Another day, another SQL injection exploit

Just when Sony appeared to be getting back on the right track with the full restoration of its PlayStation Network, LulzSec struck again, hitting Sony right between the eyes. The group once again used an SQL injection tactic to gain access to the Sony Pictures account database.

This time around, LulzSec managed to obtain:

  • 1 million user accounts (including passwords, email and home addresses, and date of birth)
  • All admin account details and passwords
  • 75,000 music codes
  • 3.5 million music coupons

In addition, there was even opt-in data that was accessible, which gives even more information about Sony's customers and their preferences.

The part that amazes LulzSec (and us, for that matter) is the fact that Sony stored all 1 million user passwords in simple plain text files -- no encryption whatsoever was used. "It's just a matter of taking it," stated LulzSec in a press release. "This is disgraceful and insecure: they were asking for it."

The group went on to express its disdain for Sony and its security practices (or lack thereof): 

Our goal here is not to come across as master hackers, hence what we're about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks? 

LulzSec has provided evidence of their latest "Sownage" on its site, which can be accessed here.




Yep
By dagamer34 on 6/2/2011 7:56:33 PM , Rating: 4
If they ever catch these idiots, expect some jail time.

Just because a company has shitty security doesn't give you the right to hack it for lulz (pun intended).




RE: Yep
By 2bdetermine on 6/2/2011 8:26:19 PM , Rating: 4
Talking about “idiots”, if the company is so competent, these idiots wouldn’t be able to compromise their system in the first place.


RE: Yep
By Reclaimer77 on 6/3/2011 1:00:31 PM , Rating: 4
quote:
Talking about “idiots”, if the company is so competent, these idiots wouldn’t be able to compromise their system in the first place.


That's not a valid argument, sorry. If I think the locks on your house aren't good enough, that doesn't give me the right to bash them in and break into your house.


RE: Yep
By geddarkstorm on 6/3/2011 5:27:47 PM , Rating: 1
If you leave the keys to your car in the ignition and the engine running, then you are also held responsible if it gets stolen. Insurance sure won't pay you a dime, as the blame is equally on you.

What Lulz is doing is forcing Sony to actually use the most basic, simplest security measures to protect consumers, before someone with nefarious intents actually comes along and takes that information. If it hasn't happened already.


RE: Yep
By jkostans on 6/2/2011 8:30:12 PM , Rating: 5
Well I'm glad they are at least opening the eyes of people who blindly trust these companies with their private information.


RE: Yep
By danobrega on 6/2/2011 8:40:53 PM , Rating: 3
If they were real idiots, they would steal the information and not leave a trace. Then they would use the info to profit at Sony's consumers' expense.

All they did was expose Sony's faults.

The question is:

What if the data had been stolen BEFORE without anyone knowing about it?!


RE: Yep
By Motoman on 6/3/2011 9:19:24 AM , Rating: 3
Ding ding ding!

These guys are doing this to show the world how stupid Sony is...we have no reason to believe that someone else didn't already hack Sony and just not tell us about it.


RE: Yep
By TSS on 6/2/11, Rating: 0
Copyright 2014 DailyTech LLC.