PlayStation Network user data stolen
After nearly a week of little information Sony reveals that hackers did indeed gain access to subscriber personal information and possibly credit card numbers.
Nearly a week ago Sony pulled the plug on the PlayStation Network and Quirocity services in response to what was later revealed to be an "external intrusion" on the system. Since that time Sony has offered very little information to ease subscriber concerns over the safety of their personal data other than to say it was taking "the time necessary to provide the system with additional security."
In his latest report on the situation, Sony senior director corporate communications and social media Patrick Seybold revealed the sobering truth that user data had indeed been compromised. The following email will be going out to all PlayStation Network subscribers:
We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:
- Temporarily turned off PlayStation Network and Qriocity services;
- Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
- Quickly taken steps to enhance security and strengthen our network infrastructure by re-building our system to provide you with greater protection of your personal information.
We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.
To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:
U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit www.annualcreditreport.com or call toll-free (877) 322-8228.
We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a “fraud alert” on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below.
Experian: 888-397-3742; www.experian.com; P.O. Box 9532, Allen, TX 75013
Equifax: 800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
TransUnion: 800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
You may wish to visit the web site of the U.S. Federal Trade Commission at www.consumer.gov/idtheft or reach the FTC at 1-877-382-4357 or 600 Pennsylvania Avenue, NW, Washington, DC 20580 for further information about how to protect yourself from identity theft. Your state Attorney General may also have advice on preventing identity theft, and you should report instances of known or suspected identity theft to law enforcement, your State Attorney General, and the FTC. For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; telephone (877) 566-7226; or www.ncdoj.gov. For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; telephone: (888) 743-0023; orwww.oag.state.md.us.
We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority. Please contact us at 1-800-345-7669 should you have any additional questions.
Sincerely,
Sony Computer Entertainment and Sony Network Entertainment
-
Shacknews
replyGarnett Lee posted a new article, PlayStation Network user data hacked.
After nearly a week of little information Sony reveals that hackers did indeed gain access to subscriber personal information and possibly credit card numbers.-
[deleted]
-
Soooo should I be canceling my card at this point?
-
No, but you should be keeping an eye on it. It may be prudent to call your bank and ask what kind of protection you have against fraudulent charges, should they occur.
-
No. By law you're only liable for the first $50 of credit card fraud, and most companies don't even bother to charge you that, in the name of keeping good customer relations. The onus is on your credit card company, not you, so they are either super-safe and will be calling you if they see unusual activity, or they get what they deserve. You DO have an obligation to contact them if you see something before they do, however.
What you need to worry about is your date of birth. Marry that off to your social security and they have the keys to the kingdom. A credit card number is a joke compared to that. Lots of mom-and-pop shops still print your entire credit card number and expiration date on the receipt. Those numbers are all over the place.
Secondarily, if they order with your card, AND they have your home address now, they can order crap and have it delivered to your house, and then they can come grab it off the porch. That is a bigger pain in the ass for a variety of reasons, not the least of which is an unfortunate encounter with them. The CC companies will probably give you a harder time if you dispute shit that is sent to your doorstep, but it's common enough that you should still be OK. -
-
It's just really shitty they sat on this information for a week. You could have notified your bank last week FFS
-
-
-
-
-
guess i am cancelling that card, wtf sony.
-
kind of disappointed they did not see this coming. keys out in the public, and whatnot
-
That is somewhat premature. See my above post and then make your decision.
-
-
-
-
-
-
This varies by state and country. Given that PSN is available in 40 countries there's absolutely little chance that Sony's legal department has anything nearing a handle on the situation. At the very minimal some states require email notification about the issue, which we haven't seen yet. This is just an initial statement at this point; we're likely to be hearing about this for a long while.
-
-
-
-
-
[deleted]
-
-
-
-
This is true. A quick google search reveals similar brouhahas milling over XBLA/Windows Live ID as well. The difference here is, the entire PSN service will be down for 2 weeks overall, whereas on other sites there was minimal, if any, service interruption (on the order of hours instead of weeks).
