updated 05:30 pm EDT, Thu June 2, 2011
Lulz Security hits Sony again in security message
Sony was embarrassed again on Thursday after Lulz Security posted that it had successfully hacked Sony Pictures' website. It lived up to its earlier promise and used a basic SQL injection attack to expose one million users' personal data, 3.5 million digital coupons and 75,000 music codes. The hacking team found that the information had few defenses and that none of the data, even including passwords, were stored in clear text.
Not all of the information could be taken due to resources and time, LulzSec said. As evidence, though, it posted a selection of what it had as evidence, including databases for related sites like AutoTrader, the coupons and codes, and the plain login information for some of the database. Administrator data was compromised both at the US site as well as from Belgium and the Netherlands.
LulzSec, which doesn't pursue hacks for commercial gain, cast itself as doing both Sony and the public as a favor. The move would push Sony to lock down its security more thoroughly across its sites. For end users, it was a warning as to how easily compromised Sony's sites were even after the PSN hack and several follow-ups from different sources.
"From a single injection, we accessed EVERYTHING," the team said. "Why do you put such faith in a company that allows itself to become open to these simple attacks?"
Sony hadn't responded to the breach as of Thursday but was ironically due to testify at a Congress hearing the same day on its security practices.