" since they weren't riding in a bomb proof bus. So I guess all the people in the twin towers were "asking for it" since the building didn't have its own air defensive system. Everybody that's ever been mugged, shot and killed, raped, beaten etc were "asking for it" too hmm?
The "logic" of Anon and LulzSec will be the end of the world.
TheZomb
June 03, 2011 at 10:44pm
More like showing the bottom of a security truck is made out of paper by stealing money and saying you shouldn't have transported your money. They're idiots for doing it this way, but if Sony is storing personal data they need to protect it, you can whine that it's the hackers' fault all the time, but they're not going away and it becomes your fault if you don't protect yourself against them.
Trooper_One
June 03, 2011 at 12:10pm
"Sony was "asking for it," the hacker group said."
... by that logic, one can rape pretty girls who happened to be walking down a dark alley? Or rob an elderly person in a parking lot?
Sony is a bitch ass company but there's no need to blame the victims, in this case, the customer who uploaded their data in good faith.
Supfresh
June 03, 2011 at 12:00pm
This couldn't have come at a better time, I just moved into a new house and was trying to decide whether to buy a PS3 or 360, not too hard to decide now lol.
Gezzer
June 03, 2011 at 11:46am
Yeah it does seem like the new game in town is to pile on Sony. Hopefully they and any other companies not taking the safeguarding of personal data seriously will have had their wake-up call. Most likely they won't though.
I'm kind of disappointed with Sony. You'd think after the PSN hacks they would have taken a good long look at all their database security on all the company's sites. These sanctimonious hackers on the other hand really @iss me off. As pointed out by others poor security does not mean you're "asking for it". Isn't that the same line rapists often use? Well their posting of personal data in a sense was a rape of the users.
As my dear old dad used to say "two wrongs don't make a right". Sure Sony's at fault for poor security, but the hackers are abusing the users by posting the data which is worse in my eyes.
nealtse
June 03, 2011 at 11:27am
I've lived with two separate roommates I had to get on their ass about locking the front door. Both said verbatim "I thought this was a safe neighborhood." That's right two. Sony is like them, except that they already got robbed once and just kept on as usual, but their house was full of your stuff.
tiger_shark
June 03, 2011 at 10:54am
What caught my attention first was the funny pic!
I'm happy that Sony got slapped in the face again but I'm not happy why they had to post private info for everyone to see. Someone who's been following tech news should know by now that Sony's servers have already been raped.
They should've just posted some snippets of the information they got from Sony.
weengo
June 03, 2011 at 10:32am
While I don't think Sony was "asking" to be hacked...
What they are "asking" for is a headache and bad publicity by not encrypting anything when they ARE hacked.
If only there was some sort of indicator to Sony that they were going to be hacked.... <sarc>
I'm not blaming the victim but not taking protective measures against theft is just plain incompetence.
Carlidan
June 03, 2011 at 10:18am
I think them hacking Sony network and showing that there is a flaw in the security was legit but when they posted people's personal information that definitely crossed the line. They could have just shown proof of the hack and warned Sony and their customers.
d3v
June 04, 2011 at 2:52am
What personal info? People always make stuff up when filling web forms. I doubt any of it's true.
Kano
June 03, 2011 at 11:06am
My thoughts exactly...
"Every bit of data we took wasn't encrypted." They are so noble aren't they?!?
"They were asking for it" ...and so were those stupid customers, right?
I'm not even a user of sonypictures but, I'm furious that those POS posted the personal info of the users. They should have skipped the whole bit about making Sony look bad because the real motive is obvious... they wanted to exploit an already hurting company and make personal gain and are therefore just pathetic criminals with big heads! Why the hell are these low life hacker groups getting publicity??? That is exactly what they want.
Carlidan
June 03, 2011 at 12:00pm
I'm confused on your reply. I never said it was noble nor did I say it was the customers' fault. Where did you get that from my post? I only said them hacking and finding the exploit was a good thing because sooner or later someone will. I wish it was a white hacker who had found the exploit. I also stated that what they did was wrong. Please read. Rather than rant. I said when they posted the information online, they crossed the line.
Kano
June 03, 2011 at 3:13pm
I said nothing towards you. You must not understand sarcasm, my friend. How about you read, and I'll continue to rant. :)
Carlidan
June 03, 2011 at 3:16pm
Well your post was kind of hard to understand. Rant away. I couldn't make heads or tails out of it. :)
iceman08
June 03, 2011 at 1:04pm
That wasn't directed to you, I think. That was sarcasm directed to the hackers who won't read this.
Kano
June 03, 2011 at 3:20pm
...and yes they will! I emailed them and told them to come to MaxPC and read my nasty posts about them. Oh they'll be furious... that's for sure. They'll be so furious they'll have to go physically abuse some elderly people just to feel good again. (note the sarcasm) geeze...
bling581
June 03, 2011 at 10:13am
It's good to know that you can't trust Sony with anything even semi-important.
TerribleToaster
June 03, 2011 at 9:57am
So because it was easy, "they were asking for it"?
By that logic, I should go out and take candy from babies.
It's easy, so they must be asking for it, right?
On a side note, Sony can no longer disappoint me as my expectations have been set to zero. Glad I was iffy over getting a PS3, probably saved me a lot of hassle.
kixofmyg0t
June 03, 2011 at 9:32am
Who the hell has a login for Sony Pictures? But beside the point, I'm not sure if I believe this one.
Iglidden
June 03, 2011 at 9:31am
IMO Sony has an obligation to protect the personal information of their users and they are simply not living up to their obligation. The fact that they can be hacked by something as simple as a SQL injection attack means that they are not even trying to protect NPI data in some of the most simple ways.
I would be interested to see the disclaimer Sony sends out when you supply them your personal information.
Neufeldt2002
June 03, 2011 at 8:44am
My files on my computer are not encrypted, guess I am asking to be hacked.
DDRDiesel
June 03, 2011 at 9:14am
Thanks for the tip!
(I'm in your computer right now, nice pr0n, bro!)
TommM
June 03, 2011 at 8:19am
Buncha losers. Pretty high and mighty of them to act as judge, jury and executioner to serve their own petty purposes.
siramic
June 03, 2011 at 9:49am
That was my thought too, do they think they are providing a "service" to show the flaws of websites, and in this case, Sony? Will LulzSec next be asking to receive compensation for their services? I believe Google paid $20k to anyone who could hack a newer version of Chrome, but that is a whole different story than this.
tony2tonez
June 03, 2011 at 7:58am
If these guys are so good why not hack the pentagon and get some pics of Bin Laden's body? Stealing people's private information does not win friends. Only turns the population against them.
DDRDiesel
June 03, 2011 at 9:13am
They said themselves that they are not Master Hackers. They did this to prove that any script kiddie with enough patience could have parsed all the unencrypted information from Sony. Am I saying that I am in favor of LulzSec? Hell no. But I'm just trying to bring some light to what happened. It sucks that Sony got hacked so many times, they really are a great company that produces great products (inb4PS3sux, I am not a PS3 fanboy), and they just happened to become this year's target.
Also, for the record, I am neither supporting Geohot, nor the hackers responsible. I think it's terrible what's going on right now. Let's not forget that Japan is still facing a potential nuclear disaster, and is still recovering from the destruction caused by the earthquakes and tsunami.