Update: Sony Ericsson online store, Sony BMG Japan hacked
Attacks mount as hacker group says it looks to embarrass Sony
Computerworld - Sony Ericsson Canada today confirmed that it was hit by a security breach that allowed about 2,000 customer records, including first name, last name, email addresses and the hash of encrypted passwords to be illegally accessed.
No additional personal or credit card information was compromised, the company said in a statement to the IDG News Service this afternoon.
Earlier today, The Hacker News (THN) had reported that it received a tip from a Lebanese hacker who had breached the site and accessed email addresses, passwords and names of thousands of users of Ericsson's Eshop online store in Canada. The information was then posted on Pastebin.com.
The Ericsson breach is one of two reported today. According to THN, another group called LulzSec accessed a database used by Sony BMG Japan and posted its contents -- minus usernames and other personal information -- on Pastebin.com
Lulz Sec also claimed to the Hacker News site that it has discovered more vulnerable Sony BMG databases. The news site posted links to two pages on Sony Music's Japanese Web site that it said contain the SQL injection vulnerabilities used to break into the Sony database.
Sony did not respond to requests for comment on the reported hacks.
Chester Wisniewski, senior advisor at security firm Sophos, said it isn't clear whether the hackers could inject data into the vulnerable Sony BMG Japan database or simply access its contents. "If they are able to alter the records, this could be used to insert malicious code that could be used to compromise people browsing the [Sony BMG Japan] site," Wisniewski wrote in a blog post today.
The latest attacks were said by the Hacker News to be enabled by SQL injection flaws on Sony websites.
THN editor Mohit Kumar told Computerworld in an email that the Sony Pictures' site in Japan may have also fallen victim to a hacker attack, while another of the company's sites in Europe contains the same flaw that allowed hackers to break into the other Sony sites. That site has not been reported as being hacked, but hacker groups are actively discussing breaking into it, he claimed.
The recent breaches appear to be attempts to humiliate Sony.
"This isn't a 1337 h4x0r (elite hacker in Leetspeak)," Lulz Sec noted in a message posted on Hacker News. "We just want to embarrass Sony some more. Can this be hack number 8? 7 and a half," the message noted in apparent reference to the series of recent intrusions at Sony.
Sony sites have been hacked several times in several weeks, which analysts say shows that the company's online networks are very porous.
- Hackers steal user data from the European Central Bank website, demand money
- Arrests made after international cyber-ring targets StubHub
- SQL injection flaw opens door for Wall Street Journal database hack
- Goodwill Industries probes possible payment card breach
- Aloha point-of-sale terminal, sold on eBay, yields security surprises
- The biggest data breaches of 2014 (so far)
- Blue Shield discloses 18,000 doctors' Social Security numbers
- PF Chang's says breach was 'highly sophisticated criminal operation'
- Breaches exposed 1 in 7 US debit cards in 2013
- New malware program targets banking data
- Fight Malware, Malfeasance and Malingering Every year brings more extreme sets of threats than the last. The good news is that there are a range of mitigation options....
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Malware and Vulnerabilities White Papers | Webcasts