I was shocked when LulzSec leaked the user information of Sony users.  There it was, allegedly the email addresses and Sony passwords of thousands of people. 

Back then in early June, I didn’t know too much about LulzSec, so I wasn’t sure if the data was for real.  So how do I verify it as a journalist?

Sony wasn’t talking at that hour, so I couldn’t get any confirmation from them. I decided the only thing I could do was verify the identity of the users (i.e. that these were real people).

One of the LulzSec leaks was especially egregious because it contained the age, date of birth, full postal address, and phone number of the users.  I thought users from this database were a good start for my verification exercise.

Soon enough, I was able to verify the existence of several of them.  One elderly woman, for example, was listed in the yellow pages and had a profile at a senior dating website.

Now, I had to make an attempt at verifying the other LulzSec datasets, which only contained emails and Sony passwords.  I impulsively went ahead and decided to try the Sony passwords on the user emails.

The first one, which I picked near the top of one list, said the account had been locked because there were too many incorrect attempts. 

“So other people had the same thought that I had, although probably with different motives,” I thought to myself.

I tried another one in the middle of the list, which didn't work.  I tried a third one, which worked.

I was stunned.  Although I knew intellectually that many people recycle passwords -- so there was a good chance I’d open one of the leaked emails -- I wasn’t exactly prepared for it to actually happen.

I quickly closed out the page.

My mind was then flooded with possible scenarios.  The hijacking of Twitter accounts, Facebook accounts, LinkedIn accounts, and email accounts all seemed possible.   From there, the potential for havoc was endless.

Think about how many online accounts simply send you the password to your email upon request.  Think about how much personal information you have on your Facebook and email.  Think about all the ways people can be tricked when their “friend” asks them for money or other things through email and/or Facebook.

I then approached my editor about doing a public service email blast to warn the Sony users.  I assumed Sony didn’t do it yet (they didn’t) and that they’d be slow in doing so (they were).

I was given the go-ahead and wrote up the public service email and assembled the Sony user emails from the LulzSec leak.  However, we ultimately decided to not go through with it.

I thought that my public service email would be hidden forever. But with this article, I finally have an excuse to share it.

*******************************************************************************************************************************************

Subject: From International Business Times – Your Sony User Information Was Likely Compromised

Message:

Hello,   

Sony was likely hacked. Because you registered with a Sony website, your information was likely leaked to the World Wide Web.

The hackers leaked the following Sony databases:

Sonypictures.com AutoTrader users database

Sonypictures.com Summer of Restless Beauty users database

Sonypictures.com Seinfeld Del Boca Vista database

For Seinfeld and Summer, only the email and Sony password were leaked. For AutoTrader, the leak contained full name, full postal address, date of birth, gender, email, and Sony password.

This email batch is for the _____ users database [I planned to send out three different email blasts: one for AutoTrader, one for Summer, and one for Seinfeld].

So what should you do about your data leak?

1. If the password you gave to Sony is the same as the password you use for anything else, consider changing it immediately. This includes the password for your email account, Facebook account, Twitter account, online banking account, etc. If the Sony password is the same as your email password, your email may already have been accessed.

2. Be wary of 'phishing emails.' If you get any email -- from sources posing as your bank, employer, local government, etc. -- asking for you to 'update' or 'supply' critical information like credit card numbers, social security numbers, passwords, etc., be careful! Since scammers now have information about you, they can pose as any number of trusted sources. However, trusted sources will almost never send you emails asking you for your critical personal information.

3. Be wary of identity theft, especially if you're in the AutoTrader group. One option is getting identity theft protection. IBTimes will not endorse any particular product, but you can easily use Google to find reputable services.

4. Be mentally prepared for spam. Your email is now published on the Web (that's how IBTimes found it). It's likely that spammers will add it to their spam mailing list. If you're in the AutoTrader group, it's possible that spammers will contact you via snail mail or telephone.

Regards,

IBTimes Staff

The International Business Times is an online global business newspaper, published in thirteen editions in twelve countries across eight languages. The publication, sometimes called IBTimes, offers news, analysis and opinion on geo-politics, the global economy, markets, large and small cap companies, science and technology, and business life and culture.

www.ibtimes.com