Sony Admits Canadian Site Hacked, Thousands of Records Stolen


Down, down, to offline town: Sony says it’s shuttered online services in Canada, Indonesia, and Thailand this morning after detecting a ne’er-do-well on the (virtual) premises. This, after a 26-day PlayStation Network outage, followed by a veritable spree of copycat hacks.

Poor Sony, the world’s biggest cyber-pincushion. Every time I spy a “hacked again” headline, I think “must be recycled news, they weren’t really.” But yep, they were, and they’re even the ones out in front confirming it.

The bad news this time has to do with a self-styled “Lebanese grey hat hacker” who was apparently able to pry open the Canadian version of Sony Ericsson’s official online eShop and make off with some 2,000 customer records, including names, email addresses, and hashed passwords. The hacker’s already posted nearly 1,000 of the records online.

What’s a “grey hat hacker”? Glad you asked, because I wasn’t sure either. According to Wikipedia, it refers to someone who’s hacking—sometimes illegally—“in good will,” the idea being to reveal deficiencies in a system (and force improvement). Never mind the shady bits where this particular hacker gets any good intentions all twisted around by posting sensitive personal information online instead of simply sending a discreet courtesy warning about the exploit to Sony. 15 minutes of fame > responsible divulgence, I guess.

How’d the hacker pull it off? By exploiting something called a “SQL injection flaw,” reports PC World. Let’s translate: it’s a web application vulnerability in which text typed by a user (a login name, a search box) gets pasted straight into a database query, so a specially crafted input can “trick” the application into running database commands it was never meant to run, such as handing back the whole customer table. Sophos says the attacks resemble recent ones employed against Sony BMG sites in Greece and Japan. Sony’s been under fire since it targeted hacker George Hotz for “jailbreaking” the PlayStation 3 and posting its root key on his personal site earlier this year.
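The flaw described above, as an added illustration that is not from the article and has nothing to do with Sony’s actual code: a customer lookup that splices user input into its SQL, next to the parameterized version that shuts the hole. The table, the rows and the input string are constructed sample data; the point is that with a bound parameter the same input is treated purely as a value and matches nothing.

```python
import sqlite3

# Constructed sample rows standing in for an online shop's customer table.
CUSTOMERS = [
    ("alice", "alice@example.com", "<constructed-hash-1>"),
    ("bob", "bob@example.com", "<constructed-hash-2>"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the input becomes part of the SQL text itself.

    A quote character in the input ends the string literal early, so the
    rest of the input is parsed as SQL and changes what the query does.
    """
    sql = "SELECT email FROM customers WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Fixed: the query shape is fixed and the driver binds the input as data.

    Whatever the input contains, it can only ever be compared against the
    username column; it can never alter the statement's structure.
    """
    sql = "SELECT email FROM customers WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    """Run both lookups on one constructed input that no real user has."""
    conn = make_db()
    crafted = "nobody' OR '1'='1"  # constructed input; not a username in the table
    return {
        "vulnerable": lookup_vulnerable(conn, crafted),  # every row leaks out
        "safe": lookup_safe(conn, crafted),              # nothing matches
    }
```

The fix is the same in any language and database driver: never build query text from user input; pass the input as a bound parameter (a prepared statement) so the database engine sees it only as a value.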

And it may get worse. Bloomberg cites a Sony rep as stating the hacked site in Thailand may have been tweaked to commit email fraud, and security tracker Sophos reports the hacker claims he accessed other databases that included credit card numbers and admin login credentials.

One analyst told Bloomberg the situation was “getting very serious,” and that what began as game-related recrimination by hacktivists has morphed into an all-out attack on Sony’s international businesses, adding that “it may take significantly longer than expected for Sony to get over this.”

This whole “revenge hacktivism” phenom’s getting mighty pricey for Sony. Analysts originally estimated the attack would cost the company no more than $50 million. That number then shot up (in an official capacity) to over $170 million. Maybe that’s still putting it politely: as Sophos notes, Sony’s market cap is currently down over $2 billion on the New York Stock Exchange.