Group claims fresh hack of 1 million Sony accounts

@CNNMoneyTech June 2, 2011: 6:50 PM ET
Lulz Security advertised its Sony hack in an ASCII-festooned press release.


NEW YORK (CNNMoney) -- Sony just can't catch a break from hackers. A group calling itself "Lulz Security" announced a fresh attack on Thursday, posting online snippets of data it says came from a breach earlier this week of more than 1 million user accounts on Sony's website.

Lulz began posting messages to Twitter on Thursday about its "Sownage" campaign, and around 4:30 p.m. ET it posted links to download what it claimed was a giant cache of Sony user data.

The documents posted include names, passwords, e-mail addresses, home addresses and dates of birth for thousands of people. Lulz said it grabbed the material by exploiting a vulnerability on a Sony page advertising the company's Ghostbusters franchise.

Lulz posted the website's address in its data dump, and encouraged fellow hackers to "tear the living shit out of it while you can; take from them everything!"

A Sony (SNE) spokeswoman wasn't able to confirm or deny the hack, but Sony quickly took down the webpage identified in Lulz's documents.

If the claim is valid, it would be a devastating blow to Sony, which is trying to recover from major hacks in April and May. Those attacks forced the company to pull its PlayStation, Qriocity and Sony online gaming networks offline.


CNNMoney contacted several of the people whose e-mail addresses were listed in the Lulz documents. One replied that her account, which she created to enter a contest, had been hacked. But she wasn't concerned.

"This is information that, except for the password, can be found by anyone looking on the Internet," Laura Lemons said in an e-mail. "This seems minor to me unless they hacked my credit card numbers or my banking information."

On an Internet Relay Chat channel Lulz set up to discuss the hack, several participants reported that they were able to break into Gmail and Facebook accounts because Sony customers used the same password there that they did on Sony's website.

A statement posted on Lulz's site, titled "pretentious press statement," said "SonyPictures.com was owned by a very simple SQL injection." That type of attack exploits a Web application vulnerability.

Lulz's statement said Sony was "asking for it" by storing more than 1 million user passwords in plain text, instead of encrypting them.

"It's just a matter of taking it. This is disgraceful and insecure," Lulz said.

Lulz also said it had compromised "all admin details of Sony Pictures," including passwords, as well as 75,000 music codes and 3.5 million music coupons.

The previously unknown hacker group burst onto the scene this weekend with an attack on the website of PBS, which apparently drew their ire with a documentary on WikiLeaks. Lulz posted a fake story on PBS.org announcing that rapper Tupac Shakur -- who has been dead for almost 15 years -- is alive and living in New Zealand.

Sony is becoming a whipping boy for hackers. The culprits behind the first round of Sony hacks have not yet been identified, but Sony said in a letter to Congress that it believes website-attacking group "Anonymous" was responsible.

Anonymous is a decentralized group that originated on image-board site 4chan.org. It organizes swarms to try to crash the websites of those it deems enemies.

Sony's letter to Congress pointed out that the company recently landed in Anonymous' crosshairs for suing two people who were distributing instructions on how to hack a PlayStation 3 game system -- and then going after identifying details on anyone who ever viewed the instructions.

A purported Anonymous news site, AnonNews.org, posted a statement on April 22 titled "For Once We Didn't Do It." But the poster did acknowledge that since Anonymous is a decentralized group, "it could be the case that other Anons have acted by themselves" -- though the group "does not take responsibility as a whole for whatever has happened."
