Sony Pictures says LulzSec hacked 37,500 user accounts, not 1 million
Sony Pictures Entertainment is denying that LulzSec, a group of hackers that has been targeting the Japanese company, hacked into 1 million user accounts on Sony Pictures servers.
LulzSec broke into the accounts of about 37,500 people "who may have had some personally identifiable information stolen during the recent attack on sonypictures.com," Sony Pictures said in a statement.
"The stolen information did not include any credit card information, Social Security numbers or driver license numbers from these people," as LulzSec, also known as Lulz Security, had claimed, the statement said.
On June 2, the group bragged about hacking into Sony Pictures' website, saying in a statement on its own website: "we recently broke into SonyPictures.com and compromised over 1,000,000 users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts. Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 'music codes' and 3.5 million 'music coupons.' "
LulzSec said it could have taken more data from Sony Pictures but didn't because of a lack of resources.
"The Lulz Boat needs additional funding," the group said, making reference to one of its self-given nicknames. "We were unable to fully copy all of this information, however we have samples for you in our files to prove its authenticity. In theory we could have taken every last bit of information, but it would have taken several more weeks."
June 2 was also the date Sony says it learned of the LulzSec attack on its film studio's website.
"Upon learning of this cyberattack, our team retained outside experts to conduct an investigation and forensic analysis," Sony said. "In addition, we promptly took offline all potentially affected databases containing personally identifiable information and contacted the U.S. Federal Bureau of Investigation. We are working with the FBI to assist in the identification of those responsible for this crime."
The FBI has declined to comment on LulzSec or any investigations into the multiple hacking attacks on Sony in recent months.
"Our goal here is not to come across as master hackers, hence what we're about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now," LulzSec said. "From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?
"What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it. This is disgraceful and insecure: they were asking for it."
-- Nathan Olivarez-Giles
Image: A screenshot of LulzSec's statement on its hacking of Sony Pictures' website. Credit: LulzSec