[Jump to update on 6/4/2011, sensitive accounts compromised] Today, Lulz Security (LulzSec) successfully hacked Sony Pictures’ databases using a simple SQL injection by exploiting a basic security gap. Last month LulzSec hacked Sony Music Japan using a SQL injection, soon after another group used the same method to attack Sony BMG Greece! The big deal with today’s hacking of Sony Pictures’ database is that at least 1 million of the 4.5 million records that were discovered in the database hacks contain sensitive user information – we’re talking passwords, e-mail addresses, street addresses and usernames. All this information is currently available to the world right now, and as long as the site stays up it’s on the LulzSec website. Too bad for you if your credentials are in those 4.5 million records – but don’t sit on your hands and wait around for something worse to happen (change your passwords because no one else will help you!).
Sony (and other corporations’) Blatant Negligence.
Sony and any other large corporation that has lax database security deserve to be outed, if for anything else then for making their clients agree to unwieldy, indemnification-assuring, multi-page “Terms and Conditions” documents while blatantly disregarding the protection of their clients’ data. This is really about trust – you give a company information because they agree to serve you in some way and nowhere along the way does the average internet user expect to incur personal risk. If a mega corporation like Sony isn’t following even the most basic security “best practices” (they’ve been hit by major and costly attacks at least five times in the past month) then what are the smaller corporations doing to reduce risk?
Why aren’t service providers blocking exposed accounts?!
Looking through the .txt files that LulzSec released one can find username and password combinations used to access Sony Pictures’ accounts; however, most people use the same username/email/password combination for other accounts i.e. Email, Banking, Shopping, etc. What are those service providers doing for their clients/users who have had their credentials exposed to the world? It seems that a few of them have taken steps to block compromised accounts – especially the major e-mail companies like Gmail and Yahoo. But, even in the e-mail category, which is the practical first option for anyone trying to exploit the newly released credentials, there are service providers that haven’t done a thing to protect their users – a major website that hasn’t taken proactive action is Comcast.net. Just think about the damage someone can do to your life by reading through your e-mails…maybe now people will think twice about sharing sensitive information through e-mail in the future.
Beyond the e-mail providers, now is primetime for other website services to protect their clients accounts if their credentials were compromised in the recent Sony Pictures hack. This means that all website owners need to download the files published by the LulzSec (the hackers) and query their databases to put a block on matching e-mail addresses.
What’s Next? It ain’t good news for everyone, but it can be for you.
It will only take a few more of these major database hacks/revelations for a huge impact to be felt on the people that own compromised accounts – and the bulk of this pain will be on American consumers. The reason that things get nastier is that it only takes one instance of unapproved e-mail account entry to expose several more credentials – in many cases these credentials may not even belong to the “hacked” party. What if the hacked party is a web developer that has been storing client credentials in their own e-mail account or even worse, if they’re a web hosting provider that has just facilitated the tampering of hundreds of their hosting client accounts?
Just remember, when you’re using the internet you are at risk of having your credentials (and other personal information) exposed without your knowledge. Don’t assume that high profile, multi-billion dollar websites like Facebook and Gmail are 100% safe and consider that the internet isn’t the safest place for your most sensitive data. Use a different password for each website you visit frequently – ensuring that you’re life isn’t compromised by having one password exposed. Additionally, think about the level of detail you’re sharing online and realize that your information can be made intercepted by non-intended parties – even if the intended recipient initially receives the information, don’t forget that the information is being stored on someone else’s servers.
UPDATE 6/4/2011 – Sensitive accounts that have been compromised
Here is a brief summary of the impact of only this most recent Sony Pictures hack, and this is only based on the database dumps that have been published by the hackers:
- 51 records for US .gov e-mail addresses and passwords
- 458 records for US .edu e-mail addresses and passwords
- 18 US .mil e-mail addresses and passwords
- Many web services still have not blocked access to their compromised users’ accounts, including: Hotmail.com, Comcast.net, Iwon.com
When does it become a responsibility, or at least a part of corporate social responsibility for web service providers to block access to compromised accounts? It’s not their duty by law, but it would be a wise and ethical move.
Interesting!!