Sony (www.sony.com) completed restoration of its PlayStation Network Thursday, but now hackers have stolen personal information from one million users of its entertainment distribution arm Sony Pictures (www.sonypictures.com). The group of hackers who compromised passwords and posted a fake news story to the PBS Frontline website on Sunday has taken responsibility for the Sony hack, claiming in a press release that a single SQL injection was all it took to access the data.
LulzSec says it accessed the passwords, email addresses, home addresses and dates of birth of one million users. The group says it also stole all admin details of Sony Pictures, including passwords. 75,000 music codes and 3.5 million music coupons were also accessed, according to the press release.
Sony tried to pin the earlier PlayStation Network attack on hacker group Anonymous. The group has denied this allegation, though it bombarded Sony servers with DDoS attacks in support of hacker George Hotz prior to the major outage.
LulzSec says a lack of resources meant it was unable to fully copy all of this information.
“In theory we could have taken every last bit of information, but it would have taken several more weeks,” according to the statement.
LulzSec says Sony was “asking for it” since all of the data it took wasn’t encrypted. LulzSec even invites others to use the SQLi link provided in its file contents to try it themselves.
Sony has been heavily criticized for its lax security recently, with some speculation that it was running outdated software on its PlayStation Network servers before the attack.
Recent estimates by Sony have totalled the losses from the month-long outage of its PlayStation Network upwards of $171 million.
This estimate does not include potential liabilities resulting from lawsuits. In May, a proposed class action lawsuit was filed against Sony on behalf of one million Canadian PlayStation users.
Though the effects have been embarrassing and financially devastating for Sony, a smaller company could face even more strain from a cyberattack. Recently, the WHIR talked to David Snead, a lawyer whose clients are internet infrastructure providers, about how Web hosts can prepare for cyberattacks and the proposed cybersecurity legislation in congress.