Sony was hacked again Thursday, this time through Sony Pictures Entertainment and Sony BMG, resulting in the breach of about a million usernames and passwords.
This time, the group that took the information wasn’t sneaking off quietly with it. In fact, the hacking group, called LulzSec, is using every tool at its disposal to make a point.
“This is disgraceful and insecure: they were asking for it,” the group wrote in a release on its site.
Those kinds of comments raise an interesting question: Who should be to blame when these kinds of attacks happen?
A lot of the criticism Sony faced after its high-profile PlayStation Network and Qriocity hacks was over the way it handled communication in the wake of the attacks.
Subsequent attacks, however, have changed the main consumer concern. Now people are asking: Why is it so easy to get information from Sony, anyway?
LulzSec said that this attack wasn’t difficult to pull off. The group said it only took a single SQL injection, in which attacker-supplied input is inserted into a SQL query so that the database does things it wouldn’t otherwise be doing, to gain access to database information.
Sony simply should have provided better protection for its consumers. The information was stored in plain text and was clearly easy to obtain, with minimal effort, for anybody looking to access it.
Hemu Nigam, an online security expert, said that if a company is hit with an SQL injection, it probably isn’t following some basic security protocols.
The best thing for Sony to do, Nigam said, is to “go heads down” and focus on fixing the problems in their system.
“It’s like changing the locks on every window and door of your house,” he said.
That isn’t to say that the hackers shouldn’t be held accountable for their actions, even when they’re trying to prove a point. Even LulzSec isn’t saying that they’re good guys here, telling one reader that he is “sorely deluded if you think we’re white hat.”
But it’s hard to deny that LulzSec has exposed a serious consumer concern with these attacks and that Sony has some explaining to do.
Nigam said that Sony’s public statements about the strength of their security may be hurting them, as hackers consider such statements to be a direct challenge.
“I think Sony has great intentions but they have a lot of cleaning up to do,” he said. “And the hackers are not giving them that time.”
Looking at the list of passwords and usernames brings up another point worth mentioning.
Many of the passwords posted were, by and large, dictionary words or easy-to-guess phrases such as “123456.” While a strong password wouldn’t have helped in this kind of attack, users who make their passwords that easy to guess aren’t doing themselves any favors. Mixing up letters and numbers and shying away from real words will help shield you from hackers trying to guess your information.
And, as always, if you’ve been hacked, you should change your password with Sony immediately, as well as on any other accounts that use the same password.
Who do you think should take the blame for these attacks?