-
-
-
SIMPSONS DID IT
-
-
-
I cant believe how long they waited to tell everyone this information, fucking ridiculous.
-
Agreed, this is what gets me. A week with no word and our information floating around. I'd have had this dealt with day one if they'd said they'd lost subscriber information and possibly credit card numbers...They are seriously tanking after all the awesome they built up with the PSOne and PS2
-
Don't forget the awesome DRM on CD's.
-
-
-
-
-
any psn users want to get in on the ground floor of a class action?
-
-
-
-
[deleted]
-
-
-
-
now would be a good time to enable 2 step verification if you use gmail
http://gmailblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html-
[deleted]
-
-
thanks!
-
Thanks that was really fun. Made me feel like a spy.
-
Apparently I need iOS 4 to use this :(
-
-
Isn't the text message version actually better, because it notifies you when someone tries to use it? I'm not sure I understand the benefit to the app. I suppose the text message could in theory be intercepted, but in that case you're probably trying to hide things from the government, and Google won't help you there.
-
-
[deleted]
-
-
[deleted]
-
-
[deleted]
-
-
[deleted]
-
I wonder if steam info would be compromised if folks signed in through PSN on Steam prior to the outage. In any case time to change passwords.
-
-
Oh that puts a hole new wrinkle in this... honestly most(well at least) banks will put a flag on your card if they see any out of the ordinary activity on it. Trust mine has done that 3 times already when my tax returns for couple of years.
-
-
-
-
[deleted]
-
They suspended themselves from a ventilation shaft in the server room.
-
-
Nice. Good thing I have to wait until September to get a new free credit report. Great job, guys.
-
-
-
I'm a bit concerned about their advice that people change their passwords. They didn't list "password" as something that might have been stolen, and if they know anything at all about computer security then they cannot possibly have anyone's password on record. (If this claim doesn't make sense, you should read about cryptographic hashes: http://en.wikipedia.org/wiki/Cryptographic_hash_function ).
Did the hackers get such complete access that they have password digest files and can attack those offline?-
-
This is the thing, though: Sony shouldn't have anyone's password in the first place, so it shouldn't be something anyone can steal.
-
-
No, it doesn't. That's the beauty of cryptographic hashing. You can read about it in the article I linked above.
-
[deleted]
-
-
Nope. It just needs to be pushed through a one way hash function and stored in that form.
Imagine you have a function that takes a string and outputs a 128bit key. When a person registers an account, Sony would save that key in their password field. The actual string the user input would be discarded.
Then every subsequent time the user logs in, it runs the password they entered through the same function and checks to see whether the output matches what they've stored.
Their real password would never be stored anywhere.
-
-
-
-
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.
-
You're right: I misread. That's actually far scarier than this hack happening in the first place. The only reason to store a user password is because you don't know what you're doing.
-
It has to be stored somewhere, how would they know if you put in the correct password or not?
-
-
-
-
-
Nice.
-
-
I wouldn't put it past them, but which is worse: a company that doesn't know the first thing about security, or one that is willing to say it doesn't just for the sake of simplicity during a security crisis?
-
-
I dunno; the wording seems to say clearly that passwords were compromised. If so, that says very, very bad things about Sony's internal security. If it's just hashes that's a different story, but I would think if that was the case the release would have said they "might" have been compromised, rather than including them definitely.
-
-
-
-
-
-
Oops, I misread: they did list "password". So they store passwords, meaning that Sony doesn't know the first thing about computer security.
-
-
If they did, it's against the PCI Data Security Standards, with which Sony is required to be in compliance if they're handling credit card transactions, or else their payment processing provider is required to be in compliance. Maybe they're erring on the side of caution by saying the passwords have been compromised, but we saw what happened when Gawker got caught using plain old DES, which has been easily brute-forceable for over a decade.
-
That's true, but I have seen it happen at places that are required to do PCI and even have audits. Not at the company we were working for, but some of their partner banks were more than willing to send us secure stuff through regular email and FTP; we had to insist on doing it right before they'd go through the effort. It was an eye opener, to say the least.
