May 25, 2012 - 05:30 PM EDT — AAPL: 562.29 (-3.03, -0.54%) | NASDAQ: 2837.53 (-1.85, -0.07%)

Sony admits utter PSN failure: Your personal data has been stolen

Tuesday, April 26, 2011 · 5:26 pm · 34 Comments

“Sony has finally come clean about the “external intrusion” that has caused the company to take down the PlayStation Network service, and the news is almost as bad as it can possibly get,” Ben Kuchera reports for Ars Technica. “The hackers have all your personal information, although Sony is still unsure about whether your credit card data is safe. Everything else on file when it comes to your account is in the hands of the hackers.”

“‘It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained,’ Sony announced. While the company claims that there is ‘no evidence’ that credit card information has been compromised, it won’t rule out the possibility,” Kuchera reports. “Their advice is to be safe, rather than sorry. ‘If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.’”

Kuchera reports, “There is still no update on when service will be restored, but that is the least of your concerns if you have a PlayStation Network account. It’s time to change your passwords, at the very least, and if you’re like to be completely safe it’s not a bad idea to cancel your credit or debit cards and request replacements.”

Thank You for supporting MacDailyNews!

♥ Adobe Photoshop CS6 Extended for Mac - Student and Teacher Edition DVD (65171323) only $249!
♥ Blowout: Apple 15.4" MacBook Pro i7/4Core/2.0GHz/4GB/500GB (MC721LL/A) only $1,549.99 + Free Shipping from MacMall
♥ Mac Madness Save 25% on Parallels Desktop 7!
♥ 15% Off Compatible Ink. 10% Off All Others (excludes OEMs). Free Shipping over $55. Coupon: 123BLOSSOM, Expires 6.18.12
♥ Save up to 60% at the Hammacher Schlemmer Special Values Sale-While supplies last.
♥ Dragon Dictate for Mac 2.5 - New! Simply Smarter Speech Recognition
♥ Up to 30% OFF Accessories from Verizon Wireless
♥ Limited Time Offer: Get free ZAGGsmartbuds when you buy a ZAGGsparq!

Comment Feed

34 Comments

Arnold Ziffel

Tuesday, April 26, 2011 - 5:41 pm · Reply

Go ChrissyOne!
- ChrissyOne
  
  Tuesday, April 26, 2011 - 5:57 pm · Reply
  
  I’m goin’ I’m goin’!!!
  - Tim
    
    Tuesday, April 26, 2011 - 9:43 pm · Reply
    
    I came for the SteveJack but I stay for the ChrissyOne.
    
    (Yeah that was pretty feeble. I really just mean that I tend to skim the articles, find and read Chrissy’s comments and move on.)
Predrag

Tuesday, April 26, 2011 - 5:41 pm · Reply

Sony is a very large company. As such, one would presume, they have internal, as well as external auditors who carefully scrutinise all security policies throughout the corporation. It is also safe to assume that the team responsible for the PS Network also had a professional, reasonably competent IT security contingent. In other words, this is not some one-man-show operation.

The point I’m trying to make is that it really does NOT matter at all how small or big a company is. Security of company’s (or customers’) data will in the end always depend on that one person who wrote some code or implemented some policy on some system. There may be multiple layers of management between that last person in the trenches and the head responsible for corporate security strategy, whose head would normally roll after a breach of such proportions. However, the hole is almost never caused by some large, systemic failure caused by poorly devised security policy strategy. It will most often be a simple omission of a proper patch, which leaver a possible vulnerability open for an exploit. Couple that with the sheer luck some hacker had in finding that vulnerability and the damage is done.

I don’t know the exact details of this event but it is quite likely that this kind of breach could happen to anyone, including Apple.

All we could say here is, couldn’t have happened to a nicer company……
- shinolashow
  
  Tuesday, April 26, 2011 - 6:53 pm · Reply
  
  So far it’s coming out they stored all user info in plain txt. sound like a competent company?
  
  It took them 6 days to release the fact user info was compromised. And this is over a week after they first got ass pwn3d by an actual anon op. Sorry man- this is going to be a textbook case of how to get a large customer base pwn3d and then fumble it all the way possible so your customers get max Eff’d. Also- it is not sheer luck. It’s sheer persistence and superior knowledge/skills on the hackers part that put Sony in the place they are today.
- Really?
  
