Hackers Spill over 1,000,000 Sony Pictures Online Accounts


Sony getting its ass handed to it by hackers is becoming about as newsworthy as a netbook release, but this one is particularly brutal: Lulz Security just released a file containing over a million user logins. Home addresses included.


The Lulz crew says their gigantic dump includes:

Personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts. Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 "music codes" and 3.5 million "music coupons".

Not stuff you want floating around on MediaFire (and not something we're going to link to, out of respect for the privacy of that million plus).

So, why'd they do it this time? FOR THE LULZ? No. To teach a lesson, they say:

Our goal here is not to come across as master hackers, hence what we're about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?


As much as this is a shit move on their part, they have a good point. All of this extremely sensitive user data was stored in plain text, with zero encryption whatsoever. Sony is clearly beyond the palest pale of ineptitude when it comes to keeping their house in order. Their server rooms have had a screen door on them for the past month. Get it the hell together.
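The two failures the article names, a lookup built by string concatenation and credentials kept in plain text, are both fixable in a few lines. The following is an added example, not code from the article, Sony or LulzSec: it uses Python's standard `sqlite3` and `hashlib` modules against a constructed in-memory `users` table with two made-up accounts. It shows the concatenated query returning rows it should not for a quoting-broken input, the parameterised version of the same query returning none, and passwords stored as salted PBKDF2 hashes that a database dump would not reveal.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # work factor; raise in production as hardware allows


def make_db():
    """Constructed sample schema for this example; not any real site's layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    return conn


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256: a one-way hash is stored, never the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def register(conn, email, password):
    salt, digest = hash_password(password)
    conn.execute(
        "INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
        (email, salt, digest),
    )


def lookup_unsafe(conn, email):
    # The flaw the article describes: user input is pasted into the SQL text,
    # so a stray quote changes the query's structure instead of its data.
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    # Parameter binding: the driver sends the input as a value, never as SQL.
    return [
        row[0]
        for row in conn.execute("SELECT email FROM users WHERE email = ?", (email,))
    ]


def verify_login(conn, email, password):
    """Recompute the hash with the stored salt; constant-time compare."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)


def demo():
    """Run both lookups on the same quoting-broken input and check storage."""
    conn = make_db()
    register(conn, "alice@example.com", "correct horse")   # constructed account
    register(conn, "bob@example.com", "battery staple")    # constructed account
    probe = "' OR '1'='1"  # the textbook quoting case every input test should cover
    stored_hash = conn.execute(
        "SELECT pw_hash FROM users WHERE email = ?", ("alice@example.com",)
    ).fetchone()[0]
    return {
        "unsafe_rows": len(lookup_unsafe(conn, probe)),  # matches every row
        "safe_rows": len(lookup_safe(conn, probe)),      # matches nothing
        "good_login": verify_login(conn, "alice@example.com", "correct horse"),
        "bad_login": verify_login(conn, "alice@example.com", "wrong"),
        "hash_is_not_password": stored_hash != b"correct horse",
    }


if __name__ == "__main__":
    print(demo())
```

The unsafe lookup is kept only to show, under test, why the parameterised form is the one that belongs in production code; a review or a unit test that feeds quoting-broken strings to every query path catches this class of defect before an attacker does. Storing PBKDF2 hashes (or bcrypt/scrypt/Argon2) means a dumped table yields no reusable passwords, which is exactly what the plain-text storage the article criticises fails to provide.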



This is shitty and stupid.

But. We have Sarbanes-Oxley, which exists solely as an excuse to enrich accounting firms and lawyers, right? Still, it does tell CFOs that they need to take certain steps toward proper financial governance, or they stand to fail an audit, and good luck explaining that to the board.

So, why don't we have a similar law that says companies have a responsibility to adhere to certain basic practices to protect customer and client data? And make it part of their S-OX audit? It doesn't have to be exhaustive, or create a new generation of pocket protector geeks, but it should tell Sony or anyone else that if they store sensitive customer data in plain text (for example), they will be severely fined. If they lie, and someone breaches their databases anyway and finds the data in plain text, well, that's a bigger fine, and if it's bad enough maybe jail time for the C-levels.