The hacker group LulzSec made good on its recent promise to embarrass Sony by compromising the personal information of 1 million users of SonyPictures.com. The latest Sony hack is another black eye for a company that only recently recovered from the hack against Sony Computer Entertainment's PlayStation Network and Qriocity music service in April.
Due to a lack of resources, LulzSec was only able to expose a small sample of the unsecured data contained on Sony servers. But it's unclear whether other criminal elements have capitalized on LulzSec's discovery.
Here's a breakdown of LulzSec's latest hack, which the group is calling Sownage (Sony + Ownage).
How much user data was exposed?
LulzSec says its hack exposed user data for 1 million users; however, the hacker group did not have the computer resources to download all of the exposed material. Based on a summary of the exposed user data on LulzSec's website, the group included the personal information for more than 51,000 users related to SonyPictures.com and another 600 users from Sony BMG Netherlands.
What kind of data was stolen?
LulzSec says it was able to expose passwords, e-mail addresses, home addresses, birthdates, and all Sony opt-in data associated with users' accounts. In some cases, the exposed personal information included home telephone numbers. The Associated Press on Thursday contacted several users by telephone based on information included in LulzSec's sample. The AP confirmed that at least some of the exposed information was genuine.
Beyond user information, LulzSec also exposed 75,000 music redemption codes, 3.5 million digital music coupons and the database layouts for SonyPictures.com, Sony BMG Belgium and Sony BMG Netherlands.
Where is this data now?
LulzSec posted the samples of exposed user data on its own site, Mediafire.com and as a torrent. At the time of this writing LulzSec's site was down, but Google caches are available, and MediaFire has removed LulzSec's uploads. The torrent is widely available.
What should I do if I was hacked?
My colleague Nick Mediati has posted a simple five-step plan to help secure your data as best you can after a breach. If you are a Gmail user, you should also consider using Gmail's new two-factor authentication for extra protection.
How was this hack done?
An SQL injection is when a hacker types code requesting data into a Web form instead of the data the site expects, such as a user name or password. If proper precautions are not taken, the code is able to execute and allow hackers to download the database information they requested.
Was the exposed data encrypted?
No. LulzSec said all of the data it downloaded was unencrypted. User IDs and passwords were sitting in the database as plain text (".txt") files.
Who is LulzSec?
LulzSec (Lulz Security) is a hacker group (or possibly just one person) responsible for a number of recent intrusions into corporate servers. The group broke into a Sony site based in Japan, Fox.com and the recent PBS hack that included posting a fake news item to PBS.org proclaiming rapper Tupac Shakur was still alive.
As its name suggests, LulzSec claims to be interested in mocking and embarrassing companies by exposing security flaws rather than stealing data for criminal purposes. But that doesn't mean others won't capitalize on security flaws exposed by the online pranksters.
Is 2011 the Year of the Malicious Hacker?
It sure looks that way with the recent Gmail hack that Google blames on China, the LulzSec break-ins, and a rash of other intrusions such as the RSA SecurID breach and the Sony PSN hack. But keep in mind that many of these intrusions are the result of companies and users failing to follow basic security measures.
The Gmail hack appears to be the result of luring people to a phishing site. EMC, the company behind RSA Security said it was the victim of an "extremely sophisticated cyber attack." But I don't see what's so "extremely sophisticated" about a hacker tricking someone into downloading a malicious Excel document via email. Malicious email downloads are one of the oldest malware tricks in existence.
With hackers becoming more emboldened to attack corporate sites, corporations need to do a better job of safeguarding user data. A good start would be to watch out for basic SQL injection techniques, encrypt databases filled with personal information, and provide an HTTPS connection for their users whenever possible. These three basic things would go a long way to thwarting the shenanigans of groups like LulzSec. You can never be 100 percent immune from intrusions, but that's no excuse for failing to follow even the most basic security precautions.