  Tuesday, April 26, 2011 - 7:00 pm · Reply
  
  Doubt it. Probably would be safe to assume that Sony has professionals handling company data, very doubtful that the same security protocols would be in place on the network. Safer to assume that this standalone, commercial product utilizes as cheap a setup as possible, if not outsourced to a third party, outside contractor to minimize corporate liability. Notice how no indication was given as to accounts with Sony proper? Only this specific network was hacked. You get what you pay for.
  - shinolashow
    
    Tuesday, April 26, 2011 - 7:23 pm · Reply
    
    It would be safe to assume sony has professionals that handle the data.. that got stolen by hackers. yea- safe bet. lolz
    
    All your assumptions are inccorrect. NEXT!
G4Dualie

Tuesday, April 26, 2011 - 5:45 pm · Reply

What a shame. Nothing is sacred or safe anymore.

Why do I get the feeling the (hackers) perpetrators are living in Uzbekistan or Kazakhstan?
- MrMcLargeHuge
  
  Tuesday, April 26, 2011 - 5:53 pm · Reply
  
  Well, at first it was Anonymous, the sometimes gallant, sometimes terrorist-like group of hackers, initiating a Denial of Service attack as payback for Sony’s lawsuit against the PS3 hacker from California. It’s definitely possible Anonymous did this, but it would defeat the purpose of the mission, which was to harm Sony and defend consumers. Such is the nature of a hive-mind though.
  - G4Dualie
    
    Tuesday, April 26, 2011 - 5:57 pm · Reply
    
    Don’t you mean George Hotz, from Jersey?
    - MrMcLargeHuge
      
      Tuesday, April 26, 2011 - 6:01 pm · Reply
      
      I thought he was from California, but did the hacking in New Jersey, or do I have that backwards?
      - MrMcLargeHuge
        
        Tuesday, April 26, 2011 - 6:07 pm · Reply
        
        Just figured it out. Sony was suing him in California, and there was a big brouhaha about whether there was jurisdiction to do that.
  - Twolf3
    
    Tuesday, April 26, 2011 - 6:18 pm · Reply
    
    I wouldn’t put it past Sony to have faked this. Sure it delves into conspiracy theory territory, but if they needed to take it down to fix the holes, and they pull this… It causes everyone to look sideways at Anon, and “hackers” in general, who they were having problems with, and let’s them do the work they were going to do anyway but get to deflect the pissing about the network being down with a “this is for your safety” line.
    - shinolashow
      
      Tuesday, April 26, 2011 - 6:48 pm · Reply
      
      You may have had a point- but this is too terribly mismanaged by Sony to have any ulterior motives. i.e. they look moronic at this point and usually you’d want to pull a stunt off so it paints you in a good victimish light.. not a bumbling amateur light.
Petey

Tuesday, April 26, 2011 - 5:51 pm · Reply

Oh dear.

At least they are putting their (now ex) customers first.

I wonder, professional hackers employed by a conpetitor me thinks…
- G4Dualie
  
  Tuesday, April 26, 2011 - 6:08 pm · Reply
  
  It only took Sony six-days to finally get around to publicly announcing the security breech. Who knows though, it could be the hackers injected some code into Sony’s servers to keep Sony locked out.
  
  Sony had access to all 75-million customers’ email and should have notified them immediately regardless of the level of suspected damage. Especially where credit cards are concerned.
  
  I doubt this is one of Sony’s competitors and it certainly wasn’t some altruistic concern for PSN’s membership.
  
  I believe the motive was money and millions of fresh CC numbers to sell on the black market.
G4Dualie

Tuesday, April 26, 2011 - 5:54 pm · Reply

Here would be my first suspect…
- G4Dualie
  
  Tuesday, April 26, 2011 - 5:55 pm · Reply
  
  oops…
  
  http://en.wikipedia.org/wiki/George_Hotz
  - FTB
    
    Tuesday, April 26, 2011 - 7:49 pm · Reply
    
    I would have to agree.
    