-
-
-
-
Typically breaches like this the hashes are taken. But between rainbow tables and off-line attacks weak passwords are found, people typically reuse passwords, and that's the issue there. I think the bigger issue is security questions and answers were taken, which if you are like me and use non-sensical answers is a big deal.
-
I don't understand the problem with having your nonsensical answers exposed. Can you explain?
-
-
-
ya, this is pretty bad
-
-
I use nonsense for every security question that I know won't be used for two-factor authentication. I just mash the keyboard until I hit the character limit. I'm not sure why that information would help anyone if they already had my account password.
-
-
I understand that it would be an issue for most people, but I assumed mancide's nonsensical answers were random, like mine. I can see how it would be a problem if they weren't random, but just lies in order to avoid being obvious.
-
-
-
-
I'm guessing he considers them un-guessable and re-uses them
-
-
With a sensible amount of salt, rainbow tables are not that helpful. And even if you can brute force a few passwords, that would still just be dangerous to a few people. (Although, celebrities beware!)
It would take forever to brute force the whole PW database. I think they actually stored passwords though. Or they would have worded it differently, I think.
-
-
-
It doesn't matter whether they're in the clear or not. There is no need to store them at all.
-
-
-
[deleted]
-
-
-
None of the credit companies will offer free fraud protection for me. Is the info from Sony wrong about that?
-
At no charge, U.S. residents can have these credit bureaus place a “fraud alert” on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. - All three of them are telling me I have to pay for this service.
-
-
-
Didn't we see this coming anyway? Granted it would have been nicer to get a report like this sooner however its better to do some investigating rather than potentially crying wolf. Just think if Sony said without looking into it further that user data was compromised, just to discover later nothing was taken, we would have the same "WTF SONY?!?!" but this time it would be because people cancelled cards and all the good stuff, then find out it was for nothing.
The backlash against Sony is expected, however some of it may be a bit unwarranted.-
-
Actually, you'd be surprised. Many companies wait weeks or even months after a data breach before notifying their customers, if they notify them at all.
-
-
I'm having trouble coming up with a response that would really be an overreaction to "hackers broke into our system and made off with the data for our entire user base, including passwords and credit card numbers, we weren't able or willing to tell anyone for a week, and our system is so fucked that it will be down for an indefinite time into the future." That's basically a worst-case security scenario.
I guess demands for summary execution might be an overreaction. Maybe.
-
-
[deleted]
-
Hey at least you can still get the four updates you need to play the game you just bought!
-
-
-
-
It sounds like entering the PS3 into Dev mode got you onto the network. Once they were onto the network, traffic was sniffable and further poking happened.
My simple guess was some HTTP GET request would return a user's info given *some* parameter. Now that you're onto the network (and playing), you could sniff other user's PSN IDs and keep crawling. After enough IDs, you *may* be able to gain the pattern and build a larger crawl through all possible user combinations. -
there was a Customer Firmware that was released that allowed that to happen. Something like happen with M&T bank a few years ago and another bank this year if U remember correctly. So all the outrage of how this can happen. It can, it has and it will happen again. Instead of black clothes, zip lines and glass cutters. They have computers.
-
-
-
-
uuuuuuuuuuuggggghh come the F on
-
-
I bought a PS3 the other day knowing full well the situation. Its a great console but I feel they need to follow XBOX 360 in the network area. I wouldn't mind paying maybe 40 dollars for 6 months service or something. Long as it keeps it secure.
I have always liked the PS, PS2, and PS3 and feel they will resolve this. Don't let this put you off buying a PS3.-
[deleted]
-
-
[deleted]
-
4.Change all account questions and answers on any service that uses them.
-
-
-
It does everything!
