I've lost count of how many times Sony's online properties have been hacked now—I just don't have that many fingers—but it's happened again. Databases used to operate sonypictures.com, sonybmg.nl, and sonybmg.be have been compromised by a group calling itself Lulz Security, or LulzSec for short. This is the same group that earlier in the week hacked PBS's servers in retaliation for a documentary felt to be critical of Wikileaks; they also hacked sonymusic.co.jp last week.

Just as was the case with the sonymusic.gr hack and LulzSec's sonymusic.co.jp hack, the latest hack was performed using SQL injection: a rudimentary technique that depends on improper handling of website URLs. Being susceptible to SQL injection is embarrassing enough—techniques to prevent it are well-known, and easy to apply to any database-driven website—but what makes this hack even worse is the data that has been compromised.

The hackers retrieved account information from the database. They claim there are more than a million accounts in total; their BitTorrented dump just contained a sample. The database contained information about a variety of different account types, apparently related to different promotions and features operated by the company. Different sets of accounts, but with one major feature in common: they included plaintext passwords. Anyone who can read the database can read the passwords. And given that password reuse is rampant—many, many people use the same passwords for websites as they do their e-mail or online banking—many of those who have had their Sony accounts compromised now risk having their e-mail accounts attacked.

Some accounts also included names, phone numbers and full postal addresses.

At some point, one has to imagine that Sony will realize that it's a major target for hackers and it will wise up and fix its multitudinous broken Web applications. Until then, Lulz Security's "Lulz Boat" will continue to find rich plunder wherever it sails.