LulzSec explains methods, encourages other hackers
Hackers say they have once again penetrated Sony’s website — and this time they’re releasing the information they found.
The hacker group LulzSec, which claimed responsibility for the takeover of PBS’ servers over Memorial Day, released a file Tuesday afternoon online that it says contains personal information for more than 1 million users of SonyPictures.com.
“We recently broke into SonyPictures.com and compromised over 1,000,000 users’ personal information, including passwords, email addresses, home addresses, dates of birth and all Sony opt-in data associated with their accounts,” the group said in a statement. “Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 ‘music codes’ and 3.5 million ‘music coupons.’”
“We are looking into these claims,” said Jim Kennedy, exec VP of global communications for Sony Pictures Entertainment.
Sony is just getting back on its feet after an unprecedented attack on its PlayStation Network. Personal information was stolen from over 100 million user accounts in that attack.
LulzSec, in its statement, said it lacked the resources to copy all of the information it discovered, as that would likely have taken weeks. However, it noted that the data it found through its intrusion was not encrypted — with passwords stored in a plain text file.
“Our goal here is not to come across as master hackers, hence what we’re about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now,” the group said. “From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?”
LulzSec came to national attention over the weekend, when it gained control of PBS.com and posted several fake news stories, including one claiming that rapper Tupac Shakur was still alive and living in New Zealand. The group was in such firm control of the network’s operations that it even hacked PBS’ statement on the hack, replacing it with an obscenity.
The group has been threatening to attack Sony since that time with a plan it called “The beginning of the end” for the company. In its boasting of the attack, the group provided details of its methods, encouraging other hackers to steal data from the site.
Meanwhile, on Twitter, the group began requesting contributions from supporters in the form of BitCoin virtual currency, noting that the money would be used to fund additional hacking. BitCoin is a digital currency that avoids a central issuer, making it impossible to trace who has donated money to whom.
Since the PSN hacks, Sony has been the regular target of hackers. Late last month, intruders breached its sites in Canada, Thailand and Indonesia. Experts say the recent hacker attacks are akin to aftershocks following a massive earthquake. Given how prominently Sony was breached, other members of the hacking community are eager to test for other weak spots. Unfortunately, they’re finding them.
“When vulnerability is identified, there’s a lot of copycat hackers looking to come after you,” said Hemu Nigam, founder of SSP Blue, an Internet security consultant business, and former VP of internet enforcement at the MPAA. “It’s almost like it’s a battle between Sony’s security companies and hackers who are saying ‘not good enough, not good enough, not good enough.’”