-
Update: For those who were asking, Sony has just confirmed to me there is currently no way to determine what password you were/are using on PSN. If you're worried at all, you should probably change your password used across the Internet.
http://www.giantbomb.com/news/good-news-psn-back-maybe-within-a-week-bad-news-everything-else-updated/3084/
Really Sony? Really?-
-
No, you could not; quite the opposite, rather. It just means they don't currently have a system set up to look, and aren't going to.
The fact that they didn't elaborate and instead again included passwords as compromised if anything suggests storing passwords in a retrievable format is even more likely.-
-
Considering they flat out include passwords in the compromised info, it seems more like reading between the lines to guess that it wasn't really compromised.
Don't get me wrong, I realize how absurd it would be for Sony to have stored the passwords in cleartext, but such things have happened before; I'm just going by what they themselves say.-
-
-
Any smart PR guy would confirm with a technical director of sort if the info in the announcement was complete and accurate. Not asking a nerd about the situation they don't understand (nerdy security stuff) before sending it out is just bad PR.
-
-
-
-
-
-
-
This most likely means that they were hashed and that they can't tell you the plain text of it. At least that sheds a little light on the questions above.
-
-
Oh, it's likely a good thing. Considering this statement and that you could only do password resets, not retrieval, in the past and it's safer to assume that the passwords were hashed. That means less reason to worry about the actual passwords being lost.
However, I assume there's a fair amount of users who would like to be able to tell if the password matched anything else and would hope that Sony would setup a look up system to double check. It's likely just not technically feasible, though they can't outright say that. People will be likely be unhappy either way.
-
-
[deleted]
-
-
Who wants to buy a PS3?
-
So this ANON hive-mind...they very much have teeth amirite?
-
-
ANON doesn't care about customer information or CC#s. When they go after dox it is to embarrass someone. They tend to target a specific person and leak all THEIR info.
-
-
-
-
Contrary to their behavior and beliefs. There are only a few members who have the skills to do real cracking like this, and they've always been absolutely tight about what they will and won't release.
-
-
-
-
-
[deleted]
-
-
I've been pondering getting a PS3, and oddly, this news doesn't change that.
-
Wow, I really can't believe they waited this long to say that user data was compromised. I'm extremely paranoid about this stuff! Luckily after the gawker security breach I learned my lesson and started making better use of password manager utilities as well has having individual passwords for each service/website that requires one. I also went ahead and cancelled the card associated with my psn account and had my bank send a replacement, just for good measure. I'm also going to place a 90 day fraud alert on my credit.
Just another reminder that your data is never truly safe and its always important to do what you can to protect your info.
-
PASSWORD?!?! REALLY?!?! I've tried to not blow up too much about the Sony thing because I haven't been adversely affected so far, (I have a PSN acct, but no CC associated with it) but this is beyond the pale! Since the 70s it has been known and understood that you never ever ever store passwords!! There is a completely standard and pretty secure way of storing them which involves using a hash with salt. This allows you to verify a password without ever having to store it, and if your password db is ever compromised, the infiltrator can of course get into your systems but the passwords themselves are still protected.
Sony seem to have ignored even the most simple, fundamental rules of secure coding that literally every programmer who ever handles a password should be embarrassed not to know. It shows a level of incompetency that is criminal, I think. Who knows what the hackers will do with the DB, but it's quite possible that there will be many, many accounts compromised because of this. People are sometimes lax with their passwords and reuse them... I'm sure everyone does to some degree. I use unique passwords for all but the most trivial things, but with the multitude of accounts people have to juggle these days, you just can't expect otherwise. However, you could expect Sony to conform to the least common denominator of security practices in the industry. Ugh... I am beyond disgusted.
-
-
You're just speculating. Gawker stored hashed, salted passwords but it was still trivially easy for many simple passwords to get brute forced because Gawker used an old hashing algorithm that was very fast to compute. Even if PSN stored passwords using some current best-practice password storage scheme like brcypt, there's still the possibility of users' passwords being recovered - albeit slowly, at great computational expense. Maybe Sony did something stupid like using MD5, but it's possibly they're just assuming the worst even though it's a PR disaster.
