Sony Loses 25 Million More Customer Account Details Through SOE (Sony Online Entertainment)


I actually misread this news at first and thought it was an additional leak from the Sony PlayStation Network (PSN) Hack that has been flooding the news, but sadly for Sony this is an entirely different hack carried out at the same time.

It turns out around the same time PSN got hacked SOE (Sony Entertainment Online) also got hacked and critically an ‘old’ payment details table was stolen that contained credit card details.

It looks like Sony has been hacked REAL hard this time, perhaps some splinter cell of Anonymous really is laying the smackdown on them.

Sony warned that personally identifiable information for an additional 25 million customers was exposed after discovering a massive security breach extended to its online computer games service.

The intrusion on Sony Online Entertainment systems exposed data for 24.6 million users, including their name, address, email address, birthdate, phone number, and login name. Those behind the attack likely also made off with passwords that were hashed, although Sony didn’t address critical details, including what hashing algorithm was used and whether random values known as salt were used to prevent crooks from converting hashes into cleartext.

Sony also warned that that the SOE attackers may also have stolen an “outdated database” that stored data for some 12,700 payment cards belonging to customers located in Europe. The majority of SOE card information was stored in a “main credit card database” that was “in a completely separate and secured environment” that Sony analysts don’t believe was accessed.

The warning came a day after Sony closed the SOE’s Station.com website, because investigators “discovered an issue that warrants enough concern for us to take the service down effective immediately.”

As mentioned in the previous post comments, Sony also warned that the PSN hack could have exposed 10 million credit card details.

The latest news is that SOE was hacked resulting in 25 million customer accounts being exposed and the possibility of 12,000 sets of payment details being exposed is there too.

If you add up the numbers – in one week Sony has managed to expose over 100 million user accounts, that’s quite a feat.


Combined with a previously reported hack on the company’s PlayStation Network, in which sensitive data for 78 million users is believed to have been stolen, the new disclosure means Sony has exposed personally identifiable information for 102.6 million user accounts. Sony has said that the passwords in the previously disclosed attack were also hashed, but so far hasn’t supplied the same crucial details.

For the first time, Sony hinted that it would compensate users for the cost of enrolling in programs designed to prevent identity theft. “The implementation will be at a local level and further details will be made available shortly in each region,” Tuesday’s press release from Sony said.

The company also said SOE users will get 30 free days of additional time on their subscriptions and compensation of one day for each day the system is down. Sony hasn’t said when it expects to restore SOE service. It has said that PSN and Qriocity services will be progressively restarted over the coming week.

The intrusion on SOE happened on April 16 and 17, around the same time as the attack on the PSN, from April 17 to April 19. Sony closed the PSN on April 20, but didn’t disclose the extent of the breach until six days later. Security experts have already said that the amount of information believed to have been stolen in the PSN hack, and the number of users affected, means the attackers had sustained access to the core parts of Sony’s network.

It seems like they are considering ways of compensating their users for the downtime, the same can’t be said for PSN as it’s a free service. I wonder if any more news is going to come out about this, if the main Sony database was breached that would be tragic.

I can see them getting in some hot legal waters over all this data-loss. There are rumours that the main credit card database was compromised, but so far Sony has denied this and stated there is no evidence pointing to that.

Either way it’s an interesting case and I’m just waiting to see where else it’s going to go.

Source: The Register

Posted in: Legal Issues, Privacy

, ,


Latest Posts:


Axiom - Pen-Testing Server For Collecting Bug Bounties Axiom – Pen-Testing Server For Collecting Bug Bounties
Project Axiom is a set of utilities for managing a small dynamic infrastructure setup for bug bounty, basically a pen-testing server out of the box with 1-line.
Quasar RAT - Windows Remote Administration Tool Quasar RAT – Windows Remote Administration Tool
Quasar is a fast and light-weight Windows remote administration tool coded in C#. Used for user support through day-to-day administrative work to monitoring.
Pingcastle - Active Directory Security Assessment Tool Pingcastle – Active Directory Security Assessment Tool
PingCastle is a Active Directory Security Assessment Tool designed to quickly assess the Active Directory security level based on a risk and maturity framework.
Second Order - Subdomain Takeover Scanner Tool Second Order – Subdomain Takeover Scanner Tool
Second Order Subdomain Takeover Scanner Tool scans web apps for second-order subdomain takeover by crawling the application and collecting URLs (and other data)
Binwalk - Firmware Security Analysis & Extraction Tool Binwalk – Firmware Security Analysis & Extraction Tool
Binwalk is a fast and easy to use Python-based firmware security analysis tool that allows for firmware analysis, reverse engineering & extracting of firmware.
zBang - Privileged Account Threat Detection Tool zBang – Privileged Account Threat Detection Tool
zBang is a risk assessment tool for Privileged Account Threat Detection on a scanned network, organizations & red teams can use it to identify attack vectors


2 Responses to Sony Loses 25 Million More Customer Account Details Through SOE (Sony Online Entertainment)

  1. DeborahS May 5, 2011 at 11:31 am #

    It is an interesting case. I wonder if this sequence of breaches will be big enough and serious enough to force a rethinking about the wisdom of keeping huge databases of user information on the web. It’s not really required to conduct business, and the practice certainly does expose people to a lot more harm than it does anybody good.

  2. Jen Wronski May 9, 2011 at 1:58 am #

    It’s going to be 18+ days before psn is restored. Fix the problem first then go head hunting for who’s responsible. Not the other way round