Yesterday afternoon, the hackers behind the massive Sony corporate data hack released a new trove of documents, and it appears that things are only going to get worse for the victim of the most embarrassing and all-encompassing hack of internal corporate data ever made public.
Included in the newest data dump is a file directory titled "Password," which includes 139 Word documents, Excel spreadsheets, zip files, and PDFs containing thousands of passwords to Sony Pictures' internal computers, social media accounts, and web services accounts. Most of the files are plainly labeled with titles like "password list.xls" or "YouTube login passwords.xlsx."
One file BuzzFeed News found included hundreds of clearly labeled Facebook, MySpace, YouTube, and Twitter usernames and passwords for major motion picture social accounts.
Though some passwords appear to be assigned to individual employees and don't include passwords, a number of the passwords to the social media accounts for major films like Ghostbusters, The Social Network, and Easy A appear to be poorly constructed and are not alphanumerical.
The leak includes usernames and passwords for several corporate news and research services, including Lexis/Nexis and Bloomberg. All told, these subscriptions combined run to tens of thousands of dollars a month.
There are also passwords for servers and collaboration services.
And the story department's passwords for everything from its email to Amazon, Variety, and FedEx.
Another file exposes an individual's passwords for a number of expensive data services. Most of the passwords were simple combinations of obvious nouns and numbers.
The new files, which were obtained illegally by hackers that some reports say are linked to the North Korean government, are available to download via torrent files, potentially placing this trove of passwords into the hands of any curious hackers, scammers, and criminals.
The Sony movie The Interview, starring James Franco and Seth Rogen as journalists who attempt to assassinate North Korean leader Kim Jong Un, is scheduled to be released Dec. 25. When the BBC asked a North Korean representative if the country was responsible for the attack on Sony, a government spokesperson said, "Wait and see."
For Sony, this type of security infrastructure is not only highly dangerous but also embarrassing. One of the first and oldest rules of password management and security strongly cautions that users never write down password information.
Perhaps most troubling, though, is the prevalence of personal passwords: Amazon, American Express, AIM, Google, and Fidelity passwords that have nothing to do with Sony corporate business have been swept up in the corporate leak.
And if the hackers are to be believed, this may just be the second of many massive data dumps. The first two leaks represent only a fraction of the approximately 100TB of data the hackers claim to have taken from Sony.
James Franco and Seth Rogen play journalists in The Interview.
Charlie Warzel is a senior writer for BuzzFeed News and is based in New York. Warzel reports on and writes about the intersection of tech and culture.
Contact Charlie Warzel at firstname.lastname@example.org.
Matthew Zeitlin is a business reporter for BuzzFeed News and is based in New York. Zeitlin reports on Wall Street and big banks.
Contact Matthew Zeitlin at email@example.com.
Got a confidential tip? Submit it here.