The worst part of the recent, humiliating leak of Sony Pictures' servers isn't the hack itself, but how shamefully easy they made it. A new release by the (yet unidentified) hackers, obtained by Gawker, shows just how little Sony cared for the privacy of its people.
In a small file titled "Bonus.rar," hackers included a folder named "Password." It's exactly what it sounds like: 140 files containing thousands upon thousands of private passwords, virtually all of them stored in plaintext documents without protection of any kind.
Some seem personal in nature ("karrie's Passwords.xls") while others are wider in scope ("YouTube login passwords.xls"). Many are tied to financial accounts like American Express, while others provide access to corporate voicemail accounts or internal servers, and come conveniently paired with full names, addresses, phone numbers, and emails.
A security researcher I spoke with, who requested to go unnamed, explained just how bad this is (very bad):
It's pretty common, I've seen, for large non-progressive organizations (older software dev shops, finance places) to have precariously old ways of thinking - like that "their firewall will save them".
I'm working on a client gig now with a financial organization that is literally vulnerable to exactly the same thing - huge, wide open, company-wide fileshares, where if some bad guy got a hold of access, they could just exfiltrate terabytes of data.
Passwords in plaintext? These guys are pretty bad - I don't think I've ever encountered this before. What's the point of using common password storage/hashing techniques if your staff is keeping all your passwords in plain text on open fileshares?
Shit, why bother having locks on the doors at all?
One software developer I spoke with (anonymously) who's also sifting through the leaks was stunned by Sony's lapse:
Sony's password security is, in a word, awful (although you've probably seen that from the archive!). There are several plaintext password files for both corporate accounts and employees' personal accounts. A lot of credentials for critical systems are stored in plaintext - they haven't learnt from the PSN hack in 2011 in that regard. A particularly good example of this is Password/Social Password Log.xlsx, which contains - you guessed it - the username and password for a lot of Sony's social media accounts.
"I'm not looking through for any nefarious purposes," he added, "just trying to figure out how on earth they managed to screw up this badly."