Blame “LulzSec,” the hacker group claiming responsibility for the recent PBS web hack. In a note attributed to the outfit, LulzSec claims it “recently broke into SonyPictures.com and compromised over 1,000,000 users’ personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts.”
“Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 ‘music codes’ and 3.5 million ‘music coupons’.”
The group claims it “could have taken every last bit of information, but it would have taken several more weeks.”
Those music coupons are now being trafficked on The Pirate Bay, reports BoingBoing (though anyone using one would have to be pretty brain-addled).
The putative LulzSec note goes on to rub it in, claiming the group wanted to show how SonyPictures.com “was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities.” The group says a “single injection” allowed it to access “everything,” including what it claims were “1,000,000 passwords of [Sony] customers [stored] in plaintext.”
“Why do you put such faith in a company that allows itself to become open to these simple attacks?” asks the group.
Assuming any of this is true, reprehensible as the attacks are, you have to admit the group has a point: Why hasn’t Sony secured its perimeters company-wide by now?