Thousands Of Sony Passwords Stored In Directory Called “Password”
Sony’s corporate security leaves much to be desired:
Yesterday afternoon, the hackers behind the massive Sony corporate data hack released a new trove of documents, and it appears that things are only going to get worse for the victim of the most embarrassing and all-encompassing hack of internal corporate data ever made public.
Included in the newest data dump is a file directory titled “Password,” which includes 139 Word documents, Excel spreadsheets, zip files, and PDFs containing thousands of passwords to Sony Pictures’ internal computers, social media accounts, and web services accounts. Most of the files are plainly labeled with titles like “password list.xls” or “YouTube login passwords.xlsx.”
One file BuzzFeed News found included hundreds of clearly labeled Facebook, MySpace, YouTube, and Twitter usernames and passwords for major motion picture social accounts.
Though some passwords appear to be assigned to individual employees and don’t include passwords, a number of the passwords to the social media accounts for major films like Ghostbusters, The Social Network, and Easy A appear to be poorly constructed and are not alphanumerical.
The leak includes usernames and passwords for several corporate news and research services, including Lexis/Nexis and Bloomberg. All told, these subscriptions combined run to tens of thousands of dollars a month.
There are also passwords for servers and collaboration services.
(…)
For Sony, this type of security infrastructure is not only highly dangerous but also embarrassing. One of the first and oldest rules of password management and security strongly cautions that users never write down password information.
Perhaps most troubling, though, is the prevalence of personal passwords: Amazon, American Express, AIM, Google, and Fidelity passwords that have nothing to do with Sony corporate business have been swept up in the corporate leak.
Don’t worry about Sony’s really big secrets, though. Those are all secured using a super-secret password consistent of the name of the CEO’s cat and three numbers that definitely aren’t 1-2-3.
Another amusing corporate fail are the codes for virtual meetings, where cameras and mikes are present in super-secret conference rooms. The login codes are sent securely to the participants, but if they email to another account, or to a buddy, hackers can sweep up the codes and login to the conference themselves, or (worse), it’s a permanent code, so they can ‘attend’ any meeting they like.
But…. It works so well for my mother!
What was that comment? “people put bars on their windows and triple-locked doors on the front, then leave the back door open with a sign saying “I left all my money in the box on the desk””