The hacker group LulzSec made good on its recent promise to embarrass Sony by compromising the personal information of 1 million users of SonyPictures.com. The latest Sony hack is another black eye for a company that only recently recovered from the hack against Sony Computer Entertainment's PlayStation Network and Qriocity music service in April.
Due to a lack of resources, LulzSec was only able to expose a small sample of the unsecured data contained on Sony servers. But it's unclear whether other criminal elements have capitalized on LulzSec's discovery.
[ Learn how to greatly reduce the threat of malicious attacks with InfoWorld's Insider Threat Deep Dive PDF special report. ]
Here's a breakdown of LulzSec's latest hack, which the group is calling Sownage (Sony + Ownage).
How much user data was exposed?
LulzSec says its hack exposed user data for 1 million users; however, the hacker group did not have the computer resources to download all of the exposed material. Based on a summary of the exposed user data on LulzSec's website, the group included the personal information for more than 51,000 users related to SonyPictures.com and another 600 users from Sony BMG Netherlands.
What kind of data was stolen?
LulzSec says it was able to expose passwords, email addresses, home addresses, birthdates, and all Sony opt-in data associated with users' accounts. In some cases, the exposed personal information included home telephone numbers. The Associated Press on Thursday contacted several users by telephone based on information included in LulzSec's sample. The AP confirmed that at least some of the exposed information was genuine.
Beyond user information, LulzSec also exposed 75,000 music redemption codes, 3.5 million digital music coupons and the database layouts for SonyPictures.com, Sony BMG Belgium and Sony BMG Netherlands.
Where is this data now?
LulzSec posted the samples of exposed user data on its own site, Mediafire.com and as a torrent. At the time of this writing LulzSec's site was down, but Google caches are available, and MediaFire has removed LulzSec's uploads. The torrent is widely available.
What should I do if I was hacked?
My colleague Nick Mediati has posted a simple five-step plan to help secure your data as best you can after a breach. If you are a Gmail user, you should also consider using Gmail's new two-factor authentication for extra protection.
How was this hack done?
An SQL injection is when a hacker types code requesting data into a Web form instead of the data the site expects, such as a user name or password. If proper precautions are not taken, the code is able to execute and allow hackers to download the database information they requested.