-
In ideal cases, it would take an astronomically long time to brute force a best-practice hash... but then Sony also got caught using ECDSA in the PS3 firmware without randomizing the variable that said "please make this a random integer!", and that's how the private key got decrypted.
-
Wouldn't someone/group with this level of expertise have distributed computing at their fingertips? Perhaps through infected zombie PC's?
-
-
I think it's pretty informed speculation since it's the most simple reading of their statement. I would say that you're speculating that only hashes were leaked.
Also, you're right about the Gawker leak, that was stupid of them. They used DES however. Even the now-"broken" MD5 with a sizable amount of salt would have been adequate to protect much of the list. It's like everyone has forgotten everything that was learned in the 90s about basic secure coding practices. :(-
Proper implementations cost time and money and its easier and cheaper to just do it wrong. Especially when executives view IT and security as an expense.
-
Yeah, no kidding. Although in this case I don't think that's true. If someone came up to me and said I needed to store account info and they needed it done right away, I don't think I could honestly make the argument that I'd just store the pw in plain text to "save time". It's really not hard to just call a standard API or worst case add my own salt and hash it with SHA-2 or something.
-
-
-
-
pretty much. Sony said passwords were compromised, that's as simple as it gets. Any other interpretation is reading between the lines at this point.
-
[deleted]
-
[deleted]
-
-
-
-
Pretty sure I read yesterday that they've been caught transmitting credit card info in plaintext. Why does this surprise you?
-
-
Like I said, they've got a track record of these idiotic decisions. Plus, imagine the bureaucracy in a company that large. I imagine some distant manager hands down the specs and any rational employee faces nearly impossible odds for getting it changed. Maybe I'm wrong, but there's got to be some kind of explanation for the repeated failures of this magnitude.
-
Quite often someone does make a stink about it but upper management is like nah not worth the trouble, will cost too much money. Having specifically dealt with credit card processors and banks as I've noted before many store shit in plain text even though they aren't supposed to. The only reason you even find out is when someone hacks, but if determined hackers started really hitting all sorts of companies peoples data would be coming out left and right.
-
-
-
Major fines or pocket change to Sony?
-
-
-
-
Sooo glad I never signed up for a PSN account, and have only plugged an Ethernet cable into the PS3 three times to anonymously download the patches for Bayonetta, Catherine, and GT5.
-
-
-
Lame. When it comes to credit cards I'd always rather take the time to punch it in instead of having it stored anywhere. I guess this is a wake up call to myself to think more about what I buy and where.
But what really irks me is that the first time I ever use the PSN store was about a week and a half before this shit went down. -
So for a service like amazon or steam where they specifically ask you "would you like us to save your CC info for faster check out next time?" does that mean they don't store it anywhere? I'm guessing they still do and that only really protects you from someone logging onto your computer and buying shit.
-
where's the confusion here?
"would you like us to save your CC info for faster check out next time?"
YES -> they save your CC info.
NO -> they don't save your CC info.
Either way they'll save authorization/confirmation number and transaction ids. If you choose No they won't save the card number or expiration date. If you say yes, they will store those encrypted, but won't store the card's security code.
-
It's hard to say without knowing their processes. I'm only making a guess about Sony in this case. I think it's a little different than website like Amazon. In the same way that iTunes always stores your CC because they don't think you'd want to punch it in over and over again on your iPhone to buy things. Websites frequently have a use-and-forget mode for CC input which is really nice to have, but I guess you just have to trust them on the "forget" part.
-
-
-
-
[deleted]
-
-
-
Hackers be hackin
-
[deleted]
-
-
Look through your emails for ones from 'DoNotReply@ac.playstation.net" and it'll list the last 4-digits of the card used.
http://www.joystiq.com/2011/04/26/sony-says-psn-intrusion-compromised-personal-info-hopes-to-ha/-
[deleted]
-
much thanks. This should probably be INF'd as well.
-
[deleted]
-
weird, the CC# part is blank but I do remember buying some PS1 game on PSN.
