
Sony Data Breach Timeline


In an effort to keep things straight in my head, it made sense to create a timeline of the Sony data breaches (and near data breaches) which were reported either by Sony or by the individuals themselves. This chronology covers primarily the attacks which resulted in data loss, pieced together from different news sources, and not the other events in the timeline, such as PSN coming back online. If you find something that’s in need of being updated, please send me an email through this blog.

Hopefully Sony will get their security straightened out in time before the next attack occurs.

No. | Date (2011) | Sony Business Unit | Credit (or suspect) | Details
1 | April 17th | Sony PlayStation Network/Qriocity | Anonymous
2 | May 2nd | Sony Online Entertainment
3 | May 5th | Sony Electronics, Inc. | Sony
  • The Hacker News coverage of this data breach, which doesn’t look like a hack attack, explains how this is negligence. A Google search for “site:products.sel.sony.com filetype:xls” resulted in access to an Excel spreadsheet containing 2,500 pieces of user data. As THN puts it, “Huh, is this called Hacking ????” Well said. It’s called searching.
  • Naked Security Blog Posting
4 | May 17th | Sony PlayStation Network/Qriocity
  • The Hacker News coverage of this attack explains that it’s not a true hack, simply reuse of already exposed user data.
5 | May 20th | Sony Thailand
  • No public claim has been found for this attack.
  • In this attack a phishing website was set up targeting an Italian credit card company on the Sony Thailand web server. I couldn’t find any definitive quantity of lost user data, but it’s safe to say there’s a high probability of a breach. Magnitude unknown, nonetheless, a breach.
  • Source: Digital Trends posting
6 | May 21st | So-net Entertainment
  • No public claim has been found for this attack.
  • Computer World reported that So-net, an ISP subsidiary of Sony, had a breach in which the intruder redeemed about $1,200 in virtual tokens from 130 accounts. In addition, 73 accounts were breached, but not redeemed, and 90 e-mail accounts were compromised.
7 | May 21st | Sony Music Indonesia (defaced) | k4L0ng666
  • While no actual data was taken during this defacement, it is included in the timeline.
  • The Hacker News report on this defacement.
8 | May 22nd | Sony BMG Greece | b4d_vipera
9 | May 23rd | Sony Music Japan | Lulz Security (LulzSec)
10 | May 24th | Sony Ericsson (Canada) | idahc_hacker
11 | June 2nd | Sony Pictures | Lulz Security (LulzSec)
  • Lulz Security made it very clear they were behind this data breach. They broadcast their activities under operation “Sownage”, which is a pun on ‘Sony’ + ‘ownage’. The most disturbing aspect of this is that Sony didn’t use any obfuscation/hashing/encryption on the passwords.
  • “Over 1,000,000 users’ passwords, email addresses, home addresses, dates of birth, as well as administrator login passwords acquired by hackers”
    (source DATALOSSdb ID: 3790)
  • This incident 3790 also includes data from Sony BMG Belgium and Sony BMG Netherlands.
  • Naked Security blog posting
12 | June 3rd | Sony Europe | idahc_hacker
  • Idahc was at it again using another simple SQL Injection method to gain unauthorized access to 120 usernames, passwords (plain text), mobile phone numbers, work emails and website addresses.
  • Naked Security blog posting
13 | June 5th | Sony Pictures Russia
  • An undisclosed group or individual used another simple SQL Injection method to gain unauthorized access. Extent of the data breach is still undetermined. This could have possibly been an upstart hacking club testing the waters and their salt.
  • Data loss included the database structure of the cosmocard_1 catalog.
  • Naked Security blog posting
14 | June 6th | Sony CED Network | Lulz Security (LulzSec)
  • In a couple of tweets LulzSec released Sony Computer Entertainment Development Network source code into the wild. SQL Injection method to gain unauthorized access to 120 usernames, passwords (plain text), mobile phone numbers, work emails and website addresses.
  • Via mediafire.com they shared the source code in a 58MB download in the form of a torrent.
  • The Hacker News coverage
15 | June 6th | Sony BMG Music NA | Lulz Security (LulzSec)
  • In the same torrent made available on mediafire.com, Lulz Security made publicly available Sony BMG internal network diagrams.
  • The network diagrams included a great deal of detail about the Sony BMG Music network. Unfortunately for the author, Shawn Gyorfy, it included his name. I like to take pride in my work as well, but not when it’s labelled ‘INTERNAL USE ONLY’ for the world to read. In addition to the diagrams, there were PDFs which included hub sites, router IDs, Circuit IDs, IP addresses, site contact names and phone numbers, VLAN information, networking product make, model, hostname and management IP address.
  • The Hacker News coverage
16 | June 8th | Sony BMG Music Portugal | idahc_hacker
  • Idahc the Lebanese hacker declared in a pastebin post that he or she is not a black hat hacker, but a gray hat. Idahc backed this statement up by only dumping Sony customers’ email addresses and not the entire database.
  • The attack was conducted by exploiting 3 flaws in the Sony web site, which were 1) SQL injection, 2) XSS and 3) iFrame injection.
  • Naked Security blog post
17 | June 8th | The Sony Marketing Co.
  • This is from the Sony Japan web site:
  • The Sony marketing company, to dawn on June 8, “spoofing” occurs for unauthorized access attempts by a third party e-mail address and password, and Sonisutoa earn by shopping for Sony products in Sony ” “point, and we found that there is a possibility that the exchange coupon and shopping available in Sonisutoa.
    We have so minimize the damage done to the following measures.
    The evidence of leakage of personal information including email address and password from us is not confirmed.
    The situation, apologize for the inconvenience and worries that your customers and everyone in between.
  • Number of potential email addresses used to exchange illegal exchange status by fraud masquerading Sony Points ■: Number of points that were considered illegal to exchange coupons shopping 278,000 95 points (about 280,000 yen worth)
18 | June 19th | Sony Pictures France | idahc_hacker
  • Idahc the Lebanese hacker did a duet with his French friend Auth3ntiq on Sony Pictures France. In a pastebin post they declared again that they are not black hat hackers. Possibly in a rush, but this time they didn’t state that they are gray hat hackers.
  • Using another SQLi, the data breach included the /etc/passwd file dump and a snippet of “emails found : 177172”.