V is for Vindication part… SONY

June 3rd, 2011

As we have been saying for years, it is impossible to secure any database, and putting the entire population of a country on a database is completely insane. The only thing that is more insane than that is to create a database of all the children in a country, and then to make that database available to over 1,000,000 agents of the state.

We also told you that the information contained in the databases proposed by the State, if compromised, could fit into a device smaller than your hand.

Now you see that once again, we were right about everything.

Some people got into a SONY database, and using a well known exploit, managed to copy the sensitive private details of ONE MILLION PEOPLE. They then posted that information for anyone to download on The Pirate Bay.

. /$$                 /$$            /$$$$$$                     
.| $$                | $$           /$$__  $$                    
.| $$       /$$   /$$| $$ /$$$$$$$$| $$  \__/  /$$$$$$   /$$$$$$$
.| $$      | $$  | $$| $$|____ /$$/|  $$$$$$  /$$__  $$ /$$_____/
.| $$      | $$  | $$| $$   /$$$$/  \____  $$| $$$$$$$$| $$      
.| $$      | $$  | $$| $$  /$$__/   /$$  \ $$| $$_____/| $$      
.| $$$$$$$$|  $$$$$$/| $$ /$$$$$$$$|  $$$$$$/|  $$$$$$$|  $$$$$$.$
.|________/ \______/ |__/|________/ \______/  \_______/ \_______/ 
                          //Laughing at your security since 2011!

.--    .-""-.
.   ) (     )
.  (   )   (
.     /     )
.    (_    _)                     0_,-.__
.      (_  )_                     |_.-._/
.       (    )                    |lulz..\    
.        (__)                     |__--_/           
.     |''   ``\                   |
.     | [Lulz] \                  |      /b/
.     |         \  ,,,---===?A`\  |  ,==y'
.   ___,,,,,---==""\        |M] \ | ;|\ |>
.           _   _   \   ___,|H,,---==""""bno,
.    o  O  (_) (_)   \ /          _     AWAW/
.                     /         _(+)_  dMM/
.      \@_,,,,,,---=="   \      \\|//  MW/
.--''''"                         ===  d/
.                                    //   SET SAIL FOR FAIL!
.                                    ,'_________________________
.   \    \    \     \               ,/~~~~~~~~~~~~~~~~~~~~~~~~~~~
.                         _____    ,'  ~~~   .-""-.~~~~~~  .-""-.
.      .-""-.           ///==---   /`-._ ..-'      -.__..-'
.            `-.__..-' =====\\\\\\ V/  .---\.
.                     ~~~~~~~~~~~~, _',--/_.\  .-""-.
.                            .-""-.___` --  \|         -.__..-


Greetings folks. We're LulzSec, and welcome to Sownage. Enclosed you will
find various collections of data stolen from internal Sony networks and websites,
all of which we accessed easily and without the need for outside support or money.

We recently broke into SonyPictures.com and compromised over 1,000,000 users' 
personal information, including passwords, email addresses, home addresses, 
dates of birth, and all Sony opt-in data associated with their accounts. 
Among other things, we also compromised all admin details of Sony Pictures 
(including passwords) along with 75,000 "music codes" and 3.5 million "music coupons".

Due to a lack of resource on our part (The Lulz Boat needs additional funding!) 
we were unable to fully copy all of this information, however we have samples 
for you in our files to prove its authenticity. In theory we could have taken
every last bit of information, but it would have taken several more weeks.

Our goal here is not to come across as master hackers, hence what we're about 
to reveal: SonyPictures.com was owned by a very simple SQL injection, one of 
the most primitive and common vulnerabilities, as we should all know by now. 
From a single injection, we accessed EVERYTHING. Why do you put such faith in 
a company that allows itself to become open to these simple attacks?

What's worse is that every bit of data we took wasn't encrypted. Sony stored
over 1,000,000 passwords of its customers in plaintext, which means it's just
a matter of taking it. This is disgraceful and insecure: they were asking for it.

This is an embarrassment to Sony; the SQLi link is provided in our file contents, 
and we invite anyone with the balls to check for themselves that what we say
is true. You may even want to plunder those 3.5 million coupons while you can.

Included in our collection are databases from Sony BMG Belgium & Netherlands.
These also contain varied assortments of Sony user and staffer information.


This means that:

  • the dates of birth
  • addresses
  • emails addresses
  • full names
  • passwords
  • user IDs
  • phone numbers

of SONY’s users are now out in the open FOREVER.

The Coalition is trying to shift the burden of securing the massive databases they are eager to construct on to the credit card vendors, but this will not work to make anything secure, as we have told you before.

You do not need to collect this sort of data to run a government. Governments ran quite efficiently without needing computer databases, and in fact, the very earliest instances where one was used, it was used for a bad purpose.

ID Cards are a bad thing. There is nothing good about them, they are not needed to run anything, they enslave the people who are forced to use them and all plans to implement them should be abandoned permanently.

Databases of people’s private details are always a risky proposition. If you do not need to hold a person’s personal data to do your business, you should delete that data, or give the customer the power to delete her data from your system. When you do store that data, you should expect that it will be copied, and plan from the beginning to hold as little as is necessary, and when you do hold something, make sure that it is stored using best practice methods.

What this breach demonstrates is that databases are very dangerous things. Every time something like this happens, the propositon of creating databases of people becomes less attractive… and that is a very good thing.

Leave a Reply

You must be logged in to post a comment.