Technology

The business and culture of our digital lives,
from the L.A. Times

Sony Pictures says LulzSec hacked 37,500 user accounts, not 1 million

LulzBoatStatement

Sony Pictures Entertainment is denying that LulzSec, a group of hackers that has been targeting the Japanese company, hacked into 1 million user accounts on Sony Pictures servers.

LulzSec broke into the accounts of about 37,500 people "who may have had some personally identifiable information stolen during the recent attack on sonypictures.com," Sony Pictures said in a statement.

"The stolen information did not include any credit card information, Social Security numbers or driver license numbers from these people," as LulzSec, also known as Lulz Security, had claimed, the statement said.

On June 2, the group bragged about hacking into Sony Pictures' website, saying in a statement on its own website: "we recently broke into SonyPictures.com and compromised over 1,000,000 users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts. Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 'music codes' and 3.5 million 'music coupons.' "

LulzSec said it could have take more data from Sony Pictures but didn't because of a lack of resources.

"The Lulz Boat needs additional funding," the group said, making reference to one of its self-given nicknames. "We were unable to fully copy all of this information, however we have samples for you in our files to prove its authenticity. In theory we could have taken every last bit of information, but it would have taken several more weeks."

June 2 was also the date Sony says it learned of the LulzSec attack on its film studio's website.

"Upon learning of this cyberattack, our team retained outside experts to conduct an investigation and forensic analysis," Sony said. "In addition, we promptly took offline all potentially affected databases containing personally identifiable information and contacted the U.S. Federal Bureau of Investigation. We are working with the FBI to assist in the identification of those responsible for this crime."

The FBI has declined to comment on LulzSec or any investigations into the multiple hacking attack on Sony in recent months.

Over the last few weeks, LulzSec has mocked the FBI and Sony for both online security weaknesses and also for being unable to stop its web attacks.

"Our goal here is not to come across as master hackers, hence what we're about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now," LulzSec said. "From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?

"What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it. This is disgraceful and insecure: they were asking for it."

RELATED:

Sony suspends music website for Brazil after possible hacker breach

LulzSec claims it hit Nintendo in warm-up to FBI-related hacking

Sony Pictures confirms LulzSec hacker attack on Sony Pictures

-- Nathan Olivarez-Giles

twitter.com/nateog

Image: A screenshot of LulzSec's statement on its hacking of Sony Pictures' website. Credit: LulzSec

 
Comments  ()

Connect

Recommended on Facebook


Advertisement

In Case You Missed It...

Videos

How to Reach Us

To pass on technology-related story tips, ideas and press releases, contact our reporters listed below.

To reach us by phone, call (213) 237-7163

Email: business@latimes.com

Andrea Chang
Armand Emamdjomeh
Jessica Guynn
Jon Healey
W.J. Hennigan
Tiffany Hsu
Deborah Netburn
Nathan Olivarez-Giles
Alex Pham
David Sarno


Categories


Archives