Hacker group LulzSec claims to have successfully hacked SonyPictures.com, managing to gain themselves access to user accounts including passwords, e-mail addresses, full home addresses, and date of birth.
On top of that, Sony Pictures accounts also have a number of opt-in features that contain further information about each user depending on what each signs up for. LulzSec state all of that detail was available to them. They also managed to get the details of all admin accounts for the website.
But unfortunately, the pain for Sony doesn’t seem to stop there, though. 75,000 music codes and 3.5 million music coupons are thought to have been taken. We believe these are codes that allow you to purchase Sony music tracks at a discounted price, or in some cases even for free.
The most shocking and possibly damning thing revealed by this hack is the fact that Sony stored all the Sony Pictures account passwords in plain text. No encryption means no work for the hackers, beyond gaining access to the server.
This is an excerpt from a post by LulsSec on Pastebin.com
Our goal here is not to come across as master hackers, hence what we're about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?
What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it. This is disgraceful and insecure: they were asking for it.
This is an embarrassment to Sony; the SQLi link is provided in our file contents, and we invite anyone with the balls to check for themselves that what we say is true.
This is sure to cause yet more upset for Sony in the press and with users. It also means they have millions of codes to mark as unusable on their system asap.
No comments:
Post a Comment