Sunday, June 5, 2011

Hackers pilfer Sony data again

LONDON -- Another massive data breach at Sony has left hackers exulting, customers steaming and security experts questioning why basic fixes haven't been made to the company's stricken cybersecurity program.

Hackers say they managed to steal a massive trove of personal information from Sony Pictures' Web site using a basic technique that they claim shows how poorly the company guards its users' secrets. Security experts agreed Friday, saying that the company's security was bypassed by a well-known attack method by which rogue commands are used to extract sensitive data from poorly constructed Web sites.

"Any Web site worth its salt these days should be built to withstand such attacks," said Graham Cluley of Web security firm Sophos. Coming on the heels of a massive security breach that compromised more than 100 million user accounts associated with Sony's PlayStation and online entertainment networks, Cluley said the latest attack suggested that hackers were lining up to give the company a kicking.

"They are becoming the whipping boy of the computer underground," he said.

Culver City, Calif.-based Sony Pictures has so far declined to comment beyond saying that it is looking into the reported attack -- which saw many users' names, home addresses, phone numbers, e-mails and passwords posted on the Web.

It wasn't clear how many people were affected. The hackers, who call themselves Lulz Security -- a reference to Internetspeak for "laugh out loud"-- boasted of compromising more than 1 million users' personal information -- although it said that a lack of resources meant it could only leak a selection on the Web. Their claim could not be independently verified, but several people whose details were posted online confirmed their identities to the Associated Press.

Lulz Security ridiculed Sony for the ease with which it stole the data, saying that the company stored people's passwords in a simple text file.