Sony BMG Greece – The latest hacked Sony site
In what seems to be a never-ending nightmare, it appears that the website of Sony BMG in Greece has been hacked and information dumped.
An anonymous poster has uploaded a user database to pastebin.com, including the usernames, real names and email addresses of users registered on SonyMusic.gr.
The data posted appears to be incomplete as it claims to include passwords, telephone numbers and other data that is either missing or bogus.
As was mentioned on Sophos’s Naked Security podcast (Sophos Security Chet Chat 59) at the beginning of May, it is nearly impossible to run a totally secure web presence, especially when you are the size of Sony. As long as it is popular within the hacker community to expose Sony’s flaws, we are likely to continue seeing successful attacks against them.
It appears someone used an automated SQL injection tool to find this flaw. It’s not something that requires a particularly skillful attacker, but simply the diligence to comb through Sony website after website until a security flaw is found.
While it’s cruel to kick someone while they’re down, when this is over, Sony may end up being one of the most secure web assets on the net.
If you are a user of SonyMusic.gr, it is highly recommended that you reset your password. Expect that any information you entered when creating your account may be in the hands of someone with malicious intent, and keep a close eye out for phishing attacks.
Update: The editors of The Hacker News have contacted Naked Security at Sophos and indicated they were the source of the post to pastebin.com. The original hackers had contacted them with the dump.