So after our report on Monday – Sony Rebuilding PlayStation Network (PSN) – Down 4 Days So Far – news had been spilling out about this whole thing pretty much non-stop. It appears the network is still down and there was some serious data loss including user data for millions of users being stolen.
All kinds of personal data was leaked including birth dates, names, e-mail address and it was originally though the hackers had also got hold of user credit card details.
A funny tweet I saw on the matter was “Hello my name is SONY. I like long walks on the beach, DRM, rootkits and losing your cc info.” from @rodolfor.
Sony is warning its millions of PlayStation Network users to watch out for identity-theft scams after hackers breached its security and plundered the user names, passwords, addresses, birth dates, and other information used to register accounts.
The stolen information may also include payment-card data, purchase history, billing addresses, and security answers used to change passwords, Sony said on Tuesday. The company plans to keep the hacked system offline for the time being, and to restore services gradually. The advisory also applies to users of Sony’s related Qriocity network.
Sony’s stunning admission came six days after the PlayStation Network was taken down following what the company described as an “external intrusion”.
Sony had already come under fire for a copyright lawsuit targeting customers who published instructions for unlocking the game console so it could run games and applications not officially sanctioned by the company. The criticism only grew after Sony lawyers sought detailed records belonging to hacker George Hotz, including the IP addresses of everyone who visited his jailbreaking website over a span of 26 months
What worries me is how much of their data was stored in plain text, I guess they assumed their system and network was so secure it would not be breached. But still, the important stuff should have been behind some kind of encryption layer and things like passwords should be hashed.
There was an official update from them too on the PlayStation blog here:
They did warn users to remain vigilant and provided ways on how to be prepared for credit card. There were some rumours going around that PSN users were seeing $10 debits from the credit cards they had linked to their PlayStation accounts.
Hackers howled with displeasure saying they should have a right to modify the hardware they legally own. Sony recently settled that case, but Hotz, whose hacker moniker is GeoHot, has remained highly critical of the company. Many have also objected to the removal of the so-called OtherOS, which allowed PlayStation 3 consoles to run Linux.
Sony’s advisory on Tuesday means that the company was likely storing passwords, credit card numbers, expiration dates, and other sensitive information unhashed and unencrypted on its servers. Sony didn’t say if its website complied with data-security standards established by the Payment Card Industry.
Sony reminded users located in the US that they’re entitled to receive one credit report per year from each of the three major credit bureaus. The company didn’t offer to pay for any sort of credit monitoring service to help ensure the information it lost isn’t used in identity-theft ruses against its users.
“When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password,” advises a letter that Sony is sending to its users.
The latest news is however that the credit card details are actually encrypted, so they should be safe. The details came from an updated in Q&A format from the PlayStation blog:
Their statement is as follows:
The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.
So the user data is out there but the credit card data should be safe, even if the table was stolen it’s encrypted – let’s hope the hacker didn’t swipe the keys too.
The case has also triggered a lawsuit with a user of the network suing Sony over the data loss, more from Information Week here:
Source: The Register
- Fitbit Vulnerability Means Your Tracker Could Spread Malware
- OWASP WebGoat – Deliberately Insecure Web Application
- WinRAR Vulnerability Is Complete Bullshit
- Sony Brings Back PSN & Gives Away Freebies After Hack
- Sony Loses 25 Million More Customer Account Details Through SOE (Sony Online Entertainment)
- Sony Rebuilding PlayStation Network (PSN) – Down 4 Days So Far
Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 232,343 views
- AJAX: Is your application secure enough? - 119,744 views
- eEye Launches 0-Day Exploit Tracker - 85,317 views