Sony emails reveal loose use of passwords and IDs, ripe for hacking

WASHINGTON — In the weeks before hackers broke into Sony Pictures Entertainment, the studio suffered significant technology outages it blamed on software flaws and incompetent technical staffers who weren't paying attention, even as hackers targeted executives to trick them into revealing their online credentials.

Its chief executive was regularly reminded in unsecure emails of his own secret passwords for his and his family's mail, banking, travel and shopping accounts, according to a review of more than 32,000 stolen corporate emails circulating on the Internet.

Scrutiny of Sony's stolen computer data hasn't yet revealed exactly how hackers managed to slip inside to steal such an enormous cache, when it happened, who was behind the theft or their motives.

But late Wednesday, a U.S. official told The Associated Press that federal investigators have now connected the Sony hack to North Korea. The official was not authorized to discuss an ongoing criminal case openly, and spoke on condition of anonymity.

Confirmation of the North Korean link came just after Sony cancelled plans for the Dec. 25 release of "The Interview," which had been one of the hackers' public demands due to its depiction of the fictional assassination of North Korean leader Kim Jong-un.

The stolen files expose lax Internet security practices inside Sony such as pasting passwords into emails, using easy-to-guess passwords and failing to encrypt especially sensitive materials such as confidential salary and revenue figures, strategic plans and medical information about some employees. Experts say such haphazard practices are common across corporate America.

"Most people who say they're not doing that are lying," said Jon Callas, co-founder and chief technology officer for Silent Circle Inc., a global encrypted-communications service.

"I still need the password to your Amazon account," Diamond wrote to Lynton in August.

Sony spokeswoman Jean Guerin did not respond to a phone message left with an assistant in her office and email from The Associated Press on Wednesday.

In an October email, the company's chief financial officer, David C. Hendler, complained to Lynton that Sony Pictures had experienced months of "significant and repeated outages due to a lack of hardware capacity, running out of disk space, software patches that impacted the stability of the environment, poor system monitoring and an unskilled support team." Hendler also blamed a company rule that required employees to keep too many old emails.

"Sloppy, really sloppy," said Kevin Mitnick, a former hacker who served five years in federal prison and now runs Mitnick Security Consulting LLC. But Mitnick was quick to acknowledge that other top chief executives are "probably doing it, too." Companies can use password-management software, which can store dozens or hundreds of encrypted passwords to various accounts behind one protected password.

"It's pretty ordinary for CEOs and executive assistants to share confidential information by email," he said. "They feel that their email is secure and they have nothing to worry about."

"If I'm trying to get credentials, that's the first search I'm going to run," said Mitnick, who is hired by companies to test their internal security.