Sony clearly can not seem to catch a break. Today two hacking groups are claiming to have accessed the companies networks specifically, a database at Sony Ericsson’s Eshop (for mobile phones in Canada) and a separate database at Sony BMG Japan.
The attack on the Sony Ericsson’s Eshop has allegedly been performed by a Lebanese hacker group named Idahca. Idahca told “the Hacker News” site that they extracted the entire Eshop database, taking with them the names, usernames, and passwords of thousands of users. The group is also claiming to have leaked some of the contents of the database on their Facebook and Twitter accounts.
The other attack on Sony BMG Japan was performed by a separate group, Lulz Sec. Lulz Sec extracted one of the Sony BMG Japan databases and posted the information at Pastebin.com, leaving out the usernames, passwords, and other personal information from the post.
Lulz Sec apparently used an SQL injection flaw in Sony’s website to gain access to the database. The group is claiming at least two other pages on the Sony Music’s Japanese website have the same flaw. Chester Wisniewski , a senior adviser at security firm Sophos indicates this issue could be more complex than just stolen databases. Wisniewski discussed on his blog that it is unknown whether or not this flaw could be used to inject information back into the Sony databases, thus compromising anyone who accessed those pages.
What’s worse about this entire situation is that the SQL injection vulnerability exists on other Sony sites. If this is true, it’s likely that other hacker groups are attempting to access those databases. Based on a post made by Lulz Sec on Hacker News, it seems the recent hacking attempts are aimed at embarrassing Sony.
“This isn’t a 1337 h4x0r (elite hacker in Leetspeak),” Lulz Sec noted in a message posted on Hacker News. “We just want to embarrass Sony some more. Can this be hack number 8? 7 and a half,”
If the aim is embarrassment then it would make sense for other groups to attempt to access as many Sony databases as possible to further draw out the issues surrounding Sony since the PSN breach in late April.
It seems that Sony’s security issues are systematic across all of their services and websites. It is obvious that there is a major failure in Sony’s corporate culture in regards to their disregard for information security. Their aim right now should be to find and repair all of their vulnerabilities as quickly as possible.
It’s becoming very clear that Sony has a giant target on their back. The global hacking community is taking advantage of any and every opportunity to extend downtime of Sony services and to spread news coverage of their security issues. All of this really begs the question: how safe is any of our information in Sony’s hands? The fallout of all these security issues in terms of online purchases through any of Sony’s services will be interesting to track, once all of their services are back online.