Sony today suffered another hacker attack, this time on its Sony Pictures website, in another blow to the already wounded company as it struggles to fortify its security networks.
The uncovered data includes user passwords, e-mail addresses, phone numbers and mailing addresses.
"SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now," said the group about the ease with which it was able to break into Sony's site. "From a single injection, we accessed everything. What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it."
This attack is the latest in the rash of hacker exploits that have plagued the company ever since its initial massive data breach from April 16 to 19. Nearly 100 million users' accounts were compromised then, including credit and debit card numbers, prompting Sony to shut down its network for over a month.
Sony never got a chance to recover from the initial disaster, as aftershocks of all kinds rocked the company on a weekly and sometimes daily basis. Hackers published 10-year-old Sony sweepstakes contestants' information to a website on May 5, and then stole $1,225 in online Sony game points from May 16 to 17.
Again, on May 18, hackers targeted Sony's password reset tool just as the company was preparing to restore its systems. If all this weren't enough, Sony's sites in Greece, Canada, Indonesia and Thailand were compromised from May 25 to 26.
To date, no one knows who hacked Sony initially, though the company placed roundabout blame on the hacktivist group Anonymous. Sony was targeted with DDoS, or Distributed Denial of Service, attacks after it sued one of the group's members for posting instructions on how to root one's PS3 console. Sony says it was too busy handling the DDoS attacks in April to notice the larger breach until it was too late.
Besides paying for the attack in countless lawsuits, subpoenas, investigations and the public humiliation of having to testify before Congress, Sony must foot a $170 million cleanup bill. The Tokyo-based company has taken costly and desperate measures to polish its image, offering free games and services to its customers, plus providing insurance policies of up to $1 million for any victims of identity theft.
Today's hack also follows Sony's defense of its security systems in a Congressional hearing. The company said it waited a week to inform customers of the April attacks so it could determine the extent of the damage; still, Congress condemned Sony's tardiness. The company also insisted it has undertaken many security measures since the original hack, but today's news discredits that statement and risks hurting the company's credibility.
The hackers today left a telltale sign of their presence on the Sony Pictures site: a text-based image of the Viking ship Lulz Boat, appropriately flying a LOL flag. LulzSec may still be laughing, but Sony certainly doesn't find this funny.