When it rains for Sony, it pours for Sony. And it seems that Sony is currently caught in a deluge: A hurricane of hacks, if you will. The thirteenth hack on a Sony database has been reported by Sophos' Naked Security blog, allegedly netting a single hacker 120 user names, passwords, mobile phone numbers, work emails, and websites from a user database on Sony Europe's site.
The attacker, dubbed "Idahc," claims to have used a standard SQL injection attack to get his hands on the database, which he promptly released to the world via a Pastebin document. The passwords were allegedly stored as plain text within Sony's database, a pretty big no-no as far as the world of enterprise security is concerned.
"If you are a database administrator (especially a Sony one) and want to avoid your sensitive data from ending up in the headlines I recommend you actually test your web applications for SQL vulnerabilities," wrote Sophos' Chester Wisniewski.
The pseudonym "Idahc" might sound familiar. It should: The Lebanese attacker is the same person who recently broke into Sony Ericsson's Canadian e-commerce site. This breach in a Sony site or server (the fifth, for those keeping score at home) was also the result of an SQL injection hack.
Idahc also posted the results of his Sony Ericsson hack to a Pastebin document, which included password hashes, email addresses, and the full names of the users connected to the accounts. Idahc also claimed that he had found additional databases with even more juicy details, including user credit card and telephone numbers, but he did not share these publicly.
But that's not the only silver lining to the recent Sony attacks. If you're a Sony user (specifically, a subscriber to Sony's PlayStation Network during the service's extended outage), you can at least enjoy the news of Sony's ongoing hacker issues alongside your brand-new free games.