-
[deleted]
-
-
[deleted]
-
-
-
Senator Richard Blumenthal (D, CT) wrote an open letter to Jack Tretton: http://gamepolitics.com/2011/04/26/richard-blumenthal-sends-letter-sony-over-psn-data-theft
Dear Mr. Tretton:
I am writing regarding a recent data breach of Sony’s PlayStation Network service. I am troubled by the failure of Sony to immediately notify affected customers of the breach and to extend adequate financial data security protections.
It has been reported that on April 20, 2011, Sony’s PlayStation Network suffered an “external intrusion” and was subsequently disabled. News reports estimate that 50 million to 75 million consumers -- many of them children -- access the PlayStation Network for video and entertainment. I understand that the PlayStation Network allows users to store credit card information online to facilitate the purchasing of content such as games and movies through the PlayStation Network. A breach of such a widely used service immediately raises concerns of data privacy, identity theft, and other misuse of sensitive personal and financial data, such as names, email addresses, and credit and debit card information.
When a data breach occurs, it is essential that customers be immediately notified about whether and to what extent their personal and financial information has been compromised. Additionally, PlayStation Network users should be provided with financial data security services, including free access to credit reporting services, for two years, the costs of which should be borne by Sony. Affected individuals should also be provided with sufficient insurance to protect them from the possible financial consequences of identity theft.
I am concerned that PlayStation Network users’ personal and financial information may have been inappropriately accessed by a third party. Compounding this concern is the troubling lack of notification from Sony about the nature of the data breach. Although the breach occurred nearly a week ago, Sony has not notified customers of the intrusion, or provided information that is vital to allowing individuals to protect themselves from identity theft, such as informing users whether their personal or financial information may have been compromised. Nor has Sony specified how it intends to protect these consumers.
PlayStation Network users deserve more complete information on the data breach, as well as the assurance that their personal and financial information will be securely maintained. I appreciate your prompt response on this important issue.
Sincerely,
Richard Blumenthal
United States Senate]i-
Um yeah he needs to worry about Balancing and passing a budget and gas prices.
-
Last Sony product I ever buy, its over faggots. I don't care if the next playstation sucks my cock, its fucking over Sony I QUIT YOU
-
that was me after discovering the sony walkman bean digital music player could only play ATRAC and all ym tracks had to be converted. And the rootkit thing
-
-
*sigh*
Some serious bush league IT security over there at Sony with a healthy dash of terrible fucking PR management. They waited almost 10 days to tell customers that their personal and credit card information could have been compromised? Really? God damn.
You can say "you get what you pay for" all day long and until you're blue in the face, but that's not remotely the issue. PSN+ members pay good money (and receive some fantastic benefits!), and it's not like the DCUO subscribers are getting anything for free. The problem is simply their set of security policies sucked and their lackadaisical attitude toward both resolving known vulnerabilities and keeping their customers informed over time has been inexcusable. That's just piss poor business no matter what the service is (free email or a free forum, web hosting, your phone provider, your utility service, a gambling website, etc).
It'll be interesting to see what the long term effects are for Sony on this one (as a company, as a service provider, and as a general player in the market). Sure, they can have an outside, supposedly independent company assure everyone that their network is now secure, but who's really going to trust them and who's going to want to deal with a company that didn't take those steps in the first place? I mean, 75 million subscribers across 59 countries just had their account information leaked. That's a huge fuck up. Fucking huge fuck up.
Oh well, I'm going back to playing some more Portal 2 so that I can shoot for that platinum trophy before PSN gets back up and my account syncs. -
[deleted]
-
-
[deleted]
-
Yeah that is a pretty typical hack. They get into your account. Buy gift cards with a stolen credit card and then sell those gift cards and make lots of money that way. iTunes has had some major issues with this, and now has a stricter password requirement when you create an account or change your password.
-
-
-
-
We all should really think about this here, there's no telling where or who this info was sold to or who has possession of it. Ive never been hacked or had my info stolen once in the 20 years I've been using computers. Going to use this as a opportunity to change all my info and get a fresh start just in case.
