Sony Pictures falls victim to major data breach

02.06.2011

"SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now," LulzSec said. "From a single injection, we accessed EVERYTHING."

"What's worse is that every bit of data we took wasn't encrypted," the group claims. "Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it."

LulzSec said that it had copied and published only a relatively small sample of the information it had managed to access because it did not have the resources to download everything. The group said that in theory it could have "taken every last bit of information," but that would have taken weeks.

The group posted a link to the SQL injection vulnerability it had exploited and invited anyone to verify it personally. "You may even want to plunder those 3.5 million coupons while you can."

In response to a request for comment, a Sony spokeswoman said the company would send a statement by email to Computerworld, but it has not yet done so.