Trove of Sony financial data, passwords, movies leaked online

The Sony Pictures hack, which took place on November 24 and led to the shutdown of the studio’s entire computer network, unfurls still. This week, hackers anonymously posted personal details of Sony employees – including social security numbers and the salary information for top executives – and copies of four unreleased Sony movies, including “Annie,” which is not scheduled for wide release until close to Christmas.

Then, on Thursday, documents containing thousands of passwords to Sony computers, social media accounts, credit cards, and Web services, were leaked as well.

Sony Pictures is in full damage-control mode. The studio has reset its network and regained control of its sites, and is working with the FBI and security company FireEye to figure out what happened and how to prevent future attacks.

But the scale of the breach is staggering: 40 gigabytes of Sony data have already been posted online, and Guardians of Peace, the hacker group claiming responsibility for the attack, says that's a tiny fraction of the 100 terabytes (100,000 gigabytes) of information it nabbed. (According to Newsweek, the reason the rest of the data hasn’t appeared online yet is because the hackers don’t yet know how to share such a large amount of data.)

Many news reports have speculated that North Korea might have played a role in the hack as payback for “The Interview,” an upcoming Sony comedy starring James Franco and Seth Rogen as journalists who are given an assignment by the CIA to assassinate North Korean leader Kim Jong-Un. In June, the North Korean government said the movie’s release would be an “act of war,” and threatened a “resolute and merciless” response against the US if “The Interview” wasn’t banned.

But an anonymous North Korean diplomat denied that his country had anything to do with the Sony Pictures hack, telling the Voice of America that North Korea is “follow[ing] international norms banning hacking and piracy.” Sam Kassoumeh, the chief executive of analytics company ScoreCard, speculated in a phone conversation with Ars Technica that one or more Sony employees might have enabled the hack to happen, possibly in retaliation for layoffs the company made earlier this year.

The leaked passwords show that Sony Pictures could take its internal data security a little more seriously. Many of the passwords are stored unencrypted in Excel spreadsheets and Word files with names like “password list.xls.” BuzzFeed reports that many of the passwords were common words with numbers added to the end – precisely the kind of weak password security experts warn us not to use.

Since the hack, Sony Pictures has secured its accounts – and presumably tightened its password policies – but there’s no telling what other sensitive information the hackers gained that could still be published online.