Thousands Of Sony Passwords Stored In Directory Called “Password”
Sony’s corporate security leaves much to be desired:
Yesterday afternoon, the hackers behind the massive Sony corporate data hack released a new trove of documents, and it appears that things are only going to get worse for the victim of the most embarrassing and all-encompassing hack of internal corporate data ever made public.
Included in the newest data dump is a file directory titled “Password,” which includes 139 Word documents, Excel spreadsheets, zip files, and PDFs containing thousands of passwords to Sony Pictures’ internal computers, social media accounts, and web services accounts. Most of the files are plainly labeled with titles like “password list.xls” or “YouTube login passwords.xlsx.”
One file BuzzFeed News found included hundreds of clearly labeled Facebook, MySpace, YouTube, and Twitter usernames and passwords for major motion picture social accounts.
Though some passwords appear to be assigned to individual employees and don’t include passwords, a number of the passwords to the social media accounts for major films like Ghostbusters, The Social Network, and Easy A appear to be poorly constructed and are not alphanumerical.
The leak includes usernames and passwords for several corporate news and research services, including Lexis/Nexis and Bloomberg. All told, these subscriptions combined run to tens of thousands of dollars a month.
There are also passwords for servers and collaboration services.
For Sony, this type of security infrastructure is not only highly dangerous but also embarrassing. One of the first and oldest rules of password management and security strongly cautions that users never write down password information.
Perhaps most troubling, though, is the prevalence of personal passwords: Amazon, American Express, AIM, Google, and Fidelity passwords that have nothing to do with Sony corporate business have been swept up in the corporate leak.
Don’t worry about Sony’s really big secrets, though. Those are all secured using a super-secret password consisting of the name of the CEO’s cat and three numbers that definitely aren’t 1-2-3.