In very troubling news it appears that Sony has been hacked again. This time a group that calls themselves “Lulz Security” claims that not only was the database breached by using a simple SQL injection attack but also that the passwords were stored in plain text. If this is true, storing the passwords in plain text was nothing short of negligent. Lulz claims to have obtained email addresses, home addresses, dates of birth, and all Sony opt-in data associated with the accounts as well as all admin details of Sony Pictures, including passwords, 75,000 "music codes" and 3.5 million "music coupons". Lulz claims to have posted 50,000 records on the net and Engadget confirms downloading the file, but cautions that they do not know if the data is real. Unfortunately, unless they contact the victims there is no legal way to find out if it is real data.
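The two failures described above, a query vulnerable to SQL injection and passwords kept in plain text, are both avoidable with standard practice. The following is an added example, not code from Sony or from this post: a small user store that stores only a per-user random salt and a slow PBKDF2 hash, and looks users up with parameterized queries so that quote characters in input are treated as data. The table layout, iteration count and in-memory SQLite database are assumptions for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed work factor; tune upward as hardware gets faster.
ITERATIONS = 200_000
SALT_LEN = 16


def open_db() -> sqlite3.Connection:
    """Constructed in-memory store; a real site would use its own user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    return conn


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: the database never sees the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(conn: sqlite3.Connection, email: str, password: str) -> None:
    salt = os.urandom(SALT_LEN)  # fresh random salt per account
    # '?' placeholders: the driver binds values, so quotes in email cannot change the statement.
    conn.execute(
        "INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
        (email, salt, hash_password(password, salt)),
    )
    conn.commit()


def verify_login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        # Do the same amount of hashing for unknown accounts so timing does not reveal
        # whether the address exists (assumed threat model).
        hash_password(password, b"\x00" * SALT_LEN)
        return False
    salt, stored = row
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(hash_password(password, salt), stored)


def stored_value_is_not_password(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """What a leaked table row contains: a salt and a hash, never the password bytes."""
    salt, stored = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchone()
    return password.encode("utf-8") not in stored and password.encode("utf-8") not in salt


def stored_hashes_differ(conn: sqlite3.Connection, email_a: str, email_b: str) -> bool:
    """Two users with the same password still get different hashes because salts differ."""
    (hash_a,) = conn.execute("SELECT pw_hash FROM users WHERE email = ?", (email_a,)).fetchone()
    (hash_b,) = conn.execute("SELECT pw_hash FROM users WHERE email = ?", (email_b,)).fetchone()
    return hash_a != hash_b


if __name__ == "__main__":
    db = open_db()
    register(db, "o'brien@example.com", "correct horse battery")  # constructed sample account
    print("login ok:", verify_login(db, "o'brien@example.com", "correct horse battery"))
    print("wrong password rejected:", not verify_login(db, "o'brien@example.com", "guess"))
```

The email address with an apostrophe registers and logs in normally because the value is bound rather than spliced into SQL text; with string concatenation the same input would have broken the statement. If the table is ever dumped, the attacker holds salts and hashes that still have to be cracked one account at a time, rather than the reusable passwords this post warns about.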

The music codes and coupons are trivial compared to the personal data. If you have ever had an account with Sony anywhere and had to create a password, it would be an exceptionally brilliant idea to make sure you are not using the same password anywhere else. Additionally, you probably need to change your password challenge answers on other web sites. Password challenge questions are the “security questions” the site would use if you forgot your password. The danger is that if your email, social networking, bank, or other account uses the same questions, then the answers are now exposed.

I highly recommend using incorrect answers to the challenge questions. Often the correct answers exist somewhere on the net or are easily obtained. If I “befriend” you on Facebook, start talking to you about cars and then ask what your first car was, you probably aren’t going to be thinking “He’s after my challenge question”. The one problem is that there are an infinite number of incorrect answers and you have to remember which incorrect answer you chose. This is where password management programs really shine. I like Password Corral; other people I know like Roboform and Lastpass.com. Paul Laudanski has recently blogged about passwords and includes other password managers.

If you have a Sony account anywhere, it’s well past time to change your password reset answers everywhere. If you used your Sony password anywhere else, change your passwords everywhere and don’t use the same one at other sites. With a password management program you don’t need to use the same password at more than one site.

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America