
Lulz? Sony hackers deny responsibility for misuse of leaked data

Personal data obtained by LulzSec by means of a SQL injection attack is …

Hackers from Lulz Security ("LulzSec") broke into Sony Pictures servers, grabbed one million user accounts and plaintext passwords, then released a large sample of this data online yesterday. The data set seen by Ars Technica included names, home addresses, passwords, and e-mail addresses—perfect for malicious exploitation, since many people reuse passwords on multiple accounts. To make matters worse, the sample that LulzSec released contained data almost exclusively on (allegedly) elderly users born in the 1920s, '30s, and '40s.

According to LulzSec, hacks using the data have already begun—but don't blame them! Releasing all these e-mail addresses and passwords was Sony's fault.

"I hear there's been some funny scamming with jacked Sony accounts. That's what you get for using the same password everywhere," the group wrote this morning on its Twitter account. "Hey innocent people whose data we leaked: blame @Sony."

At least some of the leaked data does appear to be accurate. We cross-checked multiple addresses in the data release with US government property records and phone records; they match the listed surnames and phone numbers, and the leaked e-mail addresses in turn tend to mirror the names (often including sections of the name in question, for instance). The Associated Press called around and also confirmed the accuracy of some of the leaked data. But other entries in the database are quite clearly bogus—perhaps reflecting Sony contest entrants who didn't want to provide too much personal detail or were under the legal age to enter.

Mr. Lulz

This angered some people, like Twitter user H0lyPuma. "Alright @LulzSec there was no reason to publish the user accounts. hack all you want, but why punish the user? what did they do wrong?" he asked. "There is no way to justify distributing user accounts. This could fuck these people up for a long time."

Not that LulzSec cares. Its mascot wears a monocle and hoists a glass of wine in a rakish manner; its Twitter feed tells people, "You sir are sorely deluded if you think we're whitehat" and describes the group as "a team of entertainment and security experts that specialise in the production of malicious comedic cybermaterials."

In the group's IRC chatroom, the same lulz-loving, responsibility-free attitude prevails. When reporter Nick Deleon showed up to request an interview this morning, he got this:

[Reporter]: hi folks. so this is going to sound silly, but i'm
           a reporter (the daily, the new ipad newspaper-thing) in new york 
           and i'm wondering if anyone here would like to talk about
           the sony situation

[LulzSec member]: sure. in which hole of yours would you 
           prefer i stick my penis?

[Reporter]: if i have a choice in the matter, no hole would be preferable

The group even has a jolly pirate song, familiar to those who grew up watching The Love Boat.

Lulz, exciting and new,
come aboard, we're expecting you.

Lulz, life's sweetest reward,
let it flow, it floats back to you.

The Lulz Boat soon will be making another run
The Lulz Boat promises something for everyone.

Set a course for adventure,
your mind on a new romance.

Lulz won't hurt anymore,
it's an open smile on a friendly shore.

Yes LULZ! Welcome aboard: it's LULZ!

And so the Lulz Boat sails on. In its chat room, group members probe various government websites looking for common security flaws (the Sony Pictures hack used a basic SQL injection), joke about being Aaron Barr, and compare notes on obfuscating IP addresses. Apart from Twitter, however, the group has far less interest in chatting with reporters.

"Pl0x dont post all teh sploits [exploits] on your report k?" one LulzSec user told Deleon. "And we won't use your DNS against you ;)"

"Gtfo, fucking media bullshit," added another.

"Lol. A reporter," added a third. "The twitter is all you're getting."

Listing image: Photo illustration by Aurich Lawson
