Sony Ericsson acknowledges Canadian e-commerce site hacked

Sony has been hacked for the fifth time in four days. This time a vulnerability was discovered in the Canadian e-commerce site for their mobile phone division, Sony Ericsson.

The purported attacker, @idahc_hacker, describes himself as a “Lebanese grey hat hacker.” Early this morning Pacific time in Canada he posted a database to pastebin.com containing password hashes, email addresses and full names.

@idahc_hacker is now claiming to have discovered additional databases besides the one he posted to pastebin that may contain credit card numbers, telephone numbers, discount coupons and the administrator’s username and password.

I did some checking on the password hashes and they do not appear to be easily recovered MD5 or SHA1 hashes. Hopefully Sony has salted them to make it more difficult for them to be recovered.

A Sony Ericsson spokesperson, Ivette Lopez Sisniega, acknowledged the attack to Bob McMillan from IDG. She explained that “Sony Ericsson has disabled this e-commerce website.”

SQL attack against Sony Ericsson

From a screenshot obtained from The Hacker News it is apparent that the SQL injection attack used to compromise the site was similar to the recent attacks on Sony sites in Greece and Japan.

This is the first time a partner company to Sony has been targeted in the ongoing attacks against their brand. Looking at the attacks over the past few weeks, it is clear that they are not being centrally coordinated; rather, they seem to be opportunistic attacks by those angry with Sony over the lawsuit against George Hotz.

Some have commented that this is nothing more than a thorough-but-free penetration test. It is nothing close to free… Sony’s market cap is down over $2 billion on the New York Stock Exchange.