Hackers steal more customer info from Sony servers

The same group that hacked PBS's Web site over the weekend says it has compromised the personal information and passwords of "over 1 million" Sony customers.

Erica Ogg Former Staff writer, CNET News

A group of hackers said today that they have broken into several Sony Web sites and compromised the personal data of more Sony customers.

The group, which calls itself "Lulzsec," is the same group that posted fake news stories on PBS.com over the weekend.

They have been promising Sony attacks since this past weekend, a plan they called "the beginning of the end" for Sony. After being challenged to show what they found, the group today posted links on Twitter to samples of information they compromised on internal Sony networks and Web sites, including Sony Pictures, Sony Music Belgium, and Sony Music Netherlands.

On the site Pastebin, Lulzsec wrote: "We recently broke into SonyPictures.com and compromised over 1,000,000 users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts. Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 'music codes' and 3.5 million 'music coupons'."

The group said it didn't have the resources to copy all the information it found, but is posting "samples" to prove their authenticity. The group claims it could have taken more, but that would have taken "several more weeks."

The files in the download appear to contain names, addresses, e-mail addresses, and passwords, but it was unclear how many were in the sample provided by the group.

One file labeled Sony BMG Music Entertainment Belgium included this note: "This target gave us LOLs as it provided internal release dates of records, barcodes, sales reports, and plaintext Sony employee passwords."

Sony did not immediately respond to a request for comment.

Getting the information was not that complex, Lulzsec claims. The group said it gained access to SonyPictures.com with a single SQL injection.

"What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it," reads the post. "This is disgraceful and insecure: they were asking for it."
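The two failures the post describes, a query that can be altered by user input and a password table that stores the secret itself, are shown side by side below. This is an added illustration using Python's built-in sqlite3 and hashlib modules, not code from Sony or from the group; the table layout, the user names and the passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the demonstration (not real data).
SAMPLE_USERS = [("alice", "correct horse battery"), ("o'brien", "hunter2")]
PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored value cannot be read back as the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_db() -> sqlite3.Connection:
    """In-memory users table holding a per-user salt and hash, never the plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, iterations INTEGER)"
    )
    for name, password in SAMPLE_USERS:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?, ?)",
            (name, salt, _hash_password(password, salt, PBKDF2_ITERATIONS), PBKDF2_ITERATIONS),
        )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Injectable: the input is spliced into the SQL text, so the parser treats it as SQL."""
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized: the value is bound separately and is only ever data."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def input_is_parsed_as_sql(conn: sqlite3.Connection, name: str) -> bool:
    """True when the vulnerable lookup lets the input change the statement's structure.

    A single apostrophe in the name is enough to break the string-built query,
    which is exactly the property an injection relies on; the safe lookup is unaffected.
    """
    try:
        lookup_vulnerable(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


def verify_password(conn: sqlite3.Connection, name: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    row = conn.execute(
        "SELECT salt, pw_hash, iterations FROM users WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        return False
    salt, stored, iterations = row
    return hmac.compare_digest(_hash_password(candidate, salt, iterations), stored)


def password_visible_in_dump(conn: sqlite3.Connection, password: str) -> bool:
    """Would a full table dump expose this password verbatim? With hashing it should not."""
    for row in conn.execute("SELECT * FROM users"):
        for value in row:
            if isinstance(value, bytes) and password.encode() in value:
                return True
            if isinstance(value, str) and password in value:
                return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("safe lookup of o'brien:", lookup_safe(db, "o'brien"))
    print("vulnerable lookup parses input as SQL:", input_is_parsed_as_sql(db, "o'brien"))
    print("alice verifies:", verify_password(db, "alice", "correct horse battery"))
    print("hunter2 readable from dump:", password_visible_in_dump(db, "hunter2"))
```

The point of the dump check is the one the post makes: if the database is exfiltrated, a hashed column forces an attacker to guess each password offline, whereas a plaintext column hands every account over as-is.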

The group said on Twitter that it will accept contributions in the form of BitCoin virtual currency that will be used to help it do more hacking. BitCoin is a method that allows people to make and receive payments without it being traced back to them.

People who think they may be affected should change their passwords, change their security questions, keep an eye on their accounts for any unauthorized activity, and be on alert for phishing e-mails that appear to be from Sony.

"What makes this significant is the customer information is readily available and being shared," said E.J. Hilbert, president of Online Intelligence and a former cybercrime agent for the FBI. "Physical address and phone number are just more pieces of information that could be used by criminals to hijack accounts... There are huge opportunities for identity theft and for spammers and scammers to run different offers."

Some people were reporting on Internet Relay Chat channels that they were trying some of the passwords on sites like Facebook and were able to get in because of people using the same password on multiple sites, according to Hilbert.

Sony has increasingly become the target of hackers over the last few months. In early April the activist hacker group Anonymous hacked into several Sony Web sites as supposed retribution for Sony's lawsuit against George Hotz, who had been helping others jailbreak their PlayStation 3 consoles.

But that was minor compared to the security breach that took place between April 17 and 19 that allowed still unnamed hackers to make off with the personal data of more than 100 million customers of Sony's PlayStation Network, Qriocity entertainment service, and online gaming network Sony Online.

Sony was forced to shut down PSN for more than three weeks while it hired security experts, worked with the FBI on a forensic investigation, and rebuilt the security of its gaming and entertainment network. Parts of the service returned in mid-May. The final piece of PSN, the PlayStation Store, was reactivated late last night.

The attacks on Sony would seem to indicate lax practices on Sony's part, said Beth Givens, director of the Privacy Rights Clearinghouse. "These repeated Sony attacks are an object lesson for all companies," she said. "Sony has reported that it uses industry standards for security. If that's true, then perhaps it is time to re-evaluate and even go beyond such standards."

CNET's Elinor Mills contributed to this report.

This post was updated at 3:20 p.m. PT with comment from Hilbert and Givens, and at 1:59 p.m. PT with background, more details.