The same hackers who recently attacked PBS.orghave turned their attention back to Sony by releasing the latest dump of information stolen from Sony’s websites.
While the information disclosed includes approximately 150,000 records, the hackers claim the databases exposed contain over 4.5 million records, at least a million of which include user information.
The data stolen includes:
- A link to a vulnerable sonypictures.com webpage.
- 12,500 users related to Auto Trader (Contest entrants?) including birth dates, addresses, email addresses, full names, plain text passwords, user IDs and phone numbers.
- 21,000 IDs associated with a DB table labeled “BEAUTY_USERS” including email addresses and plain text passwords.
- ~20,000 Sony Music coupons (out of 3.5 million in the DB).
- Just under 18,000 emails and plain text passwords from a Seinfeld “Del Boca” sweepstakes.
- Over 65,000 Sony Music codes.
- Several other tables including those from Sony BMG in The Netherlands and Belgium.
The attackers, LulzSec, stated in their file titled “PRETENTIOUS PRESS STATEMENT.txt”:
“SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?”
This sounds like a broken record… Passwords and sensitive user details stored in plain text… Attackers using “a very simple SQL injection” to compromise a major media conglomerate.
Worst of all the hackers are exposing over a million people to having their accounts compromised and identities stolen simply to make a political point.
The take away for the average internet users is clear. Don’t trust that your password is being securely stored and be sure to use a unique password for every website to limit your exposure if hacks like these occur.
I took a brief look at some of the information disclosed and many passwords used were things like “faithful”, “hockey”, “123456”, “freddie”, “123qaz” and “michael”.
Companies collecting information from their customers have a duty to protect that information as well.
In addition to employing proper encryption to protect against theft or loss, companies should work with reputable penetration testers to validate their security plans.
By Chester Wisniewski on June 2, 2011