Another massive data breach at Sony has left hackers exulting, customers steaming and security experts questioning why basic fixes haven't been made to the company's stricken cybersecurity program.
Hackers say they managed to steal a massive trove of personal information from Sony Pictures' website using a basic technique which they claim shows how poorly the company guards its users' secrets. Security experts agreed Friday, saying that the company's security was bypassed by a well-known attack method by which rogue commands are used to extract sensitive data from poorly-constructed websites.
Coming on the heels of a massive security breach that compromised more than 100 million user accounts associated with Sony's PlayStation and online entertainment networks, the latest attack suggested that hackers were lining up to give the company a kicking.
Culver City, California-based Sony Pictures has so far declined to comment beyond saying that it is looking into the reported attack — which saw many users' names, home addresses, phone numbers, emails, and passwords posted on the Web.
It wasn't clear how many people were affected. The hackers, who call themselves Lulz Security — a reference to the Internet jargon for "laugh out loud"— boasted of compromising more than 1 million users' personal information — although it said that a lack of resources meant it could only leak a selection on the Web. Their claim could not be independently verified, but several people whose details were posted online confirmed their identities.
Lulz Security ridiculed Sony for the ease with which it stole the data, saying that the company stored peoples' passwords in a simple text file, something it called disgraceful and insecure.
Several emails sent to accounts associated with the hackers as well as messages posted to the microblogging site Twitter were not returned, but in one of its tweets Lulz Security expressed no remorse.
Claiming that innocent people whose data they leaked should blame Sony.
Sony's customers — many of whom had given the company their information for sweepstakes draws — appeared to agree.
A 39-year-old computer instructor in Ohio, said he was extremely upset to find email address and password posted online for the whole world to see. He has since been changing his passwords on every site that uses a login. Sony stored his passwords in plain text instead of encrypting the information. It shows little respect to their customers.He and others complained that they had yet to hear from the company about the breach, news of which is nearly a day old.
The chief technology officer for the U.S. Cyber Consequences Unit — a research group devoted to monitoring Internet threats — was emphatic when asked whether users' passwords could be left unencrypted. He commented that passwords should always be hashed. Some kind of encryption should be used. He has been critical of Sony's security in the past, and said the company needed to take a hard look at how it safeguards its data.