Hackers Publish Confidential Information Taken From Sony

Just as the PlayStation Store comes back online and we start to think this hacking fiasco may finally be in the rear view, this bit of info comes up. Apparently, a hacking group by the name of ‘LulzSec’ has published information from over 1,000,000 accounts that they took from Sony Entertainment and Sony BMG websites.

Even worse than what they took is apparently how easy it was to take. According to them, none of the information they acquired was encrypted.


This is what the group had to say after carrying out the attack.

“Our goal here is not to come across as master hackers, hence what we’re about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?”

LulzSec promised yesterday that they would publish some of the information they took from said websites. While we’re not going to link the information for obvious reasons, we can verify that there is a page on their site packed with e-mail addresses, passwords and various other data (though it has likely already been taken down).

Although they’re obviously taking full credit for this particular incident, they’ve also claimed that they’re not the ones responsible for the PSN attacks from April.

Update: We did some additional digging and found LulzSec’s original statement about this situation. Apparently, despite what was originally reported, only a small sample of the account information supposedly taken was published on the web. Below is another short excerpt from their statement.

“We recently broke into SonyPictures.com and compromised over 1,000,000 users’ personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts…

Due to a lack of resource on our part (The Lulz Boat needs additional funding!) we were unable to fully copy all of this information, however we have samples for you in our files to prove its authenticity. In theory we could have taken every last bit of information, but it would have taken several more weeks.”

To clarify, they’re claiming they did compromise information from over a million accounts, but only a small sample was published online.


47 Comments

  1. One has to wonder what is their goal to come across as? I can’t think of any polite words…

    • Why do you need to be polite at a time like this?

  2. Just who do they think they’re helping with this?

    • I guess they’re just trying to attack Sony without getting gamers in the crosshairs, since gamers can get slightly angry at losing PSN access apparently…

      I mean, there’s obviously still innocent folks affected by this, but I don’t see that many people really caring about their Sony BMG accounts, it’s more just further embarrassment for Sony.

    • They are trolls, so they don’t need a reason.

      They are even asking for donations, so it’s pretty obvious that they are only doing this for themselves and to gain “fame”.

      Kids, ignore and move on. Let Sony and hopefully the feds deal with these losers.

  3. Honestly, how hard is it to click on update?

    • If you read the details of the attack, you will see this is completely unrelated to keeping their server updated. And having to click “update” is a slightly naive understanding of how massive web systems work.

      • SQL attacks, Apache attacks, php flaws, htaccess flaws, can all be fixed by running updates. Maybe not hit update, it could be ‘sudo apt-get update all’.
        Even my tiny home servers run updates every night, even with a huge cluster they can schedule updates and balance load so the whole system doesn’t collapse.

      • Yep, this is nothing to do with ‘updates’ and more to do with sanitising the URL querystrings. If Sony left them completely open and allowed anyone to get right into the database then that’s mental.

      • Okay, I stand corrected. I was reading something different.

        But, yeah, it’s still a silly mistake to make.

    • SQL injection attack wouldn’t be fixed by an update, Sony need to rewrite code.
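The point made in the replies above, that an injection flaw is fixed by changing how the query is built rather than by patching the server, shown side by side. This is an added example, not code from the article, Sony or the commenters; the user table and its contents are constructed for it.

```python
import sqlite3

# Constructed sample user store standing in for a site's accounts table;
# the e-mail addresses and passwords are invented for this example.
SAMPLE_USERS = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "letmein"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, email):
    # The query is built by string concatenation, so a quote in the input
    # ends the literal and the rest of the input becomes SQL. This is the
    # "very simple" mistake the article describes; it needs a code change,
    # not a package update, to fix.
    sql = "SELECT email FROM users WHERE email = '" + email + "' ORDER BY email"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    # Parameterised query: the value travels separately from the statement
    # and is only ever compared as data, whatever characters it contains.
    sql = "SELECT email FROM users WHERE email = ? ORDER BY email"
    return [row[0] for row in conn.execute(sql, (email,))]


# A value that is not an e-mail address at all; in the concatenated query its
# quote and OR clause rewrite the WHERE condition to match every row.
MALFORMED_INPUT = "nobody@example.com' OR '1'='1"


def compare(email):
    """Run both lookups against the same input and return the rows each yields."""
    conn = make_db()
    return lookup_vulnerable(conn, email), lookup_safe(conn, email)


if __name__ == "__main__":
    print(compare("alice@example.com"))
    print(compare(MALFORMED_INPUT))
```

With a well-formed address both lookups agree; with the malformed input the concatenated query returns every account while the parameterised one returns nothing.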

  4. *Sigh*
    Surely these people could be trying to prove a point where it really matters. There’s so much good people could be doing and they still think attacking companies like Sony is top priority. It really goes to show what being blinded by the four walls of your bedroom does to you. THIS is our biggest problem at the moment. Not poverty, not famine, not global warming, but some sodding hackers who feel they’ve been wronged by a multinational corporation.

    http://www.youtube.com/watch?v=q5mLjKI968g

    • “THIS is our biggest problem at the moment. Not poverty, not famine, not global warming, but some sodding hackers who feel they’ve been wronged by a multinational corporation.”

      You really need a reality check. Seriously. Comparing poverty and famine to hacker attacks on Sony’s out of date systems? Why not just go the extra mile and compare it to the Holocaust.
      I think people like YOU are our biggest problem right now.

      • You should re-read the fella’s post, I do not believe he’s seriously saying that.

      • Must have slipped under my sarcasm radar then… I really hope he wasn’t serious…

  5. And everyone wonders why we’re not travelling around on space boards yet. If companies didn’t have to spend the amount of time and money they do on security maybe we’d have a better product, not just from Sony but from every company.

    This isn’t particularly related to this incident, just hacking in general.

    • How much money does it cost to get someone to click or run update on their systems? If it’s lots, I’ll do it.

      • Arms-maker Lockheed Martin will tell you different. Even if Sony had great security, do you think they would say?

      • No they wouldn’t but neither do banks and they are a bigger prize and deal with this everyday.

        It’s becoming increasingly apparent that the tools hackers used to launch these attacks are free on the internet. There is even a database of exploits anyone can look at to check for potential holes. Microsoft, Adobe, Apple all check these. Another thing the aforementioned do is pay hackers to have a go at their stuff. There are also hackers who run regulated companies that can be hired to test any networks for holes.

        All the tools and people are there and yes Sony aren’t the only ones under attack, but with the spotlight on them, surely they aren’t being proactive enough.

      • My point isn’t to do with clicking on some update button. My point is that if 80% of the world’s population weren’t total numb-skull mindless retards, we would live in a better place.

        A place where security wouldn’t be needed, because everyone would have the sense to see the bigger picture. The sense to see the nice things that the world could have.

      • Maybe I went a little overboard with 80% – let’s just narrow it down to hackers and dimwits.

      • Wait, you want to live in Cuba?

        The problem is the trust we have in others to protect us using their lacking security.

  6. So uninteresting. Hackers, find something better to do with your time, ffs. No one cares about your “I can hack Sony” cause.

  7. Seriously, what’s wrong with these guys?! Do they ever think before acting? Morons.

  8. Hello Sony Corp,

    Allow me to introduce you to the ‘update software’ button, you seem to have never met, despite all the attacks over the past month or so.

    Surely a company who takes the protection of customer data extremely seriously (your words) would ensure that everything is up to date and protection is in place to prevent, or at least hinder code injections.

    This really is basic stuff, again.

    I can only assume the protection of customer data is a PR lie/piece of spin and you really couldn’t give two hoots.

    I’m not sure I had a shred of confidence, regarding security, left in your organisation but if I did, I’m now absolutely certain it’s 100% gone.

    According to the article on the Beeb, the group say that all million accounts had their passwords held in clear text and weren’t hashed or encrypted in any manner.

    Given the volume of attacks over the past month… at least 5 of them successful, probably a few more unsuccessful, it’s not like these hackers could have caught you by surprise. Your organisation has been under attack for weeks, if not longer; all servers with customer details on should have been looked at and all OS, software & security updated, and if that couldn’t be done, then taken offline for maintenance.

    The apathy Sony show towards protection of people’s details is staggering and shameful.

    Hackers are asshats, Sony seem to be far beyond that…

    • It’s funny really, I just don’t understand how it keeps happening, do they have anyone working in their IT departments?

      I didn’t go to a particularly well known Uni, but they would send you an email every two weeks or so saying something along the lines of “the network will be going down for 5 minutes on Saturday at 22:23 while we update stuff”. And that place didn’t have a hacker target on their backs, they did it to protect our information just in case. It’s just, professional, I mean how often can you really call Sony’s conduct professional?

      How does an electronics company fail so hard compared to… well, anyone? Do they seriously have a smaller security team than some random Uni?

    • All you know is what these hackers say; if you believe people who hide away that is up to you. I do not believe anything they say when they’re on a hate Sony campaign.

      • Plus, half the crap on the last hacker stories that came out were complete lies, saying it was outdated software & things, when later it was proved that was all lies, but you lapped it up then as well.

      • So you think that they’re lying when they say that they’re not master hackers?

        As they say, SQL injection attacks are very common, in fact the mySQL site was recently hacked using SQL injection, which I think is pretty funny.

      • You can’t really blame anyone for lapping up the out-of-date software story. It was said in Congress and I really didn’t believe anyone would lie to Congress.

      • How would I or you know unless you’re in their team of hackers? They could make up as much crap as they want.

      • But do you believe anything Sony says after all the fails they went through regarding the security of customer information? It’s blind faith that keeps Sony from getting their act together.
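The clear-text password storage the comment above complains about, beside how a password record should be stored and checked. This is an added example, not Sony’s code or anything from the commenters; the record layout and the sample password are constructed for it.

```python
import hashlib
import hmac
import os

# Stored form: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
# (a constructed record layout for this example, not any product's format).
SCHEME = "pbkdf2_sha256"
ITERATIONS = 200_000


def hash_password(password, salt=None):
    # A fresh random salt per user: identical passwords yield different
    # records, and a leaked table cannot be attacked with precomputed hashes.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "{}${}${}${}".format(SCHEME, ITERATIONS, salt.hex(), digest.hex())


def verify_password(stored, candidate):
    # Recompute with the stored salt and iteration count, then compare in
    # constant time so the comparison itself leaks nothing about the digest.
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def record_reveals_password(stored, password):
    """True if the plaintext is recoverable by simply reading the record."""
    return password in stored


if __name__ == "__main__":
    rec = hash_password("hunter2")  # constructed sample password
    print(rec)
    print(verify_password(rec, "hunter2"), verify_password(rec, "hunter3"))
```

A dump of such records gives an attacker only salts and digests to grind through one guess at a time, instead of a ready-to-use list of credentials.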

  9. This has NOTHING to do with games. They hacked Sony Pictures’ website, which, of course, is run separately from the gaming division. Sure, if you want to post juicy stories (however off-topic they may be) and attention-seeking headlines, go ahead – that’s your prerogative – but it kind of reeks of sensationalism.

    • Sony Computer Entertainment
      Sony Online Entertainment
      Sony Pictures
      There’s a pattern here.

      Okay, yes, it may be a different company, but given this is a site mainly for Sony PS3 users, it’s likely that brand loyalty will spill into other Sony products. I for one have registered my details through BD-Live on a Sony Pictures Blu-ray.

    • Kinda agree, why is this story even on here?

    • Maybe it’s here because somebody thought it would be of interest to the community here.
      As it deals with yet more hacker attacks on Sony, I would have to agree.
      Most of us on here use Sony products, so any information about their security would be important information, I believe.

      But I have to question the stated motives of the hackers.
      They’ve proven they don’t give a toss about anybody else by publishing the information they stole.
      They can draw attention to the fact Sony security might still be lacking in some areas without compromising the accounts of innocent users.
      But no, they chose this way.

      The benevolent hacker, out to protect the people, is starting to look more and more like a fairytale.

  10. Is there any solid proof of this? Hackers are all losers. Fact.

    • Yes, there’s plenty of proof. Whatever you think of hackers, this is an example of terrible security on behalf of whoever did Sony’s site.

      • How about you READ the proof Nofi. I’m pretty (self censored expletive) mad at TSA right now for not even taking the time to fact check (AGAIN).

        They DID NOT, I repeat DID NOT “Publish(ed) information from over 1,000,000 accounts that they took from Sony Entertainment and Sony BMG websites.”

        If you bothered to read the statement made by LulzSec, and then actually LOOK at the data they have/released, you would see that they only allegedly grabbed a sample of the data (61,600 users to be precise). Here is their “explanation”:

        “We recently broke into SonyPictures.com and compromised over 1,000,000 users’
        personal information…”

        “Due to a lack of resource on our part (The Lulz Boat needs additional funding!)
        we were unable to fully copy all of this information, however we have samples
        for you in our files to prove its authenticity. In theory we could have taken
        every last bit of information, but it would have taken several more weeks.”

        Note the key words here: “In theory”

        Here is something I posted on another forum which I think is apt here. It would be nice if after consideration, TSA could amend the original article. This is RUMOUR and nothing more.

        ————-

        Allow me to play devil’s advocate for a few minutes…

        These LulzSec guys have been banging on for a while now how they are out to hurt Sony, but to be honest I’ve been through their site and I’m not convinced this whole thing isn’t just an elaborate ruse. If they want to hurt Sony, they don’t actually need to steal data at this point, they just need to convince people they have – which in the current climate is pretty easy. Nobody I’ve seen, including all the sites reporting on this, has asked the question “Can you prove it?”.

        Of interest, I took one of the databases they released with names, addresses etc. and randomly tried three names in Google. All of them had corresponding hits with matching addresses, i.e. the data was already publicly available. How do we know (for instance) that these LulzSec clowns haven’t just compiled a list of details by trawling these sites, then released it as “stolen Sony databases”? It would certainly be easy enough to do for them, and to the casual observer you have no real way of knowing if these lists are 100% real, 50% real or completely fabricated. I don’t doubt they are smart enough to write scripts to randomly generate convincing passwords based on inputted data (email address, real name etc.).

        LulzSec have already said they didn’t do the PSN hack, and Sony has only admitted to having the PSN hacked, not all these other sites. When Sony come out and confirm the sites were hacked and user data was actually stolen, then I’ll believe LulzSec. Until then, I’ve no reason to believe we’re not all just being punk’d.

        One more thing, complex passwords. Take for example this alleged sample list of stolen email addresses and passwords, there are four (4) complex passwords in a list of over 21000 email users. People might be dumb, but 4 in 21000? Seems pretty light on to me. Try harder LulzSec.

        I’m not ruling anything out at this point, but I remain skeptical of everything at the moment – particularly ‘claims’ by these groups looking to big note themselves.

        Oh, and one last, and VERY important point.

        THEY HAVE NOT RELEASED 1,000,000 USER DETAILS. This is being completely incorrectly reported by news outlets. LulzSec claim they ‘compromised over 1,000,000 users’ personal information’, but they go on to say they didn’t have the time or money to actually get it all (yeah right), so instead they got a ‘sample’ to prove it. If you look at their claim specifically, they say they got 61,600 user details, well and truly a small enough number to manually fabricate. Furthermore, whilst I haven’t yet done a comparison of the various text files for duplicates, I did some quick checks and found several duplicate email/password combos in supposedly different databases – it could be legit, or it could be LulzSec padding the lists quickly to make their claim seem more believable.

        The more I think about it, the more this looks like complete bullshit. If their goal was to sucker everybody in and damage Sony’s rep further – mission accomplished. The jury is still out on this one.

        —————

        Think for yourselves for once people, you don’t have to blindly believe everything just because Gizmodo or TSA tell you it’s true. If you want to see the source data, it’s still up – just google it. Prove to yourself just how BS it is.

      • Thank you.
