LulzSec, the group behind the attack, originally said that one million accounts were vulnerable. The group only released the database files and logs for a portion of those users, however — a portion that was in the range of 37,000 users. More precisely, the group said that the user information for at least a million users was vulnerable because of the insecurity of Sony’s website.
Sony released a statement to theWall Street Journalnoting that “the website did not ask for any credit-card information.” Instead, the personal data that was exposed from the site included “names, genders, addresses, email addresses, phone numbers, birth dates, user account names and passwords.”
So in the grand scheme of things, last week’s attack was more of an embarrassment for Sony than a large-scale risk for registered users. If you were registered at Sony Pictures websites and your name is on the lists released by Lulzsec, you need only worry about making sure your passwords on other sites are different, and that you have a good spam filter to deal with the extra unsolicited email that is likely to result. Your credit card details are safe. Still, the episode underscores the reality of web security in the modern age. It used to be that users could feel comfortable trusting big brands like Sony, organizations that had the resources to keep things secure.
But that just isn’t the case any more. Sony has become a popular target — and for good reason, given the cataclysmic nature of the PSN breach — but it is hardly the only major company with a lax web security record. Earlier this week, LulzSecbriefly hackedinto one of Nintendo’s U.S. webservers. Although no user information was compromised and Nintendo hardened up its server configuration files, the situation was yet another example of the insecurity of the web.