PlayStation Network Security Update

On Tuesday, April 26 we shared that some information was compromised in connection with an illegal and unauthorized intrusion into our network. Once again, we’d like to apologize to the many users who were inconvenienced and worried about this situation.

We want to state this again given the increase in speculation about credit card information being used fraudulently. One report indicated that a group tried to sell millions of credit card numbers back to Sony. To my knowledge there is no truth to this report of a list, or that Sony was offered an opportunity to purchase the list.

One other point to clarify is from this weekend’s press conference. While the passwords that were stored were not “encrypted,” they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form. For a description of the difference between encryption and hashing, follow this link.

To reiterate a few other security measures for your information: Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well. To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports.

We continue to work with law enforcement and forensic experts to identify the criminals behind the attack. Once again, we apologize for causing users concern over this matter.

Our objective is to increase security so our customers can safely and confidently play games and use our network and media services. We will continue to provide updates as we have them.

  • Hey… I have caught up on my Blu-ray movie collection. Thanks Sony for holding my Killzone 3 DLC coupon so it didn’t expire. You guys are great. Can’t wait to play the maps.

  • I just bought a book called The Lure by Steve Schroeder. Maybe the people at Sony who work on the network should read this book. It’s about how the FBI caught Russian hackers and how to stop this kind of mess Sony is going through now.

  • SOOPERGOOMAN187 I would like this information!

  • @Mr. Seybold Wait, I’m confused about your response to #17’s post. When I called Sony’s 800 # Sunday @ 2 pm Eastern, the rep had said, as far as accessing one’s PSN account(s) once PSN is restored, you could do it from a PS3 so long as your profile was already used on said specific PS3 prior to the outage.

    I bring this up because I have 2 PSN accounts & I no longer have the PS3s the accounts were created on (1st 1 was stolen. #2 & 3 were sent in to you last year for repairs). This account is for buying vids, while my other account is for gaming. My concern is that, while 1 account has an up-to-date email address that I regularly check, the other PSN account has an old, out-of-date, & inactive email address associated w/ it that I haven’t touched in years. Honestly, I’m rather nervous over this to say the least, seeing as I bought a lot of content via that PSN account. Could you please respond?

  • some new info would be nice

  • exterminator_123

    HOW CAN I CHANGE MY PASSWORD IF I CANT LOGIN LOL

  • How much did Sony save by using a cryptographic hash function instead of encryption?

    And the links are above my head, is that the point? What the heck does making hash mean? Once the hackers broke in they got the data…stop pretending that you adequately secured it.

    Since..um….der….you didn’t…that’s why you have egg on your face.

    The new apology is good…the continued BS about how you were helpless is insulting.

    You didn’t protect our information….that’s morally wrong in today’s world.

  • As long as PSN is safe, I don’t mind how long it takes for it to come back up.

  • As someone actually paid to program for a living: hashing is how passwords are stored; encrypting passwords would be unneeded overhead. Sony didn’t do anything wrong beyond peeving a determined individual or group.

    Unless you don’t use the internet for effectively anything, your data has likely already been stolen before. Most companies don’t have the infrastructure or resources of Sony and are far easier to crack. If you knew how many attempts at internet theft happened you would be stunned, be it a local store that has an email listing or something as large as the case with Sony.

    Hashing a password is adequate protection, unless you use a common password, in which case hackers have hash table mappings for “reverse decrypting” common hashes. In which case you weren’t really using strong passwords to begin with.

    (cont.)

  • There is a limit to what you can realistically do with a name and address, as this is information that for most of us is available in a phone book, Facebook, LinkedIn profile, or multiple other places. If you use the same login and the same password for every site, you’ve been warned for over a decade to stop doing this.

    Hopefully this incident will bring more global pressure on stopping illegal intrusions like this, as unfortunately this is how the world tends to work. Until something major happens, people aren’t willing to invest the time and resources to truly fix the root of the problem, which largely comes down to the inability to govern the internet and hacking attempts because of the multinational nature of the internet.

  • Thanks for all of the updates but give us a date :]

  • “Sony Online loses 12,700 credit card account numbers, 24.6 million accounts compromised [update]”
    –Joystiq

    Following up on this morning’s news that Sony Online Entertainment servers were offline across the board, SOE announced that it has lost 12,700 customer credit card numbers as the result of an attack, and roughly 24.6 million accounts may have been breached.

    The company took SOE servers offline after learning of the attack last evening, and today detailed the unfortunate results: “approximately 12,700 non-US credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, the Netherlands, and Spain” were lost, apparently from “an outdated database from 2007.” Of the 12,700 total, 4,300 are alleged to be from Japan, while the remainder come from the aforementioned four European countries.

  • Something is wrong here… When I try to post, my posts often don’t get posted?

  • I use my PSN name for lots of things online… so I’m not going to change it. Passwords on the other hand have already been changed.

  • @hush404
    Yea.
    Same here.

    I use my PSN user name for a lot of things online (and I do have other user names for other things) so I don’t think I’m going to change it on my PS3..especially with all the trophies and game saves.

    I did also change my password on all the things I use (especially ones that deal with money) to a much longer password…muahahah… I even took the extra step last week to get a new debit card mailed to me with new numbers. So the hackers can take my old debit card numbers as it’ll do nothing. And my bank is keeping an eye out on my account too.

  • @THEREDSOXLOVER
    Well you know Sony… They’ll keep saying that they’re “working around the clock” and promising that PSN “should” be back up “sometime” down the line.

    They did say it’ll be back up tomorrow, May 3, so we’ll just have to see if that turns out true. I’ve read that in some countries it came out yesterday or today.

  • To further what i_like_toast said.

    Sony wasn’t the only site attacked Apr. 17 – 21. It was one of the biggest. Also attacked were Amazon’s WC3 cloud infrastructure and a large State of Texas online site database of 30 million users (I think that number was inflated for political reasons). The two mentioned have already been made public.

    Supermoog.

    Dude, you’d best lay low man. These people have enough info from the PSN attack to finger you for their purposes, if they choose to do so. You are putting yourself in undue danger with your posts here, if there is anything but fantasy behind those posts.

    If these are not flights of fantasy, the best thing for you to have done would have been to silently turn your evidence over to your local FBI branch with an offer of further co-operation if they should choose to utilize it. Chances are they will take it and you never hear from them again. That would be so as to not compromise your safety.

  • You are dealing with a dangerous criminal element. I fear I may have put myself at jeopardy just pointing out these public and obvious facts.

    To the hackers and their puppet masters

    I am just a crazy paranoid delusional old man with obvious tendencies towards flights of fantasy. Which is why I sleep with a 12 ga. double action pump with round chambered and cocked, next to my bed. <};∞

  • …I just hope that the PSN gets back up tonight or tomorrow, and that the FBI and whatever other govt organizations around the world are involved, find the bastard/bastards who did all this.

    They need to be jailed, fined, etc.

  • Sorry soopergoo. I got your handle wrong up there. Supermoog should be soopermoog. But really man, please consider your personal safety, even if you’re just spouting off on some kind of ego trip. You’re dealing with a dangerous criminal element. You shouldn’t be exposing yourself by making the posts you have.

  • Dang it! got it wrong again! Sorry soopergoo.

  • hmm, perhaps things are already getting better? I was unable to sign back into the blog the whole time, yet now, I am logged in…

  • Sony’s Been Hacked Again; Everquest and Other Games Are Offline

    Gaming and electronics giant Sony disclosed yet another attack by hackers that has resulted in the shutdown of yet another of its online gaming services.

    Sony said in this case, the personal data on some 26.4 million people who play Sony’s multiplayer games, including Everquest and Star Wars Galaxies, was accessed. The information stolen included names, addresses, account names and passwords. Additionally, some 12,700 non-U.S. credit and debit card numbers with their expiration dates plus an additional 10,000 direct debit records belonging to customers in Austria and Germany were taken. Sony described these as having come from an “outdated” database.

    Sony is already facing a steadily gathering legal and regulatory pile-on in the wake of a data breach in which the personal data of some 77 million customers of its PlayStation Gaming Network was compromised, including the credit card numbers of as many as 10 million people. Sony today declined to testify at a congressional hearing on the matter set for Wednesday.

    EEERG. Sony, secure your databases or you will be out of business.

  • @ KazeEternal (#23) You are correct that password hashing is one-way and cannot be reversed, but dictionary-based password cracking tools have been around for 20 years. They basically run the hashing algorithm on a database of millions of common cleartext passwords (usually based on words in the dictionary and common iterations) and then try to match the resulting hashed value against the list of PSN hashed passwords. Match the hash strings and you’ve essentially ‘cracked’ the hashed PSN password.

    With a decent password dictionary database and a big enough sample of hashed PSN passwords, these automated password crackers could easily find a match on a large portion of those 77 million passwords in a matter of hours.
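The post says the PSN passwords were hashed rather than encrypted, the commenter at (#23) argues that a hash is therefore adequate, and the comment directly above explains why a dictionary attack still works against a leaked hash table. The block below is an added example to illustrate both points; it is not code from the original post, from Sony, or from any commenter, and the post does not say which hash PSN actually used, so nothing here describes PSN's real scheme. The account names, passwords and wordlist are constructed. It contrasts an unsalted fast hash (one precomputed table cracks every user at once, and two users with the same password store the same value) with a per-user salted, iterated KDF (PBKDF2-HMAC-SHA256 from Python's standard library), where the same dictionary attack costs one full KDF run per user per guess and a password that is in the wordlist still falls, only more slowly.

```python
import hashlib
import hmac
import os

# Constructed sample data (not PSN data): four accounts, three of them using
# passwords that appear in a small wordlist, one using a long random one.
SAMPLE_USERS = {
    "gamer_a": "playstation",
    "gamer_b": "123456",
    "gamer_c": "playstation",        # same password as gamer_a
    "gamer_d": "Tq9#vL2m!xR8wZ4p",   # not in the wordlist
}
WORDLIST = ["123456", "password", "qwerty", "letmein",
            "dragon", "playstation", "killzone"]


# --- Unsalted, fast hash: one-way, but trivially matched against a wordlist ---
def unsalted_sha1(password: str) -> str:
    """The stored value cannot be turned back into the password (one-way)."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_unsalted(users: dict) -> dict:
    """What a leaked table of unsalted hashes looks like."""
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def crack_unsalted(stored: dict, wordlist):
    """Dictionary attack: hash every wordlist entry ONCE, then match by lookup.
    Returns (cracked {user: password}, number of hash evaluations)."""
    table = {unsalted_sha1(w): w for w in wordlist}     # len(wordlist) hashes
    cracked = {u: table[h] for u, h in stored.items() if h in table}
    return cracked, len(wordlist)


# --- Per-user salt + deliberately slow KDF (PBKDF2-HMAC-SHA256) ---------------
def store_pbkdf2(users: dict, iterations: int = 100_000) -> dict:
    """Each record carries its own random salt and iteration count."""
    records = {}
    for user, pw in users.items():
        salt = os.urandom(16)        # unique per user, stored next to the hash
        dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        records[user] = {"salt": salt, "iterations": iterations, "hash": dk}
    return records


def verify_pbkdf2(record: dict, candidate: str) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])


def crack_pbkdf2(records: dict, wordlist):
    """Same dictionary attack against salted records: no shared table is
    possible, so every (user, guess) pair costs one full KDF run.
    Returns (cracked {user: password}, number of KDF evaluations)."""
    cracked, evaluations = {}, 0
    for user, rec in records.items():
        for guess in wordlist:
            evaluations += 1
            if verify_pbkdf2(rec, guess):
                cracked[user] = guess
                break
    return cracked, evaluations


if __name__ == "__main__":
    leaked = store_unsalted(SAMPLE_USERS)
    found, cost = crack_unsalted(leaked, WORDLIST)
    print(f"unsalted SHA-1: cracked {found} with {cost} hash evaluations "
          f"(gamer_a == gamer_c: {leaked['gamer_a'] == leaked['gamer_c']})")

    records = store_pbkdf2(SAMPLE_USERS, iterations=20_000)
    found, cost = crack_pbkdf2(records, WORDLIST)
    print(f"salted PBKDF2: cracked {found} with {cost} KDF runs of "
          f"{records['gamer_a']['iterations']} iterations each")
```

Running the block prints both attacks' results and costs. Note what the salted KDF does and does not buy: it removes the shared lookup table, makes identical passwords indistinguishable in storage, and multiplies the per-guess cost by the iteration count, but it does not rescue a password the attacker's wordlist already contains. That is why the post's advice to change any password reused elsewhere stands regardless of how the hashes were stored.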

  • To those trumpeting the superior security of XBL: the main difference between Sony and Microsoft is that the latter *never* admits or makes public its intrusions. Believe me, they have been attacked. Even when the big ones happen, the complicit media downplays the fact that it was a failure of Microsoft. Microsoft makes the most insecure network OSes on the planet. Xbox and XBL are built on top of those OSes.

    This comes from one who deals with or has dealt with practically every OS since the late 70’s.

  • I just read another article where Sony Online has been breached. On Reuters.
    I do not think I can trust Sony any more with my data. They have been breached twice, on 2 separate occasions. It appears that these hackers are exceedingly talented in their efforts to bring embarrassment to Sony.

    Frankly, if these hackers are not afraid of going in even while the FBI are doing their investigations, they have one hell of a system set up. I may not like ’em, but I do respect them. Now what if one attack brings forth corporate personnel with all their data? I think the entire company of Sony is under attack. And I will even dare mention that these attackers are capable of attacking HQ in the US and/or Japan.
    Unless stopped, I think it will be only a matter of time before their main HQ and database are hacked. If that happens it truly will be a nightmare. If I were Sony, I would be watching all ends very closely.
    I wouldn’t put it past these people to make an even bigger statement.
    And because of this: I purchased a camera over a year ago, so I am sure that the data is in an older server, which means it could have been hacked or is about to be hacked.

  • So any official date Sony?

  • The truth is any data server can be attacked. There are “back doors” to everything, and where there is a will there is a way. In truth, if it is attached to the internet, it can be hacked, whether it be OS X, MS, or even Linux.
    And I bet half the people here don’t even have their routers secured, or even know what it means to secure it.
    And those of you tapping into those so-called free sites, or an open router… oh joy, you have no clue what you are letting slip through the cracks.
    So secure your routers, be it line based or wireless based, and for heaven’s sake update your router’s software or get a new one. Routers can and do eventually become… outdated.

  • http://www.soe.com/securityupdate/pressrelease.vm

    Tokyo, May 3, 2011 – Sony Corporation and Sony Computer Entertainment announced today that their ongoing investigation of illegal intrusions into Sony Online Entertainment LLC (SOE, the company) systems revealed yesterday morning (May 2, Tokyo time) that hackers may have stolen SOE customer information on April 16th and 17th, 2011 (PDT). SOE is based in San Diego, California, U.S.A.

  • @datastorm #119 (well, currently at least. I’ve seen my post numbers change in past posts)

    Yeah, you’re right. Any OS can be cracked. Which is why I think the litigation against Sony will (should) ultimately fail. I don’t see where they were criminally negligent. However, civil court is another matter.

    But some OSes are much harder than others. Your garden variety cracker is going to crack SE (Security Enhanced) Linux or AIX with the Enhanced Security suite installed and enabled.

    And even professional crackers are going to have to earn their keep to crack those. And if they do succeed, it is going to be because of an oversight on the part of the administrator(s).

    One of the best tools against network intrusions, TCP/IP tar pitting, was made illegal some years back. So much for active intrusion countermeasures. Thanks Congress! The black hats salute you!

  • So I’m reading on other sites the cc/debit card data from SOE accounts has been stolen. Customer’s information that was kept on an outdated database. If the database is outdated why is the information still being kept?

    Now that Sony has announced they will endeavor to better serve their customers after this massive screw up will we see Sony offer to fix consoles that broke due to the YLOD issue for free, like Microsoft did?

  • @datastorm98632

    it’s the same breach, not another new one. Do some reading and relax. SOE simply didn’t think this had affected them, and then found out a couple days later, that it did.

  • #121
    Errata:
    “Your garden variety cracker is going to crack SE (Security Enhanced) Linux or AIX with the Enhanced Security suite installed and enabled.”

    Should read

    “Your garden variety cracker is *not* going to crack SE (Security Enhanced) Linux or AIX with the Enhanced Security suite installed and enabled.”

  • I didn’t know about the tar pitting of TCP/IP… still learning a few things. Linux sure opens one’s eyes up to what goes on in the world of computers. New to Linux and still learning. Ever since I got into Linux I learned more about what so-called security software doesn’t do rather than what it is supposed to do. Pay the big bucks and still vulnerable. There are simple things that people can do to eliminate or reduce breaches… CLOSE EVIL PORTS is one of them… the fewer the ports the better. A Sony rep told me to open up some ports when I was having data issues… I hung up on them… Heck no, I am not opening up ports on my router.

    At any rate, most of how to prevent breaches comes with common sense.
    The only downfall for Linux thus far, but they have been improving, is HD video editing… They’re working on it.

    But as for it being free… hey… one can’t beat the price… and I think that is one reason why people want the Other OS on the PS3. It was free; many could do homework and such. And this security thing with the Other OS, well, that has been shot down. Sony was losing too much money on it… well, that is their excuse… they’re losing money, period.

  • Does this mean PSN will not be up tomorrow then??

  • I think people are afraid that if too many waves are made they are going to lose their online gaming. That is sad, when you fear the loss of something like a game more than the loss of one’s money or one’s own security and peace of mind, and that is why I believe a few here are up in arms. Face it, there are those here that fear that if people stand up for their rights and Sony is guilty, they will either lose a service or have to pay for it. As for me, I do not depend on a game to make me happy. I have a dog, a cat, a beautiful fiancée and a beautiful son; what more can a person ask for :) When it comes down to it, this is a fad and it too will pass. The PS3s will eventually die, the PS4 will come and go, nothing is for ever. But when you have family, you have something wonderful.

  • I feel like rage quitting
    kgnahnahnakohnahjobonaoiubhnaobnaynbnaybnbajajjjjjjjhgajbbj,gghjggdtdfqgqsgapahihadjhvjhafkahfakagfjgjbajk,bga,bggalgllllllllllllllllllllalalgaghla

  • @Dante989
    Hard to say… right now it would be foolish for anyone to make a guess as to when it will be up.
    But one thing is for sure: if Sony keeps getting attacked like this, there isn’t going to be much that the company can do. And if their online store that sells cameras and such gets hacked, well… I am not sure what to say on that one.

  • The outage obviously does not bode well for Sony, which has recorded high sales for PlayStation, but now sees that position threatened as competition from Microsoft’s (Nasdaq: MSFT ) Xbox 360 and soon-to-be-launched successor of the Nintendo (OTC BB: NTDOY.PK) Wii threaten sales. With mobile game sales in a fever thanks to mobile apps on Apple’s (Nasdaq: AAPL ) iPhone and other platforms, Sony’s position looks even more threatened. As an investor, what does the road ahead look like?

    This is what real people are talking about. It’s not about the “doom and gloom”, but it is reality.
    These are the questions that people are asking. Is Sony going to “survive” this?
    You see, what you kids do not understand is this one simple fact: we the consumers don’t make the decisions. People in sales and in corporations decide it for us. We the consumers then have a choice on whether or not to purchase a product. But when investors get scared they do what they all do best: they drop it like a bad potato. How does this affect us? The product gets canned or gets less support, and game companies are starting to get skittish. So who and what are investors?

  • An individual who commits money to investment products with the expectation of financial return. Generally, the primary concern of an investor is to minimize risk while maximizing return, as opposed to a speculator, who is willing to accept a higher level of risk in the hopes of collecting higher-than-average profits.

  • Sony you bums

  • + Lopez9577 on May 2nd, 2011 at 9:28 pm said:
    “Sony you bums.”

    Sir, you are a troll. I have been following your posts since last Friday. You have nothing to contribute and obviously have no idea of the magnitude of the situation and what it can mean for all online gamers and businesses.

    If you would like to discuss this matter further, please contact me once the Network is finally up and running. The name I am posting with here is the name I always use when on the PSN or throughout the internet. Please do contact me so that we can have a one on one via the XMB or within PlayStation Home.

    And no, I will not discuss this here with you though you will very likely feel very comfortable in doing so. But I will talk with you privately once everything is up and running. And if you wish, you can bring a friend. Please send me a friend request once the Network is up. I will very happily accept your request.

  • Hope my PS3 don’t become an expensive movie player…

  • Okay so ITS TUESDAY AND NOW PSN WILL BE BACK UP!! :D RIGHT?? RIGHT??? yeah?? okay cool!! :D my bluetooth is charged and ready to go!! Spy planes, attack dogs and claymores coming soon!

  • “And I bet half the people here don’t even have their routers secured”

    I hope everyone sets up their home router and makes it very secure. If you don’t you’ll be hit. I have mine set up and do updates. When I check the log I see DOS attacks on it a lot. That seems to be computers all over the world pinging my IP address. I have my router email me once a day even. Anyone who sets up a wireless router now better check it out and make sure everything is secure.

  • where is it!!!!!!!!!!! >_<

  • Aaahahaah they lost more details! AHAahahahah

    REUTERS: Sony disclosed on Monday hackers had stolen the names, addresses and passwords of nearly 25 million more users than previously known less than a day after the Japanese company apologized for one of the worst break-ins in Internet history.

    Sony’s latest revelation comes after Sony No. 2 Kazuo Hirai announced measures had been put in place to avert another Playstation-type cyberattack, hoping to repair its tarnished image and reassure customers who might be pondering a shift to Microsoft’s Xbox.

    The Japanese electronics company said it discovered the break-in of its Sony Online Entertainment PC games network also led to the theft of 10,700 direct debit records from customers in Austria, Germany, the Netherlands and Spain and 12,700 non-U.S. credit or debit card numbers.
