
Sony Pictures Attacked, 1 Million Users Compromised

chicmagnet2k4 Member Posts: 20
Sony reportedly suffered yet another hack attack on Thursday.
This time, a group of hackers claims to have accessed the SonyPictures.com servers and compromised personal data belonging to one million customers, which the group said it then posted in a file on its website.
Hacker group LulzSecurity, fresh off its retaliatory attack on a PBS website over a Wikileaks documentary, claimed responsibility for the Sony hack.
In a release posted on the group's website, the hackers claimed they obtained "personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts." The group also claimed that the hack "compromised all admin details of Sony Pictures (including passwords) along with 75,000 'music codes' and 3.5 million 'music coupons.'"

"The hackers published a massive amount of email addresses, user names and passwords, as well as coupon codes. Anyone that's registered on the site should be concerned their data was exposed," Jeremiah Grossman, CTO of WhiteHat Security, told The Huffington Post in an email. "This type of attacks exposes [one] of the fundamental flaws that most companies take to risk management. Focusing on securing your primary site (such as a purchasing site) leaves secondary sites exposed, and they often contain valuable customer data."
Shockingly, Lulzsec alleged that Sony left this information unencrypted and exposed to relatively elementary attacks:
Our goal here is not to come across as master hackers, hence what we're about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks? What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it. This is disgraceful and insecure: they were asking for it.

While working to recover from the massive PlayStation Network hack that affected millions of customers around the world in April, Sony faced harsh criticism for the network's vulnerabilities and eventually promised that PSN security had been dramatically increased. If Lulzsec's accusations about Sony Pictures are true, Sony may have to rethink security measures for all its online properties.

Sony reportedly spent over $170 million after the PSN hack to cover the cost of identity theft insurance for customers, hacking investigators, tighter site security and more. The company even hired a Chief Information Security Officer. Even still, Sony has asserted that "no system is 100 percent safe."
"Unfortunately we should probably expect more of these types of hacks," Grossman warned.

UPDATE: According to the AP, Sony is "aware of LulzSec's claim and looking into it."
The AP also described accessing the user data posted by the hacker group online:
The data, carried in a plain text file posted to the hacking group's site, appeared to be at least partially genuine. The Associated Press called a number listed by LulzSec as belonging to 84-year-old Mary Tanning, a resident of Minnesota. Tanning picked up the phone, and confirmed the rest of the details listed by LulzSec – including her password, which she said she was changing. "I don't panic," she told the AP, explaining that she was very seldom online and wasn't wealthy. "There's nothing that they can pick out of me," she joked.
If confirmed, the breach would deal yet another blow to Sony, which suffered a massive cyber-attack in April that targeted credit card information through its PlayStation Network and Sony Online Entertainment networks. Company executives on Thursday faced questions from U.S. lawmakers over why consumers weren't informed more quickly about the breach. Over 100 million user accounts were affected and the company only recently was able to restore service.

Hackers Lulzsec Say Sony Pictures Attacked, 1 Million Users Compromised (UPDATE)

Comments

  • NOC-Ninja Member Posts: 1,403
    Wow, This is so embarrassing to Sony. They lose stock and business. I'm sure someone will get fired.

    I wonder if they even have a 3rd party that audits them?
  • phoeneous Member Posts: 2,333
    Hacking is cool, I hear all the kidz do it.
  • chicmagnet2k4 Member Posts: 20
    NOC-Ninja wrote: »
    Wow, This is so embarrassing to Sony. They lose stock and business. I'm sure someone will get fired.

    I wonder if they even have a 3rd party that audits them?

    I would be embarrassed...
  • Forsaken_GA Member Posts: 4,024
    if I worked there, I'd be looking for another career. Immediately.
  • Xcluziv Member Posts: 513
    if I worked there, I'd be looking for another career. Immediately.

    pretty much.....fool me once shame on you, fool me TWICE, shame on me...in this case it's SONY.

    I'm curious why they are just hiring a CISO. I'm sure a huge company like Sony should have had something like this in place.

    I guess the CISO who was hired didn't even turn on his computer good before the next attack launched...

    "TRY NOT. DO. OR DO NOT. THERE IS NO TRY" - Yoda

  • Forsaken_GA Member Posts: 4,024
    Well, it's not a role that every company feels it needs, but folks are beginning to recognize the need for it. Hell, we just hired a former FBI guy as our first CISO, and we're a security solutions provider. Though to be fair, the role was previously filled by our director of corporate security who also has law enforcement experience. The hire of the CISO frees him up to function primarily in the role he was hired for, which is head of security.
  • Turgon Banned Posts: 6,308
    NOC-Ninja wrote: »
    Wow, This is so embarrassing to Sony. They lose stock and business. I'm sure someone will get fired.

    I wonder if they even have a 3rd party that audits them?

    The top people will likely keep their jobs. They will probably scapegoat the middle management and operations people.
  • bertieb Member Posts: 1,031
    Turgon wrote: »
    The top people will likely keep their jobs. They will probably scapegoat the middle management and operations people.

    Or if heads do roll at the top, no doubt it'll be with a payoff significantly higher than the bods at the bottom.

    I'm glad I don't work there right now
    The trouble with quotes on the internet is that you can never tell if they are genuine - Abraham Lincoln
  • Turgon Banned Posts: 6,308
    bertieb wrote: »
    Or if heads do roll at the top, no doubt it'll be with a payoff significantly higher than the bods at the bottom.

    I'm glad I don't work there right now

    It will be like the former CEO of HP. 'You're rubbish. Here is 50 million dollars to leave now, not sue us and keep your mouth shut. Sign here..'

    They will need to fire someone to keep their jobs. I imagine the CISSP and other security certificates are coming down from cube walls rapidly. Not a good time to be pushing for approval for more security courses if you have already had some. After the shakedown it will be a good time to do that, if you still have a job of course.
  • tpatt100 Member Posts: 2,991
    I saw the torrent they have on piratebay proving they have the info. They are talkative so hopefully law enforcement can track them down.