It’s been a really rough time for Sony. I have a hunch that in the past month “Sony CTO” has leapt past toilet cleaner on the list of least desirable jobs. Last month there was the massive Sony PlayStation/Qriocity breach that leaked more data than a Wall Street ticker leaks stock prices. Then a Sony subsidiary in Japan called So-Net was hacked. Next comes word from Naked Security that Sony BMG in Greece has been hacked. Are all of these unrelated? Is there cause for you to be concerned?

If you are responsible for security at a company of any significant size and haven’t forced a companywide password change since the PlayStation breach, you had better go sit down on the toilet before you read the rest of this.

I don’t know if the So-Net and BMG hacks were directly related to the PlayStation hack, but I can tell you that many people use the same password on multiple web sites. That means anyone holding the stolen PlayStation data can start mining it for corporate access. Do you think some employees of So-Net and BMG might also happen to own a PlayStation? Their email addresses may well reveal where they work. If you like to play the ponies, bet on “same password, different account.” So if a user registered with an “@sony.com” address, or the address of any other Sony property, anyone with the stolen data has an excellent starting point for obtaining authenticated access to the corporate network. I certainly hope that EVERY employee of Sony and of its subsidiaries has been forced to change their passwords recently!

Now the bad news for the rest of us… if a user’s email address was @eset.com, an attacker can try to log in to the ESET network and hope the password in the stolen database is the same. I hope our employees know better, but knowing better has never stopped anyone from making this mistake. If any of your users registered with Sony using their company email address, you are probably at risk as well. Even if they used a personal address, if their Facebook profile or other public web presence makes it easy to identify where they work, the risk is still elevated.
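The mining described in the two paragraphs above is the same whether an attacker does it against your login page or you do it against your own directory first. The script below is an added example, not code from the original post or from ESET: it takes a breached dump of email/password pairs, keeps only the records whose domain belongs to the organization, and checks each leaked password against the corporate credential store so that the affected accounts can be reset before someone else tries them. Everything in it is hypothetical and constructed for illustration: the dump lines, the domain list, and a corporate directory that stores PBKDF2-HMAC-SHA256 hashes with a per-user salt.

```python
"""Added example (not from the original post): find employees whose leaked
password from a third-party breach still opens their corporate account.

All data and formats here are constructed for the demo: the dump is
"email,password" lines, and the corporate directory maps email -> (salt, hash)
using PBKDF2-HMAC-SHA256. Adapt both to whatever your real sources look like.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed sample of a breached dump (hypothetical addresses and passwords).
BREACH_DUMP = """\
alice@example-games.net,hunter2
bob@eset.example,Correct-Horse-1
carol@sony.example,Tr0ub4dor&3
dave@gmail.example,password1
erin@eset.example,Summer2011!
this line is junk and should be skipped
"""

# Domains we are responsible for (hypothetical).
CORPORATE_DOMAINS = {"eset.example", "sony.example"}

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Hash a password the way the (hypothetical) corporate directory does."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_directory() -> dict:
    """Constructed corporate credential store: email -> (salt, hash).

    Bob and Carol reused their breached password at work; Erin did not.
    The salt is derived from the email only to keep the demo deterministic;
    a real store would use random per-user salts.
    """
    current_passwords = {
        "bob@eset.example": "Correct-Horse-1",  # same as in the dump
        "erin@eset.example": "Autumn2011!",     # different from the dump
        "carol@sony.example": "Tr0ub4dor&3",    # same as in the dump
    }
    directory = {}
    for email, password in current_passwords.items():
        salt = hashlib.sha256(email.encode()).digest()[:16]
        directory[email] = (salt, hash_password(password, salt))
    return directory


def parse_dump(text: str):
    """Yield (email, password) pairs from 'email,password' lines, skipping junk."""
    for line in text.splitlines():
        line = line.strip()
        if not line or "," not in line:
            continue
        email, _, password = line.partition(",")
        email = email.strip().lower()
        if "@" in email:
            yield email, password


def group_by_domain(records):
    """Bucket dump records by the domain part of the email address."""
    by_domain = defaultdict(list)
    for email, password in records:
        by_domain[email.rsplit("@", 1)[1]].append((email, password))
    return by_domain


def corporate_hits(dump_text: str, domains) -> list:
    """Dump records whose address belongs to one of our domains."""
    by_domain = group_by_domain(parse_dump(dump_text))
    return [rec for domain in sorted(domains) for rec in by_domain.get(domain, [])]


def find_reuse(dump_text: str, domains, directory: dict) -> list:
    """Emails whose leaked password matches their current corporate hash.

    These are the accounts an attacker with the dump would get into first,
    so they are the ones to reset immediately.
    """
    reused = []
    for email, leaked in corporate_hits(dump_text, domains):
        if email not in directory:
            continue  # registered with a work address but no such account exists
        salt, stored = directory[email]
        if hmac.compare_digest(hash_password(leaked, salt), stored):
            reused.append(email)
    return sorted(reused)


if __name__ == "__main__":
    directory = make_directory()
    for email, _ in corporate_hits(BREACH_DUMP, CORPORATE_DOMAINS):
        print("corporate address in dump:", email)
    for email in find_reuse(BREACH_DUMP, CORPORATE_DOMAINS, directory):
        print("password reuse, reset now:", email)
```

Two caveats for anyone running something like this for real: the domain filter only catches employees who registered with their work address, so it finds the easy cases the post describes and nothing more, which is why the post still recommends a companywide reset; and the comparison step needs the leaked plaintext, so when a dump contains only hashes you can do the filtering but not the matching.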

There was a whole lot more of value in the breached data than access to PlayStation and Qriocity accounts: for every user who chose the same password everywhere, it also provided access to their email, social networking, and corporate accounts.

If you are responsible for IT at your company and haven’t forced a password change since the PlayStation breach, as soon as you are done on the toilet, you might want to make a mandatory password change your next item of business.

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America