Posted on 03 Jun 2011
In the latest cyber attack on the Japanese electronics giant, hackers have claimed to have compromised more than one million passwords, email addresses and other information from SonyPictures.com.
The claim was made by a group of hackers calling themselves "Lulz Security," who published a number of files online containing lists of thousands of stolen email addresses and passwords.
"We recently broke into SonyPictures.com and compromised over 1,000,000 users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts," Lulz Security said.
"Due to a lack of resources on our part we were unable to fully copy all of this information," the group said. "In theory we could have taken every last bit of information, but it would have taken several more weeks."
To "prove its authenticity," the group posted lists of thousands of stolen Gmail, Hotmail, AOL, Yahoo and other email addresses and passwords on Pastebin where they were publicly accessible.
Sony, whose online services have been targeted by a series of cyber attacks over the past few weeks, said it was investigating the latest alleged breach.
"We are looking into these claims," Sony Pictures Entertainment executive vice president Jim Kennedy said in a statement to AFP.
SonyPictures.com features movie trailers and information about films and television shows and also allows users who sign up to receive email updates.
Lulz Security, the group which claimed the attack on SonyPictures.com, said the data theft exploited one of the most "primitive and common vulnerabilities."
"Why do you put such faith in a company that allows itself to become open to these simple attacks?" Lulz Security said.
"What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it," the group said. "This is disgraceful and insecure: they were asking for it."
A loose-knit "hacktivist" group known as Anonymous began staging attacks on Sony's online services in April in retribution for its legal action against hackers who cracked PlayStation 3 defenses to change console operating software.
Anonymous acknowledged carrying out distributed denial of service (DDoS) attacks but denied involvement in any data theft or the latest attack by the group calling itself Lulz Security.
In a typical DDoS attack, a large number of computers are commanded to simultaneously visit a website, overwhelming its servers, slowing service or knocking it offline completely.
Sony's PlayStation Network, its Qriocity music streaming service and Sony Online Entertainment were among the services targeted by hackers.
The company later suffered attacks on websites in Greece, Thailand and Indonesia and on the Canadian site of mobile phone company Sony Ericsson.
According to Sony, 77 million PlayStation and Qriocity accounts have been affected along with 25 million Sony Online Entertainment accounts, bringing the total to more than 100 million and making it in one of the largest data breaches ever.
Sony said Thursday that it has restored PlayStation Network services everywhere except Japan, Hong Kong and South Korea and partially resumed Qriocity.
Sony has estimated that the cyber attacks could cost it 14 billion yen ($172 million), not counting compensation claims.