Sony has suffered another attack from hackers resulting in the loss of more than 1m customer account details, the latest in a string of security breaches that have undermined confidence in the Japanese electronics and media group.
On Thursday, a group calling itself LulzSec said it had accessed the servers hosting Sony Pictures Entertainment and obtained the names, e-mail addresses, birth dates and passwords of more than 1m Sony users.
Sony did not return calls requesting comment. But LulzSec posted samples of the obtained data online, and security experts were taking the group’s claims seriously.
The group said SonyPictures.com was hacked through a simple process that took advantage of “one of the most primitive and common vulnerabilities”.
LulzSec said it used a technique called SQL injection, to penetrate the database. It said the passwords, including administrator account passwords, were not encrypted.
“We accessed everything,” the group said on a website where it announced the hack. “Why do you put such faith in a company that allows itself to become open to these simple attacks?”
The new attack comes as Sony has been finalising the restoration of its PlayStation Network and online entertainment services, which were taken down in April after it was revealed that the details of more than 100m users had been compromised by a different group of hackers who have yet to be identified.
The amorphous cyberactivist group Anonymous has disclaimed responsibility for the original PlayStation hack, one of the largest in history but insiders have said it could have been the work of former Anonymous members.
LulzSec has been identified by security researchers as a talented spin-off from Anonymous. The group came to notoriety at the weekend when it hacked into the website of PBS, the US public broadcaster, and posted a fake news story claiming deceased rapper Tupac Shakur was alive and living in New Zealand.
In an interview with reporters last month, Sir Howard Stringer, Sony chief executive, said the company was conducting a wholesale review of online vulnerabilities. A Sony executive who asked not to be named recently said he had become terrified about hackers after being briefed by the company’s security team.
LulzSec pointed out additional vulnerabilities in Sony’s online system in its post on the hack. “What’s worse is that every bit of data we took wasn’t encrypted. Sony stored over 1,000,000 passwords of its customers in plain text, which means it’s just a matter of taking it. This is disgraceful and insecure: they were asking for it.”