“Every bit of data we took wasn’t encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext…”
In a statement, LulzSec say they are not attempting to come across as “master hackers”, but instead wish to highlight Sony’s lax security. They say:
“Every bit of data we took wasn’t encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it’s just a matter of taking it.”
The group says the data stolen includes users’ passwords, email addresses, home addresses and dates of birth, and has placed samples online for others to verify their claim.
LulzSec say they accessed SonyPictures.com with an SQL injection, in which attackers exploit vulnerabilities in a website and force it to run unauthorised code. The group calls this “one of the most primitive and common vulnerabilities”, and asks: “Why do you put such faith in a company that allows itself to become open to these simple attacks?”
Sony says it is aware of LulzSec’s statement and is investigating the issue. “We are looking into these claims,” Jim Kennedy, executive vice president of global communications for Sony Pictures Entertainment, told the Associated Press.
AP also called a number listed by LulzSec and verified that it belonged to a woman in Minnesota, who confirmed the rest of her details.
This latest attack comes as Sony recovers from a previous hacking incident, with its PlayStation Network only just fully restored after a month-long outage.
It is also the latest in a string of security breaches carried out by LulzSec, who last weekend hacked into and defaced the website of PBS, the US public broadcasting organisation, and previously stole data from the Fox broadcasting company.
Meanwhile, infamous hacktivist group Anonymous today said it has stolen 10,000 emails from Iran’s Ministry of Foreign Affairs as part of its latest endeavour, OpIran.
Anonymous carried out its attacks as a response to Iranian crackdowns on anti-government protests, with one member telling The Epoch Times they aimed to damage the image of Iran “both in cyber space and the real world.” The emails were taken from the Iranian Passport and Visa Office, and appear to be mostly visa applications.