Sony has been hacked again.  LulzSec, the group that previously hacked PBS, claimed credit.  Sony hasn’t denied or confirmed that it was hacked.  However, there is evidence that it was indeed hacked.

One, LulzSec published tons of user data – including full names, full postal addresses, dates of birth, emails, and passwords to Sony accounts.  Two, several individuals told the Associated Press that it was indeed their data that was published.  Three, IBTimes confirmed that some of the information published was of real identities.

So who is to blame?

The obvious culprit is LulzSec, the hacker group.  After all, it illegally broke into Sony’s database, stole information on Sony users, and published that information for the entire World Wide Web to see.  This information is now available to scammers, hackers, and spammers.

One leak – the Sony Pictures International AutoTrader users database – was especially egregious.  It contained the date of birth, gender, phone number, full postal address, full name, and email of Sony users.  Armed with all that information, it’s quite possible for scammers to assume the identity of the Sony users (i.e., commit identity theft).

However, some – including Sony users – are striking back at Sony.

They’re essentially accusing Sony of negligence.  They allege that Sony took their information, stored it with minimal security, and made it easy for hackers to access.

LulzSec claims it hacked Sony with “a very simple SQL injection, one of the most primitive and common vulnerabilities.” With that “single injection,” LulzSec said it was able to access “everything.”

Graham Cluley, of Web security firm Sophos, said the following to the Associated Press: “any website worth its salt these days should be built to withstand such attacks.”

The more astonishing part, said LulzSec, is that Sony stored all the user information in unencrypted text files.  LulzSec simply took these files and published them.

“This is disgraceful and insecure: they were asking for it,” said LulzSec.  Later, it added, “hey innocent people whose data we leaked: blame Sony.”

John Bumgarner, the chief technology officer for the U.S. Cyber Consequences Unit, told the Associated Press that passwords should “never, never, never” be left unencrypted.

Tim Rillahan, a Sony user whose data was compromised and published, told the Associated Press:

“Sony stored our passwords in plain text instead of encrypting the information. It shows little respect to us, their customers.”