May 24, 2011 at 8:09 AM ET
On Monday we heard that the official website for Sony BMG Greece was hacked and its databases — which include some user data — were dumped onto the Internet. Today we're hearing that Sony Music Japan suffered the same fate — and that the hackers are rubbing it in Sony's face.
Sophos reports that the attack used on Sony Music Japan was quite similar to the one used on Sony BMG Greece. Hackers were once again able to take advantage of a security vulnerability in an SQL database to access information:
The database information that was published does not contain names, passwords or other personally identifiable information. The attackers noted that there are two other databases on the site that are vulnerable and it remains unclear whether they contain sensitive information.
It isn't clear whether the hackers are able to inject data into the database, or simply access the tables and records it contains. If they are able to alter the records, this could be used to insert malicious code that could be used to compromise people browsing the site.
As with the prior attack, Hacker News seems to have been the first to catch wind of the security breach, but this time the news was also tweeted out by the individuals behind the hack.
We've mentioned before that this sort of attack doesn't require a particularly skillful attacker — much of the hard work can be done using an automated tool — and the hackers behind this security breach are enjoying calling attention to that fact:
The attackers stated in their message "This isn't a 1337 h4x0r, we just want to embarrass Sony some more."
The hackers — a group that goes by the name "LulzSec" — peppered taunts such as "stupid Sony, so very stupid" inside the data they made available online.
Unfortunately this will probably not be the last time we'll hear about a Sony security headache over the next little while.
As the drama builds — there was a massive security breach which forced the company to shut down the PlayStation Network, difficulties in restoring the game service, a security flaw in the PlayStation Network password reset feature, a phishing site hidden on Sony's servers, and ... the list goes on — it becomes increasingly amusing for hackers to kick the company while it's down.
That sad reality aside, we find ourselves plagued by one very big question, just like Chester Wisniewski, a senior security adviser at Sophos:
Is Sony taking security seriously or are there simply so many flaws from the past that exist in their public facing sites that it will take them a long time to patch them all?