Just after restarting its PlayStation Store and announcing its new Vita handheld, Sony has posted a statement on its website confirming that the breach of its pictures and entertainment website claimed by the hacker group LulzSec was authentic.
LulzSec's attack was reported as happening late last week. It garnered widespread attention after the hacking collective posted the personal information of sonypictures.com users on its website.
The group claimed responsibility through subsequent posts on its Twitter page and website.
"1,000,000+ unencrypted users, unencrypted admin accounts, government and military passwords saved in plaintext. #PSN compromised. @Sony" read a post on the group's Twitter page.
The group went on to explain its motivation in a statement released on its website, entitled "Sownage":
"Our goal here is not to come across as master hackers, hence what we're about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now.
"From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?"
The post continued, "What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it. This is disgraceful and insecure: they were asking for it."
Sony's recent response
Sony only today released an official statement clarifying the authenticity of LulzSec's claims.
The statement, entitled "Sonypictures.com data security incident", clarified that the website had indeed been hacked:
"On June 2, 2011, we learned we were the target of a cyberattack when a hacker claimed that he had recently broken into sonypictures.com. Upon learning of this cyberattack, our team retained outside experts to conduct an investigation and forensic analysis."
The statement continued, "We are continuing to investigate the details of this cyberattack; however, we believe that one or more unauthorized persons may have obtained some or all of the following information that you may have provided to us in connection with certain promotions or sweepstakes: name, address, email address, telephone number, gender, date of birth, and website password and user name."
In contrast to LulzSec's claim of taking 1,000,000 users' details, Sony declared in its statement that only 37,500 of the website's users "may have had some personally identifiable information stolen during the recent attack on sonypictures.com".
Sony also issued an apology to consumers: "We greatly appreciate your patience, understanding and goodwill as we work to resolve these issues quickly and efficiently".
The company also promised that no credit or debit card information was lost in the hack.
Since its first hack, LulzSec has claimed responsibility for yet more successful attacks. Sony has yet to confirm or deny these subsequent claims.