Sony just can not catch a break. After repeated network breach events over the last two months that have exposed the account details of millions of Sony customers, the hacker collective known as LulzSec claims to have done it yet again.
“We are looking into these claims," Jim Kennedy, executive vice president of Global Communications for Sony Pictures Entertainment, said in a statement.
The group claims to have hacked Sony Pictures, Sony Entertainment, Sony BMG and compromised sensitive data for over one million customers, as well as gaining access to admin passwords, music "codes" and "coupons".
"We recently broke into SonyPictures.com and compromised over 1,000,000 users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts. Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 "music codes" and 3.5 million "music coupons"," the group's informal press release states.
Earlier this week, LulzSec gained unauthorized access to the online networks belonging to Public Broadcasting System in protest of a Frontline documentary examining the whistleblower organization WikiLeaks and accused federal document leaker Bradley Manning.
The hacktivists posted a fake article on the NewsHour website announcing that deceased rapper Tupac Shakur was alive, as well as posting the user IDs and passwords for the PBS MySQL database and other login credentials supposedly belonging to PBS affiliates and staff.
LulzSec claims the most recent Sony hack was accomplished with a relatively unsophisticated SQL injection attack, one of the most common website interface vulnerabilities:
"Our goal here is not to come across as master hackers, hence what we're about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?" the press release explained.
The hackers claim that the data on the Sony servers was stored in an unencrypted format, making the task of compromising customer accounts that much more easily accomplished:
"What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it. This is disgraceful and insecure: they were asking for it."
In late April, Sony announced that the company's PlayStation network servers had been hacked, exposing the records of more than 70 million customers. During the course of the investigation, Sony discovered that the company's Online Entertainment network had also been compromised, exposing another 25 million customer records.
The breaches forced Sony to shut down both the PSN and Online Entertainment networks. Sony has since been the subject of a great deal of criticism regarding the company's delay in notifying authorities and customers of the exposure of account details.
LulzSec has denied orchestrating the April Sony breach, and also has denied any role in the attacks against the PlayStation Network.