Task 1 of 8

77 Million Accounts — Sony's Worst Week

In April 2011, Sony's PlayStation Network went offline. The reason: attackers had broken in and stolen the personal data of 77 million accounts — names, addresses, email addresses, dates of birth, and potentially payment card details. The network was down for 23 days. Sony estimated the breach cost them $171 million.

The attack vector: SQL injection. The same technique you are about to learn. Attackers found a place where Sony's application passed user input directly to their database without checking it — and used that to extract everything.

SQL INJECTION'S TRACK RECORD

Sony PlayStation Network — 2011
77 million accounts. $171M damage. 23-day outage.
Vector: SQL injection

Heartland Payment Systems — 2008
130 million credit card numbers. Largest card breach at the time.
Vector: SQL injection

TalkTalk — 2015
157,000 customers' data. £77M cost. CEO resigned.
Vector: SQL injection

Yahoo — 2012
3 billion accounts. Largest breach in history.
Vector: SQL injection (among other vectors)

Slick Wraps — 2020
370,000 customer records exposed by a 19-year-old researcher.
Vector: SQL injection

SQL injection has been in the OWASP Top 10 since the list was created. Security researchers have been warning about it for over 20 years. Companies are still getting breached by it today. The gap is not in the knowledge — it is in the implementation.

1. How many accounts were exposed in the Sony PlayStation Network breach?

2. SQL injection has been on the OWASP Top 10 since it was created. What does that tell you?