    I only noticed PSN was down late friday, figured it was a new patch coming.. tried sat night same issue. got me wondering what was going on. Only monday did I actually do any research into the problem.
    All this cause of some asshat got mad about Sony removing Linux install capability from a game console..
    
    And i agree with what you said above, they REALLY should have sent out emails and such to warn customers.
    Anyone that has an ID theft problem now, and has/had a PSN account, should be able to sue Sony. It *could* have been prevented IF Sony told us in time. Major failure on Sony’s part.
    
    In a Dilemma here now.. as far as PS3/Xbox goes.. (I have both) I prefer PS3.
    Now with this.. Do i go back to Microsoft, or stick with Sony… no matter which i choose, i feel like i’m getting bent over.
    
    Hell… or do i say screw it and go Nintendo? lol
  - FTB
    
    Tuesday, April 26, 2011 - 8:18 pm · Reply
    
    “In 2008 he worked at Google as an intern, on the Google Street View project.”
    
    So thats how they were able to get all that data.
adefowler

Tuesday, April 26, 2011 - 5:59 pm · Reply

Please don’t be next Apple… review your security now.
Dan Brantley

Tuesday, April 26, 2011 - 6:07 pm · Reply

If Playstation Network is down – How does Sony expect us to log in and change anything?
- John
  
  Tuesday, April 26, 2011 - 6:12 pm · Reply
  
  Change your accounts everywhere else. Any place you may have used the same security questions, the same passwords, etc.
- G4Dualie
  
  Tuesday, April 26, 2011 - 6:22 pm · Reply
  
  You can’t until Patrick Seybold gives you the green light.
  
  The problem Sony has created for themselves and will draw the ire of millions of customers is, Sony told everyone on the 20th that they were experiencing trouble with the servers and would try and get back online as soon as possible.
  
  The following day, they said they were now investigating the cause of the failure. The day after that they concluded there was some “external intrusion”.
  
  Meanwhile, as late as the 25th Seybold was telling its membership that Sony was in the process of rebuilding the network to fortify its security and that it would be an intensive process.
  
  Only today did they make the membership aware that everyone’s privacy was compromised.
  
  Unsatisfactory! I can see it now, everyone of the executives was covering their own asses, trying to determine the extent of damage and who knew what when.
gksmith

Tuesday, April 26, 2011 - 6:10 pm · Reply

Inside job?
Ubermac

Tuesday, April 26, 2011 - 6:13 pm · Reply

Well good thing they didn’t maintain all their data on Windblows PeeCees…. or did they?

They probably did. However any security is only as good as any employee that can be hoaxes into giving up access info, such as Anonymous has recently done.
Shinolashow

Tuesday, April 26, 2011 - 6:24 pm · Reply

There’s a popular reddit article going around possibly explaining the intrusion:
http://tinyurl.com/PSNpwnag3Rumour

I’ve been on anonIRC… Funny stuff. Surely it’s not one of their ops any longer.. But I’m sure so many weaknesses were expand in their first attack that someone capitalized on it. Apparently, all the user info and CC#s were in plain txt. Who the fuck does that nowadays?
Granchingon

Tuesday, April 26, 2011 - 6:58 pm · Reply

I’m glad I didn’t buy a PS3!
pjs_boston

Tuesday, April 26, 2011 - 8:08 pm · Reply

Wow!

Don’t piss off Geohot!

He’s got scary friends!
Nightstar

Tuesday, April 26, 2011 - 10:06 pm · Reply

If was stored in plan text then Sony’s got some major problems. Can see the lawsuits on this if so…
Manbearpig

Tuesday, April 26, 2011 - 10:10 pm · Reply

wonder if the PSN will ever be online again.
Just wonderin

Tuesday, April 26, 2011 - 11:34 pm · Reply

perhaps Sony will be able to recover financially by installing secret DRM software on their music cd’s……

They should stick to clock radios
Backlash

Wednesday, April 27, 2011 - 4:17 pm · Reply

First lawsuit filed against Sony today.
I wonder how long till it’s a class action. I’d join when it does.
opsono

Friday, April 29, 2011 - 12:19 pm · Reply

Stupid question, perhaps, but I can’t find the answer anywhere- what OS was running on Sony’s servers for this attack? IMWTK.