As if it wasn’t bad enough that Sony Pictures found itself comprehensively hacked late last year and its emails and confidential data trawled through, WikiLeaks has now made things even more uncomfortable for the firm by creating a searchable online archive of the 30,287 documents and 173,132 emails.
From his small corner of the Ecuadorian Embassy in London, WikiLeaks founder and editor-in-chief Julian Assange attempted to justify the release of the documents:
Now published in a fully searchable format The Sony Archives offer a rare insight into the inner workings of a large, secretive multinational corporation. The work publicly known from Sony is to produce entertainment; however, The Sony Archives show that behind the scenes this is an influential corporation, with ties to the White House (there are almost 100 US government email addresses in the archive), with an ability to impact laws and policies, and with connections to the US military-industrial complex.
“This archive shows the inner workings of an influential multinational corporation. It is newsworthy and at the centre of a geo-political conflict. It belongs in the public domain. WikiLeaks will ensure it stays there.”
If Sony was furious at the media for publishing information stolen by the hackers before, they’re likely to be incandescent with rage at WikiLeaks for making everything available in a searchable archive now.
It’s a shame that Assange and his WikiLeaks colleagues didn’t go to greater effort to sift through the emails to find some smoking guns that might implicate Sony Pictures as being up to no good. As it is, it’s quite a lot to trawl through.
I had a quick look and found emails from Sony staff organising birthday parties, arranging cupcake deliveries, and talking about promotional plans for movies. I’m sure there may be something more damning there too, but I’ll leave it to others to uncover.
What I did find was a lot of evidence that Sony Pictures, and its staff, were pretty lousy at following best password practices.
Hopefully since their mega-hack they’ve learnt their lesson, and changed any passwords which may have been compromised, because judging by some of the things I saw they were making schoolboy errors.
Take the following, for instance, where Sony Pictures showed it wasn’t above using some very easy-to-guess admin passwords for systems on its servers (I added the highlight):
Passwords of “password”. Passwords which are identical as the username. Passwords which are just days of the week. It makes you want to hit your head against a brick wall.
Here’s another example of a document created, I suspect, by a Sony employee. To save their embarrassment and reduce any potential risk I have obscured their username (not a measure that WikiLeaks has taken, of course):
There are many many more examples.
In fact, over 1100 of the 30,287 Sony Pictures documents in the WikiLeaks haul contain the word “password”. No doubt even more evidence of sloppy password practices could be found in the email archive too.
Who needs sophisticated password-cracking software if passwords this poor are used by staff to secure their company’s systems and accounts?
Don’t feel too smug about Sony’s discomfort - ask yourself if you are taking enough steps to secure your passwords. Does your company use strong password management software to generate complex, unique, hard-to-guess passwords?