Sony admits LulzSec attack, calls in the Feds

Sony Pictures Entertainment has issued a statement blaming "a group of criminal hackers known as 'LulzSec'" for attacking its web sites.

In the statement signed by chairman and CEO Michael Lynton and co-chairman Amy Pascal, Sony said the "cybercrime wave that has affected Sony companies and a number of government agencies, businesses and individuals in recent months has hit Sony Pictures as well."

LulzSec previously claimed it had penetrated databases attached to sonypictures.com, sonybmg.be and sonybmg.nl.

The bunch of hackers said they got hold of more than a million passwords. "Every bit of data we took wasn't encrypted, they said. "Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it."

"They were asking for it," LulzSec's 'pretentious press statement' read.

Sony "confirmed that a breach has occurred and have taken action to protect against further intrusion". It said a "respected team of outside experts" was looking into the matter

Sony also contacted the U.S. Federal Bureau of Investigation to get help "in the identification and apprehension of those responsible for this crime."

Sony has come under criticism for its lax security. Aziz Maakaroun, business development director at security firm Outpost24, critcised the Japanese giant, saying: “Yet another successful attack on Sony raises serious questions about the organisation’s security. What is particularly shocking here is that this hack utilised one of the oldest tricks in the book, an SQL injection vulnerability. Not only are SQL injections one of the most common and well known threats on the web, they are also one of the most easily protected against."

Sony apologised to its customers "for any inconvenience caused to consumers by this cybercrime," but has failed to divulge more information on the attack.