Sony Loses 25 Million More Customer Account Details Through SOE (Sony Online Entertainment)

The New Acunetix V12 Engine


I actually misread this news at first and thought it was an additional leak from the Sony PlayStation Network (PSN) Hack that has been flooding the news, but sadly for Sony this is an entirely different hack carried out at the same time.

It turns out around the same time PSN got hacked SOE (Sony Entertainment Online) also got hacked and critically an ‘old’ payment details table was stolen that contained credit card details.

It looks like Sony has been hacked REAL hard this time, perhaps some splinter cell of Anonymous really is laying the smackdown on them.

Sony warned that personally identifiable information for an additional 25 million customers was exposed after discovering a massive security breach extended to its online computer games service.

The intrusion on Sony Online Entertainment systems exposed data for 24.6 million users, including their name, address, email address, birthdate, phone number, and login name. Those behind the attack likely also made off with passwords that were hashed, although Sony didn’t address critical details, including what hashing algorithm was used and whether random values known as salt were used to prevent crooks from converting hashes into cleartext.

Sony also warned that that the SOE attackers may also have stolen an “outdated database” that stored data for some 12,700 payment cards belonging to customers located in Europe. The majority of SOE card information was stored in a “main credit card database” that was “in a completely separate and secured environment” that Sony analysts don’t believe was accessed.

The warning came a day after Sony closed the SOE’s Station.com website, because investigators “discovered an issue that warrants enough concern for us to take the service down effective immediately.”

As mentioned in the previous post comments, Sony also warned that the PSN hack could have exposed 10 million credit card details.

The latest news is that SOE was hacked resulting in 25 million customer accounts being exposed and the possibility of 12,000 sets of payment details being exposed is there too.

If you add up the numbers – in one week Sony has managed to expose over 100 million user accounts, that’s quite a feat.


Combined with a previously reported hack on the company’s PlayStation Network, in which sensitive data for 78 million users is believed to have been stolen, the new disclosure means Sony has exposed personally identifiable information for 102.6 million user accounts. Sony has said that the passwords in the previously disclosed attack were also hashed, but so far hasn’t supplied the same crucial details.

For the first time, Sony hinted that it would compensate users for the cost of enrolling in programs designed to prevent identity theft. “The implementation will be at a local level and further details will be made available shortly in each region,” Tuesday’s press release from Sony said.

The company also said SOE users will get 30 free days of additional time on their subscriptions and compensation of one day for each day the system is down. Sony hasn’t said when it expects to restore SOE service. It has said that PSN and Qriocity services will be progressively restarted over the coming week.

The intrusion on SOE happened on April 16 and 17, around the same time as the attack on the PSN, from April 17 to April 19. Sony closed the PSN on April 20, but didn’t disclose the extent of the breach until six days later. Security experts have already said that the amount of information believed to have been stolen in the PSN hack, and the number of users affected, means the attackers had sustained access to the core parts of Sony’s network.

It seems like they are considering ways of compensating their users for the downtime, the same can’t be said for PSN as it’s a free service. I wonder if any more news is going to come out about this, if the main Sony database was breached that would be tragic.

I can see them getting in some hot legal waters over all this data-loss. There are rumours that the main credit card database was compromised, but so far Sony has denied this and stated there is no evidence pointing to that.

Either way it’s an interesting case and I’m just waiting to see where else it’s going to go.

Source: The Register

Posted in: Legal Issues, Privacy

, ,


Latest Posts:


Domained - Multi Tool Subdomain Enumeration Domained – Multi Tool Subdomain Enumeration
Domained is a multi tool subdomain enumeration tool that uses several subdomain enumeration tools and wordlists to create a unique list of subdomains.
Acunetix Vulnerability Scanner For Linux Now Available Acunetix Vulnerability Scanner For Linux Now Available
Acunetix Vulnerability Scanner For Linux is now available, now you get all of the functionality of Acunetix, with all of the dependability of Linux.
Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.


2 Responses to Sony Loses 25 Million More Customer Account Details Through SOE (Sony Online Entertainment)

  1. DeborahS May 5, 2011 at 11:31 am #

    It is an interesting case. I wonder if this sequence of breaches will be big enough and serious enough to force a rethinking about the wisdom of keeping huge databases of user information on the web. It’s not really required to conduct business, and the practice certainly does expose people to a lot more harm than it does anybody good.

  2. Jen Wronski May 9, 2011 at 1:58 am #

    It’s going to be 18+ days before psn is restored. Fix the problem first then go head hunting for who’s responsible. Not the other way round