
Sony pictures loses 1,000,000 passwords

by Hugo Jobling on 3 June 2011, 11:21

Tags: Sony (NYSE:SNE)

Quick Link: HEXUS.net/qa57l


Not a pretty picture

Sony's internal review of its security seemingly isn't being carried out fast enough, as yet another attack - this time against SonyPictures.com - has led to the leak of over one million records, including names, addresses, email addresses, phone numbers and unencrypted passwords.

A group calling itself LulzSecurity went a step further than simply claiming to have stolen user account data from Sony's website by posting around 50,000 records on its website. Executive vice president of global communications for Sony Pictures Entertainment, Jim Kennedy, said that Sony is "looking into these claims."

However, although it's impossible to say for sure whether the attackers gained as many accounts as they claim, at least the released records appear to be genuine. The Associated Press took the liberty of phoning a few of the numbers released by 'LulzSec' and verified that their personal data as listed was accurate.

LulzSec also claims to have accessed passwords for Sony BMG employees in Belgium, and says it has acquired over 20,000 coupons for Sony music. That information is less easy to verify, but given the accuracy of the stolen user data, and Sony's apparent propensity for not safeguarding its data particularly well, it would almost be more surprising if LulzSec hadn't acquired the data it says it has.

Having already lost an estimated £100m as a result of the PSN breach, Sony is taking steps to ensure an epidemic of breaches like this doesn't occur again. The message for now, though, seems to be that if you've ever handed Sony any personal data you should expect it to be made public by a hacker at some point.



HEXUS Forums :: 24 Comments

The message for now, though, seems to be that if you've ever handed Sony any personal data you should expect it to be made public by a hacker at some point.
And, by direct extrapolation, you should be concerned about that threat when you hand personal data to ANY organisation. Just because some others haven't hit the headlines yet, does that mean they have better security? Or that they haven't yet been targeted? Or that they have been targeted and had stuff compromised but don't know it? Or that they know it but, when perhaps told “pay up or we go public” they paid up (and I've no idea if that happened with Sony and they refused).

Put it this way. A hacker can't gain data about you from an organisation if that organisation doesn't have it. So, my advice is to think carefully, when personal info is requested, as to whether it's in YOUR interest to give it, or to give all of it.

Sometimes, releasing personal information is in your interests, and sometimes, it's unavoidable if you want a given service, in which case, I think about how much I want that service. For instance, I was after double glazing a while back. I redid the whole house. One company quoted about £14,000. A similar company did not want to attend unless I gave them a phone number, and I am not giving a double glazing company my home phone number (or my mobile, for that matter). And they would not attend to give a quote unless I did. Result …. they lost the business. Well, they're entitled to require the phone number, but it was for their convenience (avoiding wasted trips) not mine. So I gave them a choice …. come and quote without it, or don't come. They chose not to come. I'm sure the company I used in the end are quite happy that a couple of major, brand-name competitors operate that policy. ;)

Anyway, back on topic. The only way we can be sure that our personal data is not compromised is to not give it out. That suggests being very selective about who we give it to, and what information we give and for what reason, if we want to minimise our personal exposure, because this problem for Sony is likely to be the tip of the iceberg, not the whole iceberg.
It's true that everyone wants as many details as possible when they do not need such information. Take registering on forums and the like: they don't need your address details or phone number. Why does Sony have this information? All they need is a user name, password and email address.

I hope Sony get a good whoop ass kicking by some lawyers over this.

Sony stinks of arrogance and I am happy if they get thrown to the wall on this. :clapping:
You'd think they would have learnt from the PSN break-in, and immediately convert all the passwords they have stored into hashes. There's no legitimate reason to store passwords in plaintext, ever.
aidanjt
You'd think they would have learnt from the PSN break-in, and immediately convert all the passwords they have stored into hashes. There's no legitimate reason to store passwords in plaintext, ever.

Not just hashes. They should be salted as well.
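The two posts above say the stored passwords should have been hashed, and salted as well. As an added example (not code from the article, from HEXUS, or from any of the posters), here is what that looks like in Python: a bare hash beside a salted, iterated one, the one-pass migration of a plaintext table, and the check you would run over a dumped table to tell the two apart. The account names and passwords are constructed sample data; PBKDF2-HMAC-SHA256 from the standard library is used as the illustration, not as a claim about what any Sony system ran.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed sample data for illustration only; nothing here is from the breach.
# Two users share a password, which is exactly the case salting is meant to hide.
SAMPLE_ACCOUNTS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}

# OWASP's current recommendation for PBKDF2-HMAC-SHA256.
DEFAULT_ITERATIONS = 600_000


def unsalted_hash(password: str) -> str:
    """Bare SHA-256 of the password. Better than plaintext, but identical
    passwords give identical hashes and a precomputed table cracks them all at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Salted, iterated hash. A fresh 16-byte random salt per password means two
    users with the same password get different stored values, and an attacker has
    to attack each account separately. Salt and cost are stored alongside the
    digest so verification needs nothing else."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time
    so response timing does not leak how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def migrate_plaintext_table(accounts: Dict[str, str],
                            iterations: int = DEFAULT_ITERATIONS) -> Dict[str, str]:
    """What 'convert all the stored passwords into hashes' amounts to: one pass over
    the plaintext table with a new salt per row. The plaintext column can then go."""
    return {user: hash_password(pw, iterations=iterations) for user, pw in accounts.items()}


def shared_hash_count(hashes: Iterable[str]) -> int:
    """Number of accounts whose stored value is shared with at least one other account.
    Run over a dumped table, a non-zero result means the values are unsalted (or still
    plaintext) and every reused password is exposed in a single pass."""
    counts: Dict[str, int] = {}
    for h in hashes:
        counts[h] = counts.get(h, 0) + 1
    return sum(c for c in counts.values() if c > 1)


if __name__ == "__main__":
    unsalted = {u: unsalted_hash(p) for u, p in SAMPLE_ACCOUNTS.items()}
    salted = migrate_plaintext_table(SAMPLE_ACCOUNTS)
    print("accounts sharing an unsalted hash:", shared_hash_count(unsalted.values()))
    print("accounts sharing a salted hash:   ", shared_hash_count(salted.values()))
    print("alice logs in with hunter2:", verify_password("hunter2", salted["alice"]))
    print("alice logs in with Hunter2:", verify_password("Hunter2", salted["alice"]))
```

The point of `shared_hash_count` is the poster's: on the sample table the unsalted column shows two colliding rows straight away, while the salted column shows none even though alice and bob chose the same password. Storing the iteration count with each row is what lets the cost be raised later without forcing every user to reset.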
aidanjt
You'd think they would have learnt from the PSN break-in, and immediately convert all the passwords they have stored into hashes. There's no legitimate reason to store passwords in plaintext, ever.

Worth mentioning that a really easy way to check this is to ask for a password reminder on your favourite websites. If you get your password back in plaintext, then you should consider what you have stored on that site and what else you use that password for.

It's not implicit that if they send a “reset your password” email, rather than just telling it to you, your data is encrypted, so be aware of that too.

Of course you can always fill in the forms with dummy data - there's nothing stopping you.