Sony Loses 25 Million More Customer Account Details Through SOE (Sony Online Entertainment)

The New Acunetix V12 Engine


I actually misread this news at first and thought it was an additional leak from the Sony PlayStation Network (PSN) Hack that has been flooding the news, but sadly for Sony this is an entirely different hack carried out at the same time.

It turns out around the same time PSN got hacked SOE (Sony Entertainment Online) also got hacked and critically an ‘old’ payment details table was stolen that contained credit card details.

It looks like Sony has been hacked REAL hard this time, perhaps some splinter cell of Anonymous really is laying the smackdown on them.

Sony warned that personally identifiable information for an additional 25 million customers was exposed after discovering a massive security breach extended to its online computer games service.

The intrusion on Sony Online Entertainment systems exposed data for 24.6 million users, including their name, address, email address, birthdate, phone number, and login name. Those behind the attack likely also made off with passwords that were hashed, although Sony didn’t address critical details, including what hashing algorithm was used and whether random values known as salt were used to prevent crooks from converting hashes into cleartext.

Sony also warned that that the SOE attackers may also have stolen an “outdated database” that stored data for some 12,700 payment cards belonging to customers located in Europe. The majority of SOE card information was stored in a “main credit card database” that was “in a completely separate and secured environment” that Sony analysts don’t believe was accessed.

The warning came a day after Sony closed the SOE’s Station.com website, because investigators “discovered an issue that warrants enough concern for us to take the service down effective immediately.”

As mentioned in the previous post comments, Sony also warned that the PSN hack could have exposed 10 million credit card details.

The latest news is that SOE was hacked resulting in 25 million customer accounts being exposed and the possibility of 12,000 sets of payment details being exposed is there too.

If you add up the numbers – in one week Sony has managed to expose over 100 million user accounts, that’s quite a feat.


Combined with a previously reported hack on the company’s PlayStation Network, in which sensitive data for 78 million users is believed to have been stolen, the new disclosure means Sony has exposed personally identifiable information for 102.6 million user accounts. Sony has said that the passwords in the previously disclosed attack were also hashed, but so far hasn’t supplied the same crucial details.

For the first time, Sony hinted that it would compensate users for the cost of enrolling in programs designed to prevent identity theft. “The implementation will be at a local level and further details will be made available shortly in each region,” Tuesday’s press release from Sony said.

The company also said SOE users will get 30 free days of additional time on their subscriptions and compensation of one day for each day the system is down. Sony hasn’t said when it expects to restore SOE service. It has said that PSN and Qriocity services will be progressively restarted over the coming week.

The intrusion on SOE happened on April 16 and 17, around the same time as the attack on the PSN, from April 17 to April 19. Sony closed the PSN on April 20, but didn’t disclose the extent of the breach until six days later. Security experts have already said that the amount of information believed to have been stolen in the PSN hack, and the number of users affected, means the attackers had sustained access to the core parts of Sony’s network.

It seems like they are considering ways of compensating their users for the downtime, the same can’t be said for PSN as it’s a free service. I wonder if any more news is going to come out about this, if the main Sony database was breached that would be tragic.

I can see them getting in some hot legal waters over all this data-loss. There are rumours that the main credit card database was compromised, but so far Sony has denied this and stated there is no evidence pointing to that.

Either way it’s an interesting case and I’m just waiting to see where else it’s going to go.

Source: The Register

Posted in: Legal Issues, Privacy

, ,


Latest Posts:


Intercepter-NG - Android App For Hacking Intercepter-NG – Android App For Hacking
Intercepter-NG is a multi functional network toolkit including an Android app for hacking, the main purpose is to recover interesting data from the network stream and perform different kinds of MiTM attacks.
dcipher - Online Hash Cracking Using Rainbow & Lookup Tables dcipher – Online Hash Cracking Using Rainbow & Lookup Tables
dcipher is a JavaScript-based online hash cracking tool to decipher hashes using online rainbow & lookup table attack services.
HTTP Security Considerations - An Introduction To HTTP Basics HTTP Security Considerations – An Introduction To HTTP Basics
HTTP is ubiquitous now with pretty much everything being powered by an API, a web application or some kind of cloud-based HTTP driven infrastructure. With that HTTP Security becomes paramount and to secure HTTP you have to understand it.
Cangibrina - Admin Dashboard Finder Tool Cangibrina – Admin Dashboard Finder Tool
Cangibrina is a Python-based multi platform admin dashboard finder tool which aims to obtain the location of website dashboards by using brute-force, wordlists etc.
Enumall - Subdomain Discovery Using Recon-ng & AltDNS Enumall – Subdomain Discovery Using Recon-ng & AltDNS
Enumall is a Python-based tool that helps you do subdomain discovery using only one command by combining the abilities of Recon-ng and AltDNS.
RidRelay - SMB Relay Attack For Username Enumeration RidRelay – SMB Relay Attack For Username Enumeration
RidRelay is a Python-based tool to enumerate usernames on a domain where you have no credentials by using a SMB Relay Attack with low privileges.


2 Responses to Sony Loses 25 Million More Customer Account Details Through SOE (Sony Online Entertainment)

  1. DeborahS May 5, 2011 at 11:31 am #

    It is an interesting case. I wonder if this sequence of breaches will be big enough and serious enough to force a rethinking about the wisdom of keeping huge databases of user information on the web. It’s not really required to conduct business, and the practice certainly does expose people to a lot more harm than it does anybody good.

  2. Jen Wronski May 9, 2011 at 1:58 am #

    It’s going to be 18+ days before psn is restored. Fix the problem first then go head hunting for who’s responsible. Not the other way round