-
from now on, every site gets a random password from mashing on the keys. This is going to require me to use the Forgot My Password link each time! Best password security IMO.
-
-
taped to the monitor
-
Grandma? Is that you?
-
-
-
[deleted]
-
I went to every website I could recall having an account and generated a new, stronger password using KeePass. Of course, I managed to completely overlook PSN.
-
I did this a month ago, not tonight. Lucky timing.
-
-
Use LastPass's secure password generator (you can even set it up to a hotkey). It'll remember it for you securely.
-
-
what to make of this?
http://shockwavelounge.blogspot.com/2011/04/playstation-network-log-of-hacker.html-
Don't know what it means but it's interesting.... I only hope there's still good in this world of hackers that can get a better name for themselves and catch the ones that just want to be destructive with their work....
-
-
I once saw a child the size of a tangerine
-
-
-
-
Well, thank goodness I was still using my old spam-trap email address with my PSN account. I imagine those email addresses are going to get around now.
-
Don't forget to change your Microsoft Live account info, if you use the same username/password.
Or any other account that uses the same combo, for that matter.-
-
Shit, forgot about iTunes. Thanks for the reminder.
-
-
-
I have a different username for twitter/skype/facebook, I guess I should change the password though.
-
It was time for an update anyway
-
Yea, my password wasn't all that strong anyway.
-
-
-
-
-
I'm soooo looking forward to their opening speech at E3...they'll probably pretend it never happened...
-
[deleted]
-
Fortunately for me, the CC I had on PSN is long canceled and I haven't bought anything on it since I think Fat Princess.
-
UNFORTUNATELY I updated my CC so I could get Xenogears :(
-
Exact same boat here lol. I just did an email search
-
[deleted]
-
-
[deleted]
-
-
[deleted]
-
yea it felt like tc_hydro
-
-
-
-
haha, same date of my email too.
-
-
Between this and the YLOD they can eat a dick. The YLOD is just as bad as the RROD except it's delayed until after 3-4 years. In some ways it's worse because the console is more expensive and it's out of warranty when it breaks. Every friend I know who has owned a 60gb has had to replace it.
Sony won't be getting a penny from me next generation.-
I think you're experience is just a case of bad luck. I mean, my 60gb and everyone i know who has one still rocks on fine till this day.
But having PSN hacked and compromised to this level is just as bad (or even worse).-
Do you actually use it for games? If you do, just give it time. It will happen.
-
-
-
[deleted]
-
And we can all thank Anon for bringing this on Sony, what a great cause! So exciting to see a group of morons doing good on the internetz! When the playstations a brick with no games or PSN we can all thank them for this! What's their next big thing?
If you can't tell I'm being sarcastic... -
-
-
[deleted]
-
-
I closed both my cards and had them re-issue me new ones since I'm not sure which card I was using on PSN currently (And the last thing I bought was back a year ago, so I can't check). It's no big deal, since I pay my bills with checks.
It just means I can't buy anything on Steam until 5-6 business days. I hope they don't have a hot sale again.
-
-
Well, whether you believe them or not by this stage, they claim they didn't know the "full extent" until Monday.
http://www.kotaku.com.au/2011/04/sony-didnt-know-severity-of-ps3-breach-until-monday/-
Utter nonsense.
Given the nature of a hack it is immediately obvious whether sensitive information can be gleaned from the resulting access. There are no 'data forensics' or 'outside experts' required to arrive at that conclusion.
Jesus Christ, they employ the engineers who build, maintain, optimize, secure and debug the very network that was compromised. Are they expecting us to believe that those engineers threw their hands up with a "Fucked if we know what happened - let's get in the experts"?
-
-
I would like to know the secret questions/answers that they have on me as well.
-
-
To be honest, personally I'm only a bit annoyed rather than pissed about this. Of course, I understand if you had your credit card details saved in your account then you have every right to be angry.
