Just days after threatening to undertake an operation that it called "the beginning of the end for Sony," a hacker group claims to have compromised the personal information of over 1 million users of SonyPictures.com.
The group, which calls itself LulzSec, is the same one that took over PBS Websites over the Memorial Day weekend, posting false news stories that rapper Tupac Shakur was still alive and living in New Zealand.
"We recently broke into SonyPictures.com and compromised over 1,000,000 users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts," the group said in a statement issued Thursday. "Among other things, we also compromised all admin details of Sony Pictures, including passwords, along with 75,000 'music codes' and 3.5 million 'music coupons'."
Jim Kennedy, EVP of Global Communications for Sony Pictures Entertainment, said the company was looking into the claims.
LulzSec posted several files containing what appears to be user information — including names, home addresses and email addresses of people who had entered a sweepstakes, along with the usernames and passwords of employees — on its Website as well as several BitTorrent file sharing sites around the Web. The hackers say that a lack of resources prevented them from copying all of the information they found, but they provided details of how they compromised the system and encouraged other hackers to gather information as well.
"Our goal here is not to come across as master hackers, hence what we're about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now," the group said. "From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?"
As it bragged about the attack on Twitter, the group also began requesting contributions from supporters in the form of BitCoin virtual currency, noting that the money would be used to fund additional hacking.
BitCoin is a digital currency that avoids a central issuer, making it impossible to trace who has donated money to whom. Many people use it to purchase illegal narcotics online.
The latest attack comes as Sony is just beginning to recover from an unprecedented attack on its PlayStation Network. Personal information was stolen from over 100 million user accounts in that attack. On Thursday, in fact, the company finally restored full service to the Network — the first time it has been fully operational since April 20.
Since those PSN hacks, Sony has been the regular target of hackers. Late last month, intruders breached its sites in Canada, Thailand and Indonesia.
Sony had been criticized during the aftermath of that attack for not adequately shielding personal information by putting it in an encrypted file. Statements from LulzSec indicate that the SonyPictures site had a similar flaw.
"What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it," it said. "This is disgraceful and insecure: they were asking for it."
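The two failings the statements describe, user input spliced into a SQL query and passwords stored in plaintext, sit side by side with their standard fixes in this added Python example. It is not code from the article or from Sony: it uses an in-memory SQLite table with constructed sample accounts and assumes nothing about the real site's schema.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # work factor; raise as hardware allows


def build_store() -> sqlite3.Connection:
    # Constructed stand-in for a site's users table (not Sony's schema).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    return conn


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow salted hash: a dump of the table yields no reusable plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(conn: sqlite3.Connection, email: str, password: str) -> None:
    salt = os.urandom(16)  # fresh per-user salt defeats precomputed tables
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        (email, salt, hash_password(password, salt)),
    )


def find_user_unsafe(conn: sqlite3.Connection, email: str) -> list:
    # The anti-pattern: a quote in `email` rewrites the query's meaning.
    # Kept only for contrast with find_user below; never ship this.
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def find_user(conn: sqlite3.Connection, email: str) -> list:
    # Parameterised: the driver sends `email` as data, never as SQL text.
    return conn.execute(
        "SELECT email FROM users WHERE email = ?", (email,)
    ).fetchall()


def verify_login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time compare so the check leaks nothing about the stored hash.
    return hmac.compare_digest(stored, hash_password(password, salt))
```

A quote-containing email such as `x' OR '1'='1` is a useful regression input: `find_user` returns no rows for it, while `find_user_unsafe` returns every account.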
Experts say the recent hacker attacks are akin to aftershocks following a massive earthquake. Given how prominently Sony was breached, other members of the hacking community are eager to test for other weak spots.
"When you're a large enterprise, there are going to be people who are determined to attack you," says Hemu Nigam, founder of SSP Blue, an Internet security consultant business and former VP of internet enforcement at the MPAA. "When vulnerability is identified, there's a lot of copycat hackers looking to come after you. … This is going to be an ongoing battle as long as we have good and evil in society."