Sony hacked yet again, plaintext passwords, e-mails, DOB posted

I've lost count of how many times Sony's online properties have been hacked now—I just don't have that many fingers—but it's happened again. Databases used to operate sonypictures.com, sonybmg.nl, and sonybmg.be have been compromised by a group calling itself Lulz Security, or LulzSec for short. This is the same group that earlier in the week hacked PBS's servers in retaliation for a documentary felt to be critical of Wikileaks; they also hacked sonymusic.co.jp last week.

Just as was the case with the sonymusic.gr hack and LulzSec's sonymusic.co.jp hack, the latest hack was performed using SQL injection: a rudimentary technique that depends on improper handling of Web site URLs. Being susceptible to SQL injection is embarrassing enough—techniques to prevent it are well-known, and easy to apply to any database-driven Web site—but what makes this hack even worse is the data that has been compromised.

The hackers retrieved account information from the database. They claim there are more than a million accounts in total; their BitTorrented dump just contained a sample. The database contained information about a variety of different account types, apparently related to different promotions and features operated by the company. Different sets of accounts, but with one major feature in common: they included plaintext passwords. Anyone who can read the database can read the passwords. And given that password reuse is rampant—many, many people use the same passwords for Web sites as they do their e-mail or online banking—many of those who have had their Sony accounts compromised now risk having their e-mail accounts attacked.

Some accounts also included names, phone numbers and full postal addresses.

http://arstechnica.com/tech-policy/news/2011/06/sony-hacked-yet-again-plaintext-passwords-posted.ars