It's quite ironic how Sony touting the 70 million figure for number of PSN accounts has backfired on them. We all know it's likely due to mutliple accounts per person but the knee-jerk reaction of some naive "journalists" still state this figure to add a bit more drama. -
This is messed up, I just got an email that got through my Gmail spam filter and included information about the state where I lived when I registered for PSN. It's trying to get me to "freeze" my credit report by sending all my personal information to random addresses they claim are the major credit bureaus.
People who don't know any better are going to get owned hard by this type of social engineering...-
seriously? already?!? fucking fuck Sony
-
[deleted]
-
[deleted]
-
-
-
[deleted]
-
Yeah. Here's the full email: It looks like it was copied the blog post you mentioned, but made some interesting edits (see the parts where you have to send $5 to the credit bureaus, and send your SSN among other personally identifiable information):
http://pastebin.com/7Tz5wUTA-
[deleted]
-
[deleted]
-
-
asking for a social security number in there seems really shady
-
[deleted]
-
-
-
In a horrible addition to the shitty handling of all this, that is possibly an official carrier.
Innovyx was used by them earlier this year to send out updated TOS or some such, and I'm seeing some forum chatter about playstation-info.com being official and also being used to deliver some newsletters.
http://community.us.playstation.com/thread/3419557?start=0&tstart=0
Maybe not, but don't jump too far across that mat just yet.-
-
-
They do match. Instructions are fine. Looks like they made modifications for specific state law.
http://www.atg.wa.gov/freezecharts.aspx ( ono they are also trying to steal me identity!)-
-
good to know it's legit, but it's another example of Sony's lousy communications
-
-
-
-
-
-
-
-
[deleted]
-
-
[deleted]
-
-
-
-
-
-
Good thing they let people know their info is compromised ... a week after the fact. That's very kind of them.
-
-
-
y'know, i honestly expected a thousand-post megathread about this...
-
So what sort of effect do you think that this whole debacle will have on Sony's approach to their online service with the PS4, and it's lasting effects on the Playstation brand as a whole? I don't think that it will kill the Playstation brand as a whole, not by any means, but I have a feeling that you're going to see the next iteration of Sony's online presence be a much less "open", and likely a paid, model.
-
-
It makes you wonder sometimes what the hell is going on at the top at Sony. From the horrible PR gaffes leading up to the launch of the PS3, the constant contradictions when it came to backwards compatibility and rumble, Playstation Home's very existence, and this most recent debacle, it really seems like the executives are utterly disconnected from reality. It's like they're expecting the Sony name to let them weather any storm or dumb move without realizing that we're no longer in the Walkman days when they reigned supreme.
-
-
Oh yeah, I may not own a PS3, and I may utterly despise the XMB and have serious issues the approach they took to PSN, but I still like the system. I'm honestly probably going to pick up a PS3 before I replace my RROD'd launch 360 (R.I.P.), pretty much all of my gripes about PS3 as a platform have much more to do with Sony's PR and corporate image as it relates to the PS3 than they do with the actual system.
Other than the controller, that is. I'm sorry, but the 360 controller just blows it out of the water. ;)-
How can you hate the XMB? It's so simple and intuitive.
-
-
You think? I never had any issues with it, I navigated them largely the same way I did on PC.
-
-
Mostly from doing TRC checks, it made every flaw (major or minor) with the XMB become burned into my brain.
-
-
-
-
-
-
[deleted]
-
-
-
email Password changed , my bank a card is tied to different email account, BoA is pretty good with keeping tabs on activity. They have locked my card on me before and I was the one that was buying stuff. worst comes to worst i can have new card and number in few days.
Keeping an eye on my balance sheet to play it safe... of course when they said "External intrusion" red flags went up...
Not shocked... Cyber crime is the new thing... this happen a year or two ago at M&T bank -
[deleted]
-
Might just be me, but when sony was told it's on by group of hackers, everyone at shacknews lol'd 'n thought it was 13 year old kids, and now everything's apeshit, silly stuff
http://www.blameitonthevoices.com/2011/04/anonymous-vs-sony.html
-
