Sony Hackers Brag It Was Easy to Compromise Info From 1 Million Consumers
"LulzSec" group claims it stole info on 1 million consumers.
June 4, 2011 — -- Whoever the hackers at LulzSec are, they talk big. They claim to have gotten into the files of Sony Pictures Entertainment and stolen information on more than 1 million consumers. They claim they defaced the website of the PBS NewsHour as a protest against a "Frontline" documentary on WikiLeaks. And they say they're not done yet.
"We accessed EVERYTHING," said the group on a website it advertised on Twitter. It claimed it compromised "passwords, email addresses, home addresses, dates of birth and all Sony opt-in data associated with their accounts. Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 'music codes' and 3.5 million 'music coupons.'"
"Why do you put such faith in a company that allows itself to become open to these simple attacks?" said the message on the site. The website was registered only on Wednesday with an address in the Bahamas, according to an ABC News search of Internet registries. Security consultants said LulzSec's claims seemed genuine, and phone numbers posted on the site turned out to be authentic.
Sony issued a statement on Friday evening: "We have confirmed that a breach has occurred and have taken action to protect against further intrusion," it said. "We also retained a respected team of experts to conduct the forensic analysis of the attack, which is ongoing."
On one level, the attack had the look of a teenage prank; the putative hackers' "pretentious press statement" included the slogan: "LulzSec: Laughing at your security since 2011!" Security consultants said the attack probably wasn't really aimed at those million Sony customers.
"If they're stealing passwords to do something bad, they're not going to announce it," said Kevin Haley, director of security response at Symantec, the computer-security firm. "But it's definitely a good idea to change your passwords."
For Sony, though -- and other companies hit by so-called "hactivists" -- the consequences could be much more serious. "Sony desperately needs to get their security act together," said Rob Enderle, an information-technology consultant, in an email to ABC News. "This could (with connected litigation and government response) effectively put them out of business."
The company is still trying to recover from an attack in April on its PlayStation video game network -- which had 77 million online accounts worldwide. Sony was forced to shut the network down and rebuild it, a process that took weeks. Customers' user names, passwords and email addresses were apparently inadequately protected, though the company said there was not an increase in fraudulent use of their credit card numbers used to pay for the online service.
The damage to the company was tremendous. Not only did it have to spend some $170 million on technical fixes and insurance against identity theft, it was sharply questioned by members of Congress about how slow it had been to reveal the magnitude of the breach. It also lost credibility with customers, and has started an expensive "Welcome Back" campaign to win back their loyalty. It is letting them download games for free and use premium services.
Google, Lockheed Martin and Others Hacked
It has been a rough couple of months for people worried about online security. On Wednesday, Google said its Gmail email service had been breached in an attack from China. The hackers, said Google, made a "phishing" attack -- in which users are tricked into revealing their passwords or into clicking on a link that can infect their computer with a virus -- and the victims appeared to have been chosen carefully. The company said on its blog that they included "senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists."