PlayStation Network user data stolen
After nearly a week of little information, Sony reveals that hackers did indeed gain access to subscriber personal information and possibly credit card numbers.
Nearly a week ago Sony pulled the plug on the PlayStation Network and Qriocity services in response to what was later revealed to be an "external intrusion" on the system. Since that time Sony has offered very little information to ease subscriber concerns over the safety of their personal data, other than to say it was taking "the time necessary to provide the system with additional security."
In his latest report on the situation, Sony's senior director of corporate communications and social media, Patrick Seybold, revealed the sobering truth that user data had indeed been compromised. The following email will be going out to all PlayStation Network subscribers:
We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:
- Temporarily turned off PlayStation Network and Qriocity services;
- Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
- Quickly taken steps to enhance security and strengthen our network infrastructure by re-building our system to provide you with greater protection of your personal information.
We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.
To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:
U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit www.annualcreditreport.com or call toll-free (877) 322-8228.
We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a “fraud alert” on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below.
Experian: 888-397-3742; www.experian.com; P.O. Box 9532, Allen, TX 75013
Equifax: 800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
TransUnion: 800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
You may wish to visit the web site of the U.S. Federal Trade Commission at www.consumer.gov/idtheft or reach the FTC at 1-877-382-4357 or 600 Pennsylvania Avenue, NW, Washington, DC 20580 for further information about how to protect yourself from identity theft. Your state Attorney General may also have advice on preventing identity theft, and you should report instances of known or suspected identity theft to law enforcement, your State Attorney General, and the FTC. For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; telephone (877) 566-7226; or www.ncdoj.gov. For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; telephone: (888) 743-0023; or www.oag.state.md.us.
We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority. Please contact us at 1-800-345-7669 should you have any additional questions.
Sincerely,
Sony Computer Entertainment and Sony Network Entertainment
Garnett Lee posted a new article, PlayStation Network user data hacked.
No. By law you're only liable for the first $50 of credit card fraud, and most companies don't even bother to charge you that, in the name of keeping good customer relations. The onus is on your credit card company, not you, so they are either super-safe and will be calling you if they see unusual activity, or they get what they deserve. You DO have an obligation to contact them if you see something before they do, however.
What you need to worry about is your date of birth. Marry that off to your social security and they have the keys to the kingdom. A credit card number is a joke compared to that. Lots of mom-and-pop shops still print your entire credit card number and expiration date on the receipt. Those numbers are all over the place.
Secondarily, if they order with your card, AND they have your home address now, they can order crap and have it delivered to your house, and then they can come grab it off the porch. That is a bigger pain in the ass for a variety of reasons, not the least of which is an unfortunate encounter with them. The CC companies will probably give you a harder time if you dispute shit that is sent to your doorstep, but it's common enough that you should still be OK.
This varies by state and country. Given that PSN is available in 40 countries there's absolutely little chance that Sony's legal department has anything nearing a handle on the situation. At the very minimum some states require email notification about the issue, which we haven't seen yet. This is just an initial statement at this point; we're likely to be hearing about this for a long while.
Now would be a good time to enable 2-step verification if you use Gmail:
http://gmailblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html
Isn't the text message version actually better, because it notifies you when someone tries to use it? I'm not sure I understand the benefit to the app. I suppose the text message could in theory be intercepted, but in that case you're probably trying to hide things from the government, and Google won't help you there.
I'm a bit concerned about their advice that people change their passwords. They didn't list "password" as something that might have been stolen, and if they know anything at all about computer security then they cannot possibly have anyone's password on record. (If this claim doesn't make sense, you should read about cryptographic hashes: http://en.wikipedia.org/wiki/Cryptographic_hash_function ).
Did the hackers get such complete access that they have password digest files and can attack those offline?
Nope. It just needs to be pushed through a one way hash function and stored in that form.
Imagine you have a function that takes a string and outputs a 128-bit key. When a person registers an account, Sony would save that key in their password field. The actual string the user input would be discarded.
Then every subsequent time the user logs in, it runs the password they entered through the same function and checks to see whether the output matches what they've stored.
Their real password would never be stored anywhere.
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.
I dunno; the wording seems to say clearly that passwords were compromised. If so, that says very, very bad things about Sony's internal security. If it's just hashes that's a different story, but I would think if that was the case the release would have said they "might" have been compromised, rather than including them definitely.
If they did, it's against the PCI Data Security Standards, with which Sony is required to be in compliance if they're handling credit card transactions, or else their payment processing provider is required to be in compliance. Maybe they're erring on the side of caution by saying the passwords have been compromised, but we saw what happened when Gawker got caught using plain old DES, which has been easily brute-forceable for over a decade.
That's true, but I have seen it happen at places that are required to do PCI and even have audits. Not at the company we were working for, but some of their partner banks were more than willing to send us secure stuff through regular email and FTP; we had to insist on doing it right before they'd go through the effort. It was an eye opener, to say the least.
With a sensible amount of salt, rainbow tables are not that helpful. And even if you can brute force a few passwords, that would still just be dangerous to a few people. (Although, celebrities beware!)
It would take forever to brute force the whole PW database. I think they actually stored passwords though. Or they would have worded it differently, I think.
Didn't we see this coming anyway? Granted, it would have been nicer to get a report like this sooner; however, it's better to do some investigating rather than potentially crying wolf. Just think if Sony said without looking into it further that user data was compromised, just to discover later nothing was taken, we would have the same "WTF SONY?!?!" but this time it would be because people cancelled cards and all the good stuff, then find out it was for nothing.
The backlash against Sony is expected, however some of it may be a bit unwarranted.
I'm having trouble coming up with a response that would really be an overreaction to "hackers broke into our system and made off with the data for our entire user base, including passwords and credit card numbers, we weren't able or willing to tell anyone for a week, and our system is so fucked that it will be down for an indefinite time into the future." That's basically a worst-case security scenario.
I guess demands for summary execution might be an overreaction. Maybe.
It sounds like entering the PS3 into Dev mode got you onto the network. Once they were onto the network, traffic was sniffable and further poking happened.
My simple guess was some HTTP GET request would return a user's info given *some* parameter. Now that you're onto the network (and playing), you could sniff other users' PSN IDs and keep crawling. After enough IDs, you *may* be able to gain the pattern and build a larger crawl through all possible user combinations.
There was a Custom Firmware that was released that allowed that to happen. Something like that happened with M&T bank a few years ago and another bank this year if you remember correctly. So all the outrage of how this can happen. It can, it has and it will happen again. Instead of black clothes, zip lines and glass cutters, they have computers.
I bought a PS3 the other day knowing full well the situation. It's a great console but I feel they need to follow XBOX 360 in the network area. I wouldn't mind paying maybe 40 dollars for 6 months service or something. Long as it keeps it secure.
I have always liked the PS, PS2, and PS3 and feel they will resolve this. Don't let this put you off buying a PS3.
Update: For those who were asking, Sony has just confirmed to me there is currently no way to determine what password you were/are using on PSN. If you're worried at all, you should probably change your password used across the Internet.
http://www.giantbomb.com/news/good-news-psn-back-maybe-within-a-week-bad-news-everything-else-updated/3084/
Really Sony? Really?
No, you could not; quite the opposite, rather. It just means they don't currently have a system set up to look, and aren't going to.
The fact that they didn't elaborate and instead again included passwords as compromised if anything suggests storing passwords in a retrievable format is even more likely.
Considering they flat out include passwords in the compromised info, it seems more like reading between the lines to guess that it wasn't really compromised.
Don't get me wrong, I realize how absurd it would be for Sony to have stored the passwords in cleartext, but such things have happened before; I'm just going by what they themselves say.
Oh, it's likely a good thing. Considering this statement and that you could only do password resets, not retrieval, in the past and it's safer to assume that the passwords were hashed. That means less reason to worry about the actual passwords being lost.
However, I assume there's a fair amount of users who would like to be able to tell if the password matched anything else and would hope that Sony would set up a lookup system to double check. It's likely just not technically feasible, though they can't outright say that. People will likely be unhappy either way.
Wow, I really can't believe they waited this long to say that user data was compromised. I'm extremely paranoid about this stuff! Luckily after the Gawker security breach I learned my lesson and started making better use of password manager utilities as well as having individual passwords for each service/website that requires one. I also went ahead and cancelled the card associated with my PSN account and had my bank send a replacement, just for good measure. I'm also going to place a 90-day fraud alert on my credit.
Just another reminder that your data is never truly safe and it's always important to do what you can to protect your info.
PASSWORD?!?! REALLY?!?! I've tried to not blow up too much about the Sony thing because I haven't been adversely affected so far, (I have a PSN acct, but no CC associated with it) but this is beyond the pale! Since the 70s it has been known and understood that you never ever ever store passwords!! There is a completely standard and pretty secure way of storing them which involves using a hash with salt. This allows you to verify a password without ever having to store it, and if your password db is ever compromised, the infiltrator can of course get into your systems but the passwords themselves are still protected.
Sony seem to have ignored even the most simple, fundamental rules of secure coding that literally every programmer who ever handles a password should be embarrassed not to know. It shows a level of incompetency that is criminal, I think. Who knows what the hackers will do with the DB, but it's quite possible that there will be many, many accounts compromised because of this. People are sometimes lax with their passwords and reuse them... I'm sure everyone does to some degree. I use unique passwords for all but the most trivial things, but with the multitude of accounts people have to juggle these days, you just can't expect otherwise. However, you could expect Sony to conform to the least common denominator of security practices in the industry. Ugh... I am beyond disgusted.
You're just speculating. Gawker stored hashed, salted passwords but it was still trivially easy for many simple passwords to get brute forced because Gawker used an old hashing algorithm that was very fast to compute. Even if PSN stored passwords using some current best-practice password storage scheme like bcrypt, there's still the possibility of users' passwords being recovered - albeit slowly, at great computational expense. Maybe Sony did something stupid like using MD5, but it's possible they're just assuming the worst even though it's a PR disaster.
I think it's pretty informed speculation since it's the most simple reading of their statement. I would say that you're speculating that only hashes were leaked.
Also, you're right about the Gawker leak, that was stupid of them. They used DES however. Even the now-"broken" MD5 with a sizable amount of salt would have been adequate to protect much of the list. It's like everyone has forgotten everything that was learned in the 90s about basic secure coding practices. :(
Yeah, no kidding. Although in this case I don't think that's true. If someone came up to me and said I needed to store account info and they needed it done right away, I don't think I could honestly make the argument that I'd just store the pw in plain text to "save time". It's really not hard to just call a standard API or worst case add my own salt and hash it with SHA-2 or something.
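The one-way, salted scheme described in this thread (hash the password with a per-user salt, store only the digest, re-run the function at login and compare), as an added example that is none of the posters' code and nothing to do with Sony's real system. It uses PBKDF2-HMAC-SHA256 from Python's standard library as the slow, salted hash; the function names, record layout, iteration count and sample passwords are assumptions for the illustration, and the unsalted MD5 function exists only to contrast the "same password, same digest" problem that salt removes.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this illustration. ITERATIONS is the work factor:
# a deliberately slow hash is the difference between a fast DES/MD5 digest
# and bcrypt/PBKDF2, and it is what makes an offline guess loop expensive.
ITERATIONS = 200_000
SALT_BYTES = 16
DIGEST_BYTES = 32  # 256-bit output (the post above imagined 128-bit)


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """One-way function: (password, salt, cost) -> fixed-size digest."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DIGEST_BYTES
    )


def register(password: str) -> dict:
    """Build what the 'password field' holds: salt, cost and digest.

    The plaintext is used once and then discarded; it appears nowhere
    in the returned record.
    """
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per account
    return {
        "algorithm": "pbkdf2_sha256",
        "iterations": ITERATIONS,
        "salt": salt.hex(),
        "digest": hash_password(password, salt).hex(),
    }


def verify(record: dict, candidate: str) -> bool:
    """Login check: run the candidate through the same function and compare."""
    if record.get("algorithm") != "pbkdf2_sha256":
        return False
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["digest"])
    actual = hash_password(candidate, salt, record["iterations"])
    # Constant-time compare so timing does not reveal how many bytes matched.
    return hmac.compare_digest(expected, actual)


def plaintext_stored(record: dict, password: str) -> bool:
    """Demonstration check: does the stored record contain the password text?"""
    return any(password in str(value) for value in record.values())


def unsalted_md5(password: str) -> str:
    """The weak scheme discussed in the thread: fast hash, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def same_digest_without_salt(password: str) -> bool:
    """Two users with the same password get identical unsalted digests,
    which is exactly what a precomputed (rainbow) table looks up."""
    return unsalted_md5(password) == unsalted_md5(password)


def same_digest_with_salt(password: str) -> bool:
    """With per-user salt, the same password yields different records,
    so a table precomputed for one salt is useless for another."""
    return register(password)["digest"] == register(password)["digest"]


if __name__ == "__main__":
    # Constructed sample password; not from any real account.
    rec = register("correct horse battery staple")
    print(rec)
    print("login ok:", verify(rec, "correct horse battery staple"))
    print("wrong pw:", verify(rec, "correct horse battery stapl"))
    print("plaintext in record:", plaintext_stored(rec, "correct horse battery staple"))
```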
Like I said, they've got a track record of these idiotic decisions. Plus, imagine the bureaucracy in a company that large. I imagine some distant manager hands down the specs and any rational employee faces nearly impossible odds for getting it changed. Maybe I'm wrong, but there's got to be some kind of explanation for the repeated failures of this magnitude.
Lame. When it comes to credit cards I'd always rather take the time to punch it in instead of having it stored anywhere. I guess this is a wake up call to myself to think more about what I buy and where.
But what really irks me is that the first time I ever use the PSN store was about a week and a half before this shit went down.
So for a service like amazon or steam where they specifically ask you "would you like us to save your CC info for faster check out next time?" does that mean they don't store it anywhere? I'm guessing they still do and that only really protects you from someone logging onto your computer and buying shit.
where's the confusion here?
"would you like us to save your CC info for faster check out next time?"
YES -> they save your CC info.
NO -> they don't save your CC info.
Either way they'll save authorization/confirmation number and transaction ids. If you choose No they won't save the card number or expiration date. If you say yes, they will store those encrypted, but won't store the card's security code.
It's hard to say without knowing their processes. I'm only making a guess about Sony in this case. I think it's a little different than a website like Amazon. In the same way that iTunes always stores your CC because they don't think you'd want to punch it in over and over again on your iPhone to buy things. Websites frequently have a use-and-forget mode for CC input which is really nice to have, but I guess you just have to trust them on the "forget" part.
Look through your emails for ones from "DoNotReply@ac.playstation.net" and it'll list the last 4 digits of the card used.
http://www.joystiq.com/2011/04/26/sony-says-psn-intrusion-compromised-personal-info-hopes-to-ha/
Senator Richard Blumenthal (D, CT) wrote an open letter to Jack Tretton: http://gamepolitics.com/2011/04/26/richard-blumenthal-sends-letter-sony-over-psn-data-theft
Dear Mr. Tretton:
I am writing regarding a recent data breach of Sony’s PlayStation Network service. I am troubled by the failure of Sony to immediately notify affected customers of the breach and to extend adequate financial data security protections.
It has been reported that on April 20, 2011, Sony’s PlayStation Network suffered an “external intrusion” and was subsequently disabled. News reports estimate that 50 million to 75 million consumers -- many of them children -- access the PlayStation Network for video and entertainment. I understand that the PlayStation Network allows users to store credit card information online to facilitate the purchasing of content such as games and movies through the PlayStation Network. A breach of such a widely used service immediately raises concerns of data privacy, identity theft, and other misuse of sensitive personal and financial data, such as names, email addresses, and credit and debit card information.
When a data breach occurs, it is essential that customers be immediately notified about whether and to what extent their personal and financial information has been compromised. Additionally, PlayStation Network users should be provided with financial data security services, including free access to credit reporting services, for two years, the costs of which should be borne by Sony. Affected individuals should also be provided with sufficient insurance to protect them from the possible financial consequences of identity theft.
I am concerned that PlayStation Network users’ personal and financial information may have been inappropriately accessed by a third party. Compounding this concern is the troubling lack of notification from Sony about the nature of the data breach. Although the breach occurred nearly a week ago, Sony has not notified customers of the intrusion, or provided information that is vital to allowing individuals to protect themselves from identity theft, such as informing users whether their personal or financial information may have been compromised. Nor has Sony specified how it intends to protect these consumers.
PlayStation Network users deserve more complete information on the data breach, as well as the assurance that their personal and financial information will be securely maintained. I appreciate your prompt response on this important issue.
Sincerely,
Richard Blumenthal
United States Senate
Yeah that is a pretty typical hack. They get into your account. Buy gift cards with a stolen credit card and then sell those gift cards and make lots of money that way. iTunes has had some major issues with this, and now has a stricter password requirement when you create an account or change your password.
We all should really think about this here, there's no telling where or who this info was sold to or who has possession of it. I've never been hacked or had my info stolen once in the 20 years I've been using computers. Going to use this as an opportunity to change all my info and get a fresh start just in case.
What to make of this?
http://shockwavelounge.blogspot.com/2011/04/playstation-network-log-of-hacker.html
Between this and the YLOD they can eat a dick. The YLOD is just as bad as the RROD except it's delayed until after 3-4 years. In some ways it's worse because the console is more expensive and it's out of warranty when it breaks. Every friend I know who has owned a 60gb has had to replace it.
Sony won't be getting a penny from me next generation.
I closed both my cards and had them re-issue me new ones since I'm not sure which card I was using on PSN currently (And the last thing I bought was back a year ago, so I can't check). It's no big deal, since I pay my bills with checks.
It just means I can't buy anything on Steam until 5-6 business days. I hope they don't have a hot sale again.
Well, whether you believe them or not by this stage, they claim they didn't know the "full extent" until Monday.
http://www.kotaku.com.au/2011/04/sony-didnt-know-severity-of-ps3-breach-until-monday/
Utter nonsense.
Given the nature of a hack it is immediately obvious whether sensitive information can be gleaned from the resulting access. There are no 'data forensics' or 'outside experts' required to arrive at that conclusion.
Jesus Christ, they employ the engineers who build, maintain, optimize, secure and debug the very network that was compromised. Are they expecting us to believe that those engineers threw their hands up with a "Fucked if we know what happened - let's get in the experts"?
To be honest, personally I'm only a bit annoyed rather than pissed about this. Of course, I understand if you had your credit card details saved in your account then you have every right to be angry.
It's quite ironic how Sony touting the 70 million figure for number of PSN accounts has backfired on them. We all know it's likely due to multiple accounts per person but the knee-jerk reaction of some naive "journalists" still state this figure to add a bit more drama.
This is messed up, I just got an email that got through my Gmail spam filter and included information about the state where I lived when I registered for PSN. It's trying to get me to "freeze" my credit report by sending all my personal information to random addresses they claim are the major credit bureaus.
People who don't know any better are going to get owned hard by this type of social engineering...
Yeah. Here's the full email: It looks like it was copied from the blog post you mentioned, but with some interesting edits (see the parts where you have to send $5 to the credit bureaus, and send your SSN among other personally identifiable information):
http://pastebin.com/7Tz5wUTA
In a horrible addition to the shitty handling of all this, that is possibly an official carrier.
Innovyx was used by them earlier this year to send out updated TOS or some such, and I'm seeing some forum chatter about playstation-info.com being official and also being used to deliver some newsletters.
http://community.us.playstation.com/thread/3419557?start=0&tstart=0
Maybe not, but don't jump too far across that mat just yet.
So what sort of effect do you think that this whole debacle will have on Sony's approach to their online service with the PS4, and its lasting effects on the Playstation brand as a whole? I don't think that it will kill the Playstation brand as a whole, not by any means, but I have a feeling that you're going to see the next iteration of Sony's online presence be a much less "open", and likely a paid, model.
It makes you wonder sometimes what the hell is going on at the top at Sony. From the horrible PR gaffes leading up to the launch of the PS3, the constant contradictions when it came to backwards compatibility and rumble, Playstation Home's very existence, and this most recent debacle, it really seems like the executives are utterly disconnected from reality. It's like they're expecting the Sony name to let them weather any storm or dumb move without realizing that we're no longer in the Walkman days when they reigned supreme.
Oh yeah, I may not own a PS3, and I may utterly despise the XMB and have serious issues with the approach they took to PSN, but I still like the system. I'm honestly probably going to pick up a PS3 before I replace my RROD'd launch 360 (R.I.P.); pretty much all of my gripes about PS3 as a platform have much more to do with Sony's PR and corporate image as it relates to the PS3 than they do with the actual system.
Other than the controller, that is. I'm sorry, but the 360 controller just blows it out of the water. ;)
Email password changed; my bank card is tied to a different email account. BoA is pretty good with keeping tabs on activity. They have locked my card on me before, and I was the one that was buying stuff. Worst comes to worst, I can have a new card and number in a few days.
Keeping an eye on my balance sheet to play it safe... of course when they said "External intrusion" red flags went up...
Not shocked... Cyber crime is the new thing... this happened a year or two ago at M&T bank.
Might just be me, but when Sony was told it's on by a group of hackers, everyone at Shacknews lol'd and thought it was 13-year-old kids, and now everything's apeshit. Silly stuff.
http://www.blameitonthevoices.com/2011/04/anonymous-vs-sony.html