
Sony warns of compromised personal data following PSN attacks

Tue 26 Apr 2011 8:25pm GMT / 4:25pm EDT / 1:25pm PDT
Online

"We cannot rule out the possibility" of stolen credit card info - Seybold

Sony Computer Entertainment has finally issued a detailed statement on the PlayStation Network downtime, confirming the possibility that private customer information may have been compromised as a result of "malicious actions."

Although Sony said it expects to have PSN up and running within a week, it admits that between April 17 and April 19 the service suffered an "illegal and unauthorized intrusion" and that the name, address, country, email address, birthdate, PlayStation Network/Qriocity password and login, and PSN online ID of users have been obtained by an unauthorised person.

"While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility," wrote Sony's Patrick Seybold on the PlayStation blog.


The PlayStation Network currently has over 75 million registered users accessing services on PlayStation 3, PSP and PC.

"If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."

"For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information," continued Seybold.

"When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well."

Sony's online PlayStation service was taken offline last Wednesday with few updates given to users as to why they were unable to access multiplayer gaming, purchase content and use online functions for the console.

The full message from Sony Computer Entertainment follows:

"Thank you for your patience while we work to resolve the current outage of PlayStation Network & Qriocity services. We are currently working to send a similar message to the one below via email to all of our registered account holders regarding a compromise of personal information as a result of an illegal intrusion on our systems. These malicious actions have also had an impact on your ability to enjoy the services provided by PlayStation Network and Qriocity including online gaming and online access to music, movies, sports and TV shows. We have a clear path to have PlayStation Network and Qriocity systems back online, and expect to restore some services within a week.

We're working day and night to ensure it is done as quickly as possible. We appreciate your patience and feedback.

Valued PlayStation Network/Qriocity Customer: We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:

1. Temporarily turned off PlayStation Network and Qriocity services;
2. Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
3. Quickly taken steps to enhance security and strengthen our network infrastructure by re-building our system to provide you with greater protection of your personal information.

We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.

Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.

To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:

U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit www.annualcreditreport.com or call toll-free (877) 322-8228.

We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a "fraud alert" on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below.

Experian: 888-397-3742; www.experian.com; P.O. Box 9532, Allen, TX 75013
Equifax: 800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
TransUnion: 800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790

You may wish to visit the web site of the U.S. Federal Trade Commission at www.consumer.gov/idtheft or reach the FTC at 1-877-382-4357 or 600 Pennsylvania Avenue, NW, Washington, DC 20580 for further information about how to protect yourself from identity theft. Your state Attorney General may also have advice on preventing identity theft, and you should report instances of known or suspected identity theft to law enforcement, your State Attorney General, and the FTC. For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; telephone (877) 566-7226; or www.ncdoj.gov. For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; telephone: (888) 743-0023; or www.oag.state.md.us.

We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority. Please contact us at 1-800-345-7669 should you have any additional questions.

Sincerely, Sony Computer Entertainment and Sony Network Entertainment"

25 Comments

Would passwords not have been encrypted?

Posted:3 years ago

#1

Paul Holmes
Studying Computer Science

1 0 0.0
@Richard I hope so, though if Gawker is anything to go by..

Posted:3 years ago

#2

Ben Hewett
Studying MA Philosophy

40 1 0.0
You've got to wonder what the long-term effects of this will be: Sony's reputation just took a major hit.

Posted:3 years ago

#3

Joe Winkler
trained retail salesman

169 4 0.0

Posted:3 years ago

#4

Ben Hewett
Studying MA Philosophy

40 1 0.0
@Joe

I guess it depends if the hackers have managed to remove the personal data, or whether they've simply gained control of PSN accounts. The first is much worse than the second.

Posted:3 years ago

#5

Nick Hidayat
Studying Advanced Diploma in Character Animation

8 0 0.0
The absolute worst. I agree with Joe when he says :(

Posted:3 years ago

#6

Sam Maxted
Journalist / Community / Support

155 65 0.4
Thankfully I've not bought anything over PSN, but I can't remember what my PSN password is, so I don't know what other account(s) I might need to change it for. Joy...

EDIT: Apparently, the number of asterisks on the PSN's Sign In screen on the PS3 is an accurate representation of the number of characters in your password, if you have it saved there. So that might help some people figure out what theirs is, from any list of "normal" passwords they may have.

Edited 1 times. Last edit by Sam Maxted on 26th April 2011 11:55pm

Posted:3 years ago

#7

David Vink
Freelance

19 16 0.8
Why did it take Sony this long to come forward with this information?

Posted:3 years ago

#8

Ben Hewett
Studying MA Philosophy

40 1 0.0
@David

That seems to be the million dollar question..

Posted:3 years ago

#9

Andrew Goodchild
Studying development

1,241 400 0.3
@David. Good question. Haven't Sony just given the hacker a week potentially with card details, whilst customers didn't know the risk?

Posted:3 years ago

#10

Robert Kelly

38 0 0.0
Perhaps they didn't know or wanted to make sure before people go off and cancel their cards etc. I don't think the hackers would be bothered with credit card details, they were caught up in pirating software by the barrel to attack customers (at least that's what it sounds like)

Posted:3 years ago

#11

Jake Clayton

54 0 0.0
Even if the passwords were encrypted, a lot of companies use an md5 encryption, which can be reversed through a simple online md5 dictionary.

Posted:3 years ago

#12

Gregory Hommel
writer

91 53 0.6
This is all unfortunate. But I don't think Sony's reputation should be sullied in the least. This is the direct result of an attack aimed squarely at Sony, but the millions of users are just collateral damage. This attack has been brewing since the launch of the PS3 and frankly, I'm surprised it took this long. Hater will hate, always.

Posted:3 years ago

#13

Andrew Wilson
3D Artist

27 1 0.0
Surely that amount of raw data would take a long time to download, but they seem to be suggesting everyone who's signed up had their details taken.
You would hope that all the info going down the pipe to one place would've set off some sort of alarm...

Posted:3 years ago

#14

Joe Winkler
trained retail salesman

169 4 0.0
gamefront.de already posted the update. I would post the links, but I only found the German versions yet ;)

This is way bigger than I considered..

Edit2: The passwords have been leaked as well.

Edited 2 times. Last edit by Joe Winkler on 27th April 2011 9:11am

Posted:3 years ago

#15
Ouch. Major PR disaster for Sony, be interesting to see how they handle it and the effect it has on them long term.

I also think they waited too long to tell people. Can see them being investigated by the authorities too, probably fined.

Posted:3 years ago

#16

Jay Filmer
Web Developer

8 0 0.0
@Jake Clayton

Sony should really be doing what most other people do: 'salt' the password when MD5ing, then salt the MD5'd pass, and MD5 once more. If you're salting with things like a combination of the user's email and last login/date registered timestamps then you're pretty safe and no online dictionary will be of any use.

Posted:3 years ago

#17
There is zero reason for passwords to be compromised: you only need to store a hash/checksum/MD5 of the password, which is *not* reversible to the password itself (when the user enters the password, you simply apply the same algorithm to the string the user entered and check if the codes match). If they were storing plain text (or even encrypted) passwords, that is kindergarten level incompetence and people need to be fired now.

However, credit card numbers are not so easy: when a purchase is made through a bank, the original details are needed. An MD5/hash is not adequate. You either get the user to enter the details every time - or you store the details in a *very* secure database, in a non-plain text (and encrypted) fashion.

Posted:3 years ago

#18
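The store-a-hash-and-verify flow described in #18, with the per-user salting that #17 argues for, as an added example that is not code from the article, the commenters or Sony. It uses PBKDF2-HMAC-SHA256 from Python's standard library instead of MD5, and the three-word "online dictionary" is a constructed stand-in for the lookup tables #12 mentions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for an "online md5 dictionary": a precomputed map from
# the unsalted MD5 digest of a common password back to the password itself.
COMMON_PASSWORDS = ["password", "123456", "playstation"]
MD5_LOOKUP = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

ITERATIONS = 100_000  # deliberately slow; tuned per deployment in practice


def unsalted_md5_recovered(password: str) -> bool:
    """True if a bare MD5 of the password is found in the precomputed table."""
    return hashlib.md5(password.encode()).hexdigest() in MD5_LOOKUP


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2$<iterations>$<salt>$<digest>.

    The salt is random per user, so two users with the same password get
    different records and no table built without the salt can match them.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest from the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2":
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def salted_digest_recovered(password: str) -> bool:
    """True only if the salted digest happens to appear in the MD5 table."""
    return hash_password(password).split("$")[3] in MD5_LOOKUP
```

The stored record never contains the password, so a leak of the user table yields only salted, slow-to-compute digests.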

gi biz
;,pgc.eu

341 51 0.1
Keeping people uninformed is so Japanese... I wish I never bought fl0w from them! Hopefully that credit card has expired already, but I need to check tonight and yeah, nor do I remember what password I used.
But hey, it is since my first website when I was 18 that I learned you should only keep a hash of users' passwords, what kind of interviews do they do to take people in?
And can't they just stop suing that guy and avoid the hole of shame they're crawling in?? With the upcoming "Wii 2" I would be very careful to keep what's left of my reputation intact.
It is common knowledge that in a war there are no winners, and at this point even if they catch those responsible no one will care. God, they're so closed-minded I could faint!

Posted:3 years ago

#19

Andrew Goodchild
Studying development

1,241 400 0.3
@Michele. Didn't they stop suing him 2 weeks ago?

Posted:3 years ago

#20

Jamie Watson
Studying Bachelor of Games & Interactive Entertainment

179 0 0.0
I wonder what Anonymous will say with all their attacks against Sony.. (they have already said they didn't do this)

This is really bad for Sony (PR, security etc) and for the users who have their credit cards tied to PSN..

hope they fix this..

Posted:3 years ago

#21

Joe Bognar
PR Account Executive / Journalist

99 2 0.0
Fun, fun fun! :/ Sony just made the biggest mistake of its existence... Of course people say that hackers even broke into the Pentagon but still...

Why not tell everyone that the credit card details are gone too? Massive brainstorming sessions about what to say and how to say it. Also, they probably couldn't go to the computer because their knees were shaking. :)

Seriously... Just imagine if half of the PSN account owners sue for any reason... Why? I'm trying to think with the hackers' head: 'I just stole a massive amount of invaluable data. Sony and probably some sort of police is after me. I think I'll just take a month off and go to Cuba.' - (1 month later) 'Hello world!' :)

If these people have any brains, they will be able to achieve what they set out to achieve. Stealing money from bank accounts? Damaging Sony's reputation? ... I think Sony just got slapped in the face real hard and they will have to look forward to a really hard next few years.

Good luck Sony!

Posted:3 years ago

#22

Simon Paton
Studying Games Designer

1 0 0.0
Sounds like an inside job to me

Posted:3 years ago

#23

Chris Tux
Consultant

17 0 0.0
@ Simon

Because of the utter silence, I was wondering the same thing. Possibly a disgruntled employee who had access beyond what any hacker could gain.

The details of this are sure to be interesting.

However, the delay between PSN coming down and this acknowledgement by SCE is inexcusable. The culpability they have in not telling the customer about the possible loss of personal (credit card) data would surely make them liable for fraudulent charges between discovery and notification.

Posted:3 years ago

#24

gi biz
;,pgc.eu

341 51 0.1
@Andrew: I didn't see any news about that for a few days now, so I assumed they were insisting. If they did stop, and the guy is as free as before, then I take back what I said. But then I don't understand the reason behind this attack, other than the classical "I wanna prove myself I can beat some giant company for the sake of it".

Edited 1 times. Last edit by gi biz on 27th April 2011 10:52pm

Posted:3 years ago

#25
