PlayStation Network user data stolen

After nearly a week of little information, Sony reveals that hackers did indeed gain access to subscriber personal information and possibly credit card numbers.


Nearly a week ago Sony pulled the plug on the PlayStation Network and Qriocity services in response to what was later revealed to be an "external intrusion" on the system. Since that time Sony has offered very little information to ease subscriber concerns over the safety of their personal data, other than to say it was taking "the time necessary to provide the system with additional security."

In his latest report on the situation, Sony's senior director of corporate communications and social media, Patrick Seybold, revealed the sobering truth that user data had indeed been compromised. The following email will be going out to all PlayStation Network subscribers:

We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:

    • Temporarily turned off PlayStation Network and Qriocity services;

    • Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and

    • Quickly taken steps to enhance security and strengthen our network infrastructure by re-building our system to provide you with greater protection of your personal information.

    We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.

    Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

    For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.

    To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:

    U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit www.annualcreditreport.com or call toll-free (877) 322-8228.

    We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a “fraud alert” on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below.

    Experian: 888-397-3742; www.experian.com; P.O. Box 9532, Allen, TX 75013

    Equifax: 800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241

    TransUnion: 800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790

    You may wish to visit the web site of the U.S. Federal Trade Commission at www.consumer.gov/idtheft or reach the FTC at 1-877-382-4357 or 600 Pennsylvania Avenue, NW, Washington, DC 20580 for further information about how to protect yourself from identity theft. Your state Attorney General may also have advice on preventing identity theft, and you should report instances of known or suspected identity theft to law enforcement, your State Attorney General, and the FTC. For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; telephone (877) 566-7226; or www.ncdoj.gov. For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; telephone: (888) 743-0023; or www.oag.state.md.us.

    We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority. Please contact us at 1-800-345-7669 should you have any additional questions.

    Sincerely,

    Sony Computer Entertainment and Sony Network Entertainment

From The Chatty

  • reply
    April 26, 2011 1:18 PM

    Garnett Lee posted a new article, PlayStation Network user data hacked.

    After nearly a week of little information Sony reveals that hackers did indeed gain access to subscriber personal information and possibly credit card numbers.

    • reply
      April 26, 2011 1:23 PM

      Ugh...

    • reply
      April 26, 2011 1:24 PM

      Soooo should I be canceling my card at this point?

      • reply
        April 26, 2011 1:29 PM

        No, but you should be keeping an eye on it. It may be prudent to call your bank and ask what kind of protection you have against fraudulent charges, should they occur.

        • reply
          April 26, 2011 1:58 PM

          Yeah, I just called my CC company to ask about this. They offered to cancel my card but also said I wouldn't be on the hook for any unauthorized transactions that occur. It's a pretty small risk right now (imo) so I'll just leave things as is.

      • reply
        April 26, 2011 1:29 PM

        wondering the same. i guess weigh what is more likely the bigger pain in the ass, fixing your credit rating after fraud or changing shit in advance and setting up preauthorized payments again...

      • reply
        April 26, 2011 2:02 PM

        No. By law you're only liable for the first $50 of credit card fraud, and most companies don't even bother to charge you that, in the name of keeping good customer relations. The onus is on your credit card company, not you, so they are either super-safe and will be calling you if they see unusual activity, or they get what they deserve. You DO have an obligation to contact them if you see something before they do, however.

        What you need to worry about is your date of birth. Marry that off to your social security and they have the keys to the kingdom. A credit card number is a joke compared to that. Lots of mom-and-pop shops still print your entire credit card number and expiration date on the receipt. Those numbers are all over the place.

        Secondarily, if they order with your card, AND they have your home address now, they can order crap and have it delivered to your house, and then they can come grab it off the porch. That is a bigger pain in the ass for a variety of reasons, not the least of which is an unfortunate encounter with them. The CC companies will probably give you a harder time if you dispute shit that is sent to your doorstep, but it's common enough that you should still be OK.

      • reply
        April 26, 2011 2:09 PM

        after speaking with my bank just now, because i have a lot of bill-pay stuff already set with my account, my plan is keep a close eye on it, and their fraud dept. is already monitoring

        • reply
          April 26, 2011 2:11 PM

          It's just really shitty they sat on this information for a week. You could have notified your bank last week FFS

    • reply
      April 26, 2011 1:26 PM

      I have both a PS3 and Xbox 360, but this is why I don't choose "free". You really do get what you pay for - Not to say Microsoft has not been hacked but this is going to be bad for Sony.

      • reply
        April 26, 2011 1:29 PM

        LOL at "getting what you pay for".

        • reply
          April 26, 2011 7:23 PM

          I feel the experience I get from Live is worth paying for - its a lot cleaner and better than Sony's offering.

      • reply
        April 26, 2011 2:24 PM

        Oddly, this is a benefit to MS to be on a points based system and even retail cards to buy Gold subscriptions.

        • reply
          April 26, 2011 2:30 PM

          unless you make it so points can only be redeemed through retail cards, there's an account that feeds the points

    • reply
      April 26, 2011 1:27 PM

      Time to find some high quality lube Sony - you're about to take it hard and proper.

    • reply
      April 26, 2011 1:27 PM

      guess i am cancelling that card, wtf sony.

      • reply
        April 26, 2011 1:32 PM

        kind of disappointed they did not see this coming. keys out in the public, and whatnot

        • reply
          April 26, 2011 2:05 PM

          That is somewhat premature. See my above post and then make your decision.

    • reply
      April 26, 2011 1:27 PM

      what the fucking shit, they fucking tell us this now and still cant be certain if our credit card numbers have been taken? meanwhile the hackers also have every bit of information possible to steal your identity. for fuck's sake.

      • reply
        April 26, 2011 1:30 PM

        Don't worry, if you're in the US you're entitled to one free yearly credit report! I guess anyone not in the US is SOL though.

        • reply
          April 26, 2011 1:32 PM

          I thought they were supposed to pay for a year of credit monitoring if card information was stolen. But geez, yea, practically everything else to steal an identity was taken.

          • reply
            April 26, 2011 2:10 PM

            This varies by state and country. Given that PSN is available in 40 countries there's absolutely little chance that Sony's legal department has anything nearing a handle on the situation. At the very minimum some states require email notification about the issue, which we haven't seen yet. This is just an initial statement at this point; we're likely to be hearing about this for a long while.

          • reply
            April 26, 2011 3:23 PM

            even if they dont have my credit card number they got everything to make new credit cards

      • reply
        April 26, 2011 2:11 PM

        I think Sony's PR team must be the same PR team for the Fukushima plant

    • reply
      April 26, 2011 1:27 PM

      I've been using the internet for damn near 20 years now and i've never (as far as I know) had my personal information hacked. Until Now.

      GG Sony. I'll be canceling Plus as soon as I can and i'll always second guess you.

      • reply
        April 26, 2011 1:44 PM

        I'm with you... wtf sony...

      • reply
        April 26, 2011 1:59 PM

        Pretty much in the same situation.

        Gotta wonder tho. If stuff like GMail, PayPal and social networks get hacked, it's game over.

      • reply
        April 26, 2011 2:07 PM

        Interesting you put in the 20-year metric. Remember Microsoft Passport's Great Russian Hacking of 1995 and 1996, where about a million credit card numbers stored on the Passport servers were stolen over the course of several cracking intrusions? No?

        • reply
          April 26, 2011 2:14 PM

          I was 15, I had no CC then.

          • reply
            April 26, 2011 2:15 PM

            plus I never put my personal information up then (addresses, etc). Even now very few places have my information, psn, itunes, amazon, the big players. I guess no one is safe.

            • reply
              April 26, 2011 2:34 PM

              This is true. A quick google search reveals similar brouhahas milling over XBLA/Windows Live ID as well. The difference here is, the entire PSN service will be down for 2 weeks overall, whereas on other sites there was minimal, if any, service interruption (on the order of hours instead of weeks).

        • reply
          April 26, 2011 3:26 PM

          SIMPSONS DID IT

    • reply
      April 26, 2011 1:29 PM

      I cant believe how long they waited to tell everyone this information, fucking ridiculous.

      • reply
        April 26, 2011 1:51 PM

        Agreed, this is what gets me. A week with no word and our information floating around. I'd have had this dealt with day one if they'd said they'd lost subscriber information and possibly credit card numbers...They are seriously tanking after all the awesome they built up with the PSOne and PS2

    • reply
      April 26, 2011 1:31 PM

      Remain vigilant...lol

      • reply
        April 26, 2011 3:01 PM

        And get a second job should your credit be hosed.

    • reply
      April 26, 2011 1:32 PM

      Sony's going to get ripped up for this.

      • reply
        April 26, 2011 1:33 PM

        any psn users want to get in on the ground floor of a class action?

        • reply
          April 26, 2011 1:35 PM

          I think all of GT5 would, lots of drivers are lost in the ethereal remote racing :(

        • reply
          April 26, 2011 2:13 PM

          They got hacked. They'll just argue that they're the victim just as much as you are. Theyll say x dollars in sales were lost as a result of the store being down for however long.

      • reply
        April 26, 2011 1:34 PM

        Don't worry, GeoHot is on the case!

        • reply
          April 26, 2011 1:37 PM

          Hotz is probably laughing his ass off right about now.

          • reply
            April 26, 2011 1:41 PM

            Hotz likely had a PSN account too

            • reply
              April 26, 2011 1:52 PM

              Yeah but anyone with any security mentality would have not added their credit card number, used a unique username and password, and a spam email address. I can't believe people don't do this with every service. :(

            • reply
              April 26, 2011 10:21 PM

              Not anymore; he was banned from using ps3 hardware, wasn't he?

    • reply
      April 26, 2011 1:33 PM

      *sigh*

    • reply
      April 26, 2011 1:34 PM

      now would be a good time to enable 2 step verification if you use gmail
      http://gmailblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html

      • reply
        April 26, 2011 1:51 PM

        Good stuff. thanks

      • reply
        April 26, 2011 2:14 PM

        Good lookin out. Thanks. Pretty much anything from WoW to your email needs these now.

      • reply
        April 26, 2011 2:15 PM

        *high five*

      • reply
        April 26, 2011 2:25 PM

        This needs to be bumped

      • reply
        April 26, 2011 2:33 PM

        So, if I turn this on, I have to have to access my phone every time I log into my gmail account?

        • reply
          April 26, 2011 2:34 PM

          only on each computer, every 30 days per

        • reply
          April 26, 2011 2:50 PM

          For example, you use the same password on psn as gmail they will get a 2nd screen after clicking login to enter the verification number (since its a different ip/computer) sent to your phone. The bonus is you're getting alerted asap to someone hacking you.

      • reply
        April 26, 2011 2:34 PM

        thanks!

      • reply
        April 26, 2011 2:36 PM

        Thanks that was really fun. Made me feel like a spy.

      • reply
        April 26, 2011 2:57 PM

        Apparently I need iOS 4 to use this :(

        • reply
          April 26, 2011 2:59 PM

          you'll have to set it to "other" and just use text messaging to get the code

          • reply
            April 26, 2011 5:04 PM

            Isn't the text message version actually better, because it notifies you when someone tries to use it? I'm not sure I understand the benefit to the app. I suppose the text message could in theory be intercepted, but in that case you're probably trying to hide things from the government, and Google won't help you there.

        • reply
          April 26, 2011 3:00 PM

          you don't need anything but a phone. You can get text messages or a voice call that tells you the numbers.

      • reply
        April 26, 2011 3:43 PM

        Already have this, but they need this type of security available on virtually everything, sadly.

        Amazon needs to get on their shit and have this setup as well.

      • reply
        April 26, 2011 8:30 PM

        Yup, I'm now set up. :\

      • reply
        April 26, 2011 9:17 PM

        This is fucking awesome. thanks.

      • reply
        April 27, 2011 2:59 AM

        Thanks!

    • reply
      April 26, 2011 1:36 PM

      Well, I guess it's a good thing I NEVER GOT MY CREDIT CARD TO WORK ON GODDAMNED PSN BECAUSE IT WOULD BE THE ONLY SERVICE TO REFUSE MY CARD NUMBER goddamnit.

      • reply
        April 26, 2011 2:01 PM

        lol same problem here. Sony is so retarded.

    • reply
      April 26, 2011 1:37 PM

      Oh just fucking great. :|

    • reply
      April 26, 2011 1:41 PM

      fucking sony. wtf.

    • reply
      April 26, 2011 1:41 PM

      Holy shit! Name, billing addresses, username, password, birthday, e-mail, secret question and answer, AND credit card number? That's a metric-fuckton of data!

      God damnit Sony!

    • reply
      April 26, 2011 1:42 PM

      I wonder if steam info would be compromised if folks signed in through PSN on Steam prior to the outage. In any case time to change passwords.

      • reply
        April 26, 2011 1:43 PM

        dunno exactly what information is exchanged when a PSN and Steam account are linked

        • reply
          April 27, 2011 4:02 AM

          Oh, that puts a whole new wrinkle in this... honestly most (well at least) banks will put a flag on your card if they see any out of the ordinary activity on it. Trust me, mine has done that 3 times already with my tax returns for a couple of years.

    • reply
      April 26, 2011 1:43 PM

      how about those hackers' principles now? guess it wasn't all about Linux :P

      • reply
        April 26, 2011 2:01 PM

        I'm wondering if someone used the devchannel hacks to get into all this info

        • reply
          April 26, 2011 2:04 PM

          this is most likely it. The PS3 hack was always known to have some serious potential for hacking at PSN

        • reply
          April 26, 2011 6:42 PM

          They suspended themselves from a ventilation shaft in the server room.

    • reply
      April 26, 2011 1:44 PM

      Nice. Good thing I have to wait until September to get a new free credit report. Great job, guys.

    • reply
      April 26, 2011 1:44 PM

      I seem to remember removing my credit card number from PSN. Is this possible? Or am I just imagining it from all the times I do it on iTunes?

      • reply
        April 26, 2011 1:44 PM

        you can do it on PSN

        • reply
          April 26, 2011 1:46 PM

          Okay then I have nothing to worry about. The password I used was unique to PSN, and the email address I used was my spam email.

          • reply
            April 26, 2011 1:55 PM

            Pretty sure I haven't bought anything after getting a new card, so that info's expired. And yeah different password and all that.

    • reply
      April 26, 2011 1:45 PM

      yikes

    • reply
      April 26, 2011 1:49 PM

      Holy crap.

    • reply
      April 26, 2011 1:49 PM

      I'm a bit concerned about their advice that people change their passwords. They didn't list "password" as something that might have been stolen, and if they know anything at all about computer security then they cannot possibly have anyone's password on record. (If this claim doesn't make sense, you should read about cryptographic hashes: http://en.wikipedia.org/wiki/Cryptographic_hash_function ).

      Did the hackers get such complete access that they have password digest files and can attack those offline?

      • reply
        April 26, 2011 1:50 PM

        I assume they got access to *everything* at this point since Sony is being so quiet on the issue.

        • reply
          April 26, 2011 1:53 PM

          This is the thing, though: Sony shouldn't have anyone's password in the first place, so it shouldn't be something anyone can steal.

          • reply
            April 26, 2011 2:10 PM

            It's gotta sit in a database somewhere though.

            • reply
              April 26, 2011 2:39 PM

              No, it doesn't. That's the beauty of cryptographic hashing. You can read about it in the article I linked above.

              • reply
                April 26, 2011 10:25 PM

                Assuming for a minute that the hackers gained access to username and password-hash pairs, a library attack on the hashed passwords becomes very feasible. In that scenario, asking users to change their passwords makes sense.

            • reply
              April 26, 2011 7:22 PM

              Nope. It just needs to be pushed through a one way hash function and stored in that form.

              Imagine you have a function that takes a string and outputs a 128bit key. When a person registers an account, Sony would save that key in their password field. The actual string the user input would be discarded.

              Then every subsequent time the user logs in, it runs the password they entered through the same function and checks to see whether the output matches what they've stored.

              Their real password would never be stored anywhere.

      • reply
        April 26, 2011 1:51 PM

        Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.

        • reply
          April 26, 2011 1:52 PM

          You're right: I misread. That's actually far scarier than this hack happening in the first place. The only reason to store a user password is because you don't know what you're doing.

          • reply
            April 26, 2011 2:01 PM

            It has to be stored somewhere, how would they know if you put in the correct password or not?

            • reply
              April 26, 2011 2:02 PM

              No, it doesn't. They should be storing a hash generated from the password, which they can then test your input against.

              • reply
                April 26, 2011 2:07 PM

                I'm wondering if they may have gotten access to the password hashes, but not the actual passwords, and just said that the passwords were compromised for simplicity's sake?

                • reply
                  April 26, 2011 2:13 PM

                  yeah i'm pretty sure it's for simplicity, and CYA for the random chance the same pass and hashing algorithm are repeated anywhere else

                  • reply
                    April 26, 2011 2:16 PM

                    Next week we find out that all the passwords were being encrypted with the PS3 root key.

                  • reply
                    April 26, 2011 2:44 PM

                    I wouldn't put it past them, but which is worse: a company that doesn't know the first thing about security, or one that is willing to say it doesn't just for the sake of simplicity during a security crisis?

                    • reply
                      April 26, 2011 2:46 PM

                      i have a feeling that whoever wrote the statement wasn't a security expert at all. possibly a lawyer or someone using stuff thrown out in an emergency conference room meeting of "hey what should we include in this message?"

                • reply
                  April 26, 2011 2:19 PM

                  I dunno; the wording seems to say clearly that passwords were compromised. If so, that says very, very bad things about Sony's internal security. If it's just hashes that's a different story, but I would think if that was the case the release would have said they "might" have been compromised, rather than including them definitely.

      • reply
        April 26, 2011 1:51 PM

        Oops, I misread: they did list "password". So they store passwords, meaning that Sony doesn't know the first thing about computer security.

        • reply
          April 26, 2011 1:59 PM

          You would be really surprised at how many companies do this or have lax security in general.

          • reply
            April 26, 2011 3:12 PM

            If they did, it's against the PCI Data Security Standards, with which Sony is required to be in compliance if they're handling credit card transactions, or else their payment processing provider is required to be in compliance. Maybe they're erring on the side of caution by saying the passwords have been compromised, but we saw what happened when Gawker got caught using plain old DES, which has been easily brute-forceable for over a decade.

            • reply
              April 26, 2011 3:15 PM

              That's true, but I have seen it happen at places that are required to do PCI and even have audits. Not at the company we were working for, but some of their partner banks were more than willing to send us secure stuff through regular email and FTP; we had to insist on doing it right before they'd go through the effort. It was an eye opener, to say the least.

      • reply
        April 26, 2011 1:52 PM

        Typically in breaches like this the hashes are taken. But between rainbow tables and off-line attacks weak passwords are found, people typically reuse passwords, and that's the issue there. I think the bigger issue is security questions and answers were taken, which if you are like me and use non-sensical answers is a big deal.

        • reply
          April 26, 2011 1:57 PM

          I don't understand the problem with having your nonsensical answers exposed. Can you explain?

          • reply
            April 26, 2011 2:06 PM

            perhaps the nonsense question and answer is reused everywhere, despite different passwords

            • reply
              April 26, 2011 2:11 PM

              makes sense. "lies" (the nonsensical answer) are hard to remember unless you're consistent about them

            • reply
              April 26, 2011 2:41 PM

              I use nonsense for every security question that I know won't be used for two-factor authentication. I just mash the keyboard until I hit the character limit. I'm not sure why that information would help anyone if they already had my account password.

              • reply
                April 26, 2011 2:42 PM

                I don't think most people "mash the keyboard until I hit the character limit" for security questions, is the thing.

                • reply
                  April 26, 2011 2:47 PM

                  I understand that it would be an issue for most people, but I assumed mancide's nonsensical answers were random, like mine. I can see how it would be a problem if they weren't random, but just lies in order to avoid being obvious.

          • reply
            April 27, 2011 5:52 AM

            I'm guessing he considers them un-guessable and re-uses them

        • reply
          April 26, 2011 3:16 PM

          With a sensible amount of salt, rainbow tables are not that helpful. And even if you can brute force a few passwords, that would still just be dangerous to a few people. (Although, celebrities beware!)

          It would take forever to brute force the whole PW database. I think they actually stored passwords though. Or they would have worded it differently, I think.

      • reply
        April 26, 2011 2:00 PM

        Yeah, I can't believe they were apparently storing passwords in cleartext for a giant commercial network like this. It's just absurd.

      • reply
        April 26, 2011 3:09 PM

        I wouldn't assume that they wouldn't store PWDs in the clear...

        • reply
          April 26, 2011 5:06 PM

          It doesn't matter whether they're in the clear or not. There is no need to store them at all.

      • reply
        April 26, 2011 6:29 PM

        People on Twitter suspect Sony has been storing passwords as plain text. If true, *facepalm*

        • reply
          April 26, 2011 10:12 PM

          Seems this has been the accusation for everything lately and it turns out to be a load of BS.
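The posts above describe the one-way hash scheme (store only a digest, never the password), the library attack that becomes feasible once hashes leak, and the reply that a sensible salt blunts rainbow tables. As an added example, not code from the page or from Sony, here is the weak scheme next to a salted, slow-KDF scheme, with the same wordlist attack run against both so the difference in attacker cost is visible. The accounts, wordlist and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample accounts for the demo (handle -> password); not real data.
SAMPLE_ACCOUNTS = {
    "alice": "password123",
    "bob": "letmein",
    "carol": "Tr0ub4dor&3-unique-long-phrase",
}

# Constructed attacker wordlist (the "library" in a library attack).
WORDLIST = ["123456", "password", "password123", "letmein", "qwerty"]

# Assumed work factor; tune so one derivation costs ~100 ms on the login servers.
PBKDF2_ITERATIONS = 100_000


def store_unsalted(password: str) -> str:
    """Weak scheme: one fast, unsalted hash. Same password -> same digest for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Better scheme: per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    The cleartext password is never stored; only (salt, digest) goes in the database."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    _, candidate = store_salted(password, salt)
    return hmac.compare_digest(candidate, stored)


def crack_unsalted(db: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Library attack on unsalted hashes: one hash per candidate tests every user at once
    (a rainbow table is the same idea with the hashing done in advance).
    Returns (recovered passwords, number of hash computations spent)."""
    users_by_digest: Dict[str, List[str]] = {}
    for user, digest in db.items():
        users_by_digest.setdefault(digest, []).append(user)
    found: Dict[str, str] = {}
    work = 0
    for word in wordlist:
        work += 1
        for user in users_by_digest.get(store_unsalted(word), []):
            found[user] = word
    return found, work


def crack_salted(db: Dict[str, Tuple[bytes, bytes]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Same attack on salted PBKDF2 digests: every candidate must be re-derived per user,
    so cost scales with users x wordlist, and each derivation is slow by design."""
    found: Dict[str, str] = {}
    work = 0
    for user, (salt, stored) in db.items():
        for word in wordlist:
            work += 1
            if verify_salted(word, salt, stored):
                found[user] = word
                break
    return found, work


def build_databases() -> Tuple[Dict[str, str], Dict[str, Tuple[bytes, bytes]]]:
    """What a leaked table would contain under each scheme."""
    unsalted = {u: store_unsalted(p) for u, p in SAMPLE_ACCOUNTS.items()}
    salted = {u: store_salted(p) for u, p in SAMPLE_ACCOUNTS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted_db, salted_db = build_databases()
    print("unsalted:", crack_unsalted(unsalted_db, WORDLIST))  # both weak passwords, 5 hashes
    print("salted:  ", crack_salted(salted_db, WORDLIST))      # same two, 12 slow derivations
```

Both schemes give up the two weak passwords, which is why the "change it everywhere you reused it" advice stands even when only hashes leak. What the salt and slow KDF change is the price: the unsalted table falls to one cheap hash per guess for the entire user base, while the salted one costs a slow derivation per guess per user, and carol's unique long passphrase is not in any wordlist at all.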

    • reply
      April 26, 2011 1:57 PM

      None of the credit companies will offer free fraud protection for me. Is the info from Sony wrong about that?

      • reply
        April 26, 2011 1:58 PM

        At no charge, U.S. residents can have these credit bureaus place a “fraud alert” on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. - All three of them are telling me I have to pay for this service.

        • reply
          April 26, 2011 1:59 PM

          Don't people need at least the last 4 digits of your SSN to apply for credit anyway?

          • reply
            April 26, 2011 3:19 PM

            they've got your name, current address and date of birth and possibly whatever ID you can make with that on it so maybe they can find a way to get your SSN using that.

    • reply
      April 26, 2011 1:57 PM

      Didn't we see this coming anyway? Granted it would have been nicer to get a report like this sooner, however it's better to do some investigating rather than potentially crying wolf. Just think if Sony said without looking into it further that user data was compromised, just to discover later nothing was taken, we would have the same "WTF SONY?!?!" but this time it would be because people cancelled cards and all the good stuff, then find out it was for nothing.

      The backlash against Sony is expected, however some of it may be a bit unwarranted.

      • reply
        April 26, 2011 2:00 PM

        You can't wait one whole week before you report this kind of stuff. Even if it's just a very small chance, you gotta let people know.

        Nice of them to give some extra time to hackers.

        • reply
          April 26, 2011 2:47 PM

          Actually, you'd be surprised. Many companies wait weeks or even months after a data breach before notifying their customers, if they notify them at all.

          • reply
            April 26, 2011 3:09 PM

            even floating the possibility that it could have happened would likely have a negative effect on a publicly traded company

      • reply
        April 26, 2011 3:06 PM

        I'm having trouble coming up with a response that would really be an overreaction to "hackers broke into our system and made off with the data for our entire user base, including passwords and credit card numbers, we weren't able or willing to tell anyone for a week, and our system is so fucked that it will be down for an indefinite time into the future." That's basically a worst-case security scenario.

        I guess demands for summary execution might be an overreaction. Maybe.

    • reply
      April 26, 2011 1:59 PM

      Bring on PS4 because PS3 was/is a disaster.

      • reply
        April 26, 2011 3:06 PM

        Hey at least you can still get the four updates you need to play the game you just bought!

    • reply
      April 26, 2011 2:01 PM

      Rofl

    • reply
      April 26, 2011 2:06 PM

      Looks like it's time for me to finally get a PS3.

    • reply
      April 26, 2011 2:06 PM

      Now that explains it.

      Debug firmware allowed for pulling of data from PSN without checks, got it. So instead of just adding funds to steal PSN info, it was used to comb user data that probably had unprotected CC information.

      • reply
        April 26, 2011 3:08 PM

        Why were dev consoles able to talk to the production databases in the first place?

        • reply
          April 26, 2011 7:02 PM

          It sounds like entering the PS3 into Dev mode got you onto the network. Once they were onto the network, traffic was sniffable and further poking happened.

          My simple guess was some HTTP GET request would return a user's info given *some* parameter. Now that you're onto the network (and playing), you could sniff other user's PSN IDs and keep crawling. After enough IDs, you *may* be able to gain the pattern and build a larger crawl through all possible user combinations.
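The enumeration guessed at in the comment above is the textbook missing object-level authorization check: the handler confirms the caller is logged in but never confirms the caller owns the record being asked for, so one valid session can walk every ID. The following is an added illustration written for this page, not Sony's or PSN's code; the endpoint shape, the sessions, the records and the crawl loop are all invented to show the pattern and its fix.

```python
"""Added example (not Sony/PSN code): a profile lookup that checks only
authentication, beside the same lookup with an ownership check.
Sessions, users and records are constructed for the demo."""
from dataclasses import dataclass
from typing import Optional

# Constructed "database": online IDs mapped to the kind of data the breach
# notice lists (email, birthdate, city).
PROFILES = {
    "alice_77": {"email": "alice@example.net", "dob": "1990-01-01", "city": "Austin"},
    "bob_42":   {"email": "bob@example.net",   "dob": "1985-05-05", "city": "Denver"},
}

# Constructed session store: bearer token -> the online ID that logged in.
SESSIONS = {"tok-alice": "alice_77", "tok-bob": "bob_42"}

@dataclass
class Response:
    status: int
    body: Optional[dict] = None

def get_profile_vulnerable(token: str, online_id: str) -> Response:
    """GET /profile?id=<online_id> with an *authentication* check only.
    Any logged-in caller reads any record by changing the id parameter."""
    if token not in SESSIONS:
        return Response(401)
    record = PROFILES.get(online_id)
    if record is None:
        return Response(404)
    return Response(200, dict(record))

def get_profile_hardened(token: str, online_id: str) -> Response:
    """Same endpoint with an *authorization* check: the record is selected by
    the identity bound to the session, never by the caller-supplied id, and a
    mismatch is reported as 404 so the handler does not confirm which ids exist."""
    caller = SESSIONS.get(token)
    if caller is None:
        return Response(401)
    if online_id != caller:
        return Response(404)
    return Response(200, dict(PROFILES[caller]))

def crawl(handler, token: str, ids) -> dict:
    """The attacker loop the comment describes: one valid session iterating
    over other users' ids. Returns whatever the handler leaked."""
    leaked = {}
    for oid in ids:
        r = handler(token, oid)
        if r.status == 200:
            leaked[oid] = r.body
    return leaked

if __name__ == "__main__":
    ids = list(PROFILES)
    print("vulnerable leaks:", sorted(crawl(get_profile_vulnerable, "tok-alice", ids)))
    print("hardened leaks:  ", sorted(crawl(get_profile_hardened, "tok-alice", ids)))
```

The point of the hardened version is that the caller never gets to choose whose row is read: the session decides, and the id in the request is only compared against it. Rate limiting and unguessable IDs help, but neither replaces that check.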

        • reply
          April 27, 2011 3:37 AM

          There was a Custom Firmware that was released that allowed that to happen. Something like what happened with M&T Bank a few years ago and another bank this year, if you remember correctly. So all the outrage of how this can happen. It can, it has and it will happen again. Instead of black clothes, zip lines and glass cutters, they have computers.

    • reply
      April 26, 2011 2:08 PM

      How in the hell do people not hash and encrypt CC numbers these days? They make it sound like all of the data was in one flattened 'please take me table'.

      • reply
        April 26, 2011 2:10 PM

        They probably are encrypted, but that doesn't mean they can't hack it eventually.

      • reply
        April 26, 2011 2:20 PM

        You'd be surprised how many coders/developers/execs prefer ease and cost savings over security.

    • reply
      April 26, 2011 2:11 PM

      The class-action suit which will result from this is going to be staggering.

    • reply
      April 26, 2011 2:12 PM

      uuuuuuuuuuuggggghh come the F on

    • reply
      April 26, 2011 2:18 PM

      I bought a PS3 the other day knowing full well the situation. It's a great console but I feel they need to follow XBOX 360 in the network area. I wouldn't mind paying maybe 40 dollars for 6 months service or something, as long as it keeps it secure.

      I have always liked the PS, PS2, and PS3 and feel they will resolve this. Don't let this put you off buying a PS3.

      • reply
        April 26, 2011 5:33 PM

        Don't let your credit card and personal information being stolen dissuade you from getting a PS3...

    • reply
      April 26, 2011 2:21 PM

      Alright, let's talk about mitigation. What should we be doing?

      1. Cancel associated credit cards or keep an eye on them. I don't even know which one I used :/
      2. New email address passwords. I have done this recently so I should be fine.
      3. Anything else to look out for?

      • reply
        April 26, 2011 2:25 PM

        4. Change all account questions and answers on any service that uses them.

      • reply
        April 26, 2011 2:26 PM

        if you're really paranoid you might want to put credit bureaus on fraud alert, but without at least a partial SSN or SIN I don't think they can apply for credit in your name

        • reply
          April 26, 2011 2:32 PM

          Yeah, I'm not terribly worried on that front since PSN never asked for my social.

    • reply
      April 26, 2011 2:24 PM

      It does everything!

      • reply
        April 26, 2011 2:36 PM

        It only does identity theft.

    • reply
      April 26, 2011 2:27 PM

      Update: For those who were asking, Sony has just confirmed to me there is currently no way to determine what password you were/are using on PSN. If you're worried at all, you should probably change your password used across the Internet.

      http://www.giantbomb.com/news/good-news-psn-back-maybe-within-a-week-bad-news-everything-else-updated/3084/

      Really Sony? Really?

      • reply
        April 26, 2011 2:33 PM

        you could imply from that that they do use password hashes, since they admit they can't access the passwords, and the earlier statement was just poorly written or written by someone who doesn't comprehend the semantic difference (likely a lawyer wrote that earlier statement)

        • reply
          April 26, 2011 2:36 PM

          No, you could not; quite the opposite, rather. It just means they don't currently have a system set up to look, and aren't going to.

          The fact that they didn't elaborate and instead again included passwords as compromised if anything suggests storing passwords in a retrievable format is even more likely.

          • reply
            April 26, 2011 2:42 PM

            I'd more likely chalk it up to poor communication in the earlier statement than try to read between the lines in it.

            • reply
              April 26, 2011 2:55 PM

              Considering they flat out include passwords in the compromised info, it seems more like reading between the lines to guess that it wasn't really compromised.

              Don't get me wrong, I realize how absurd it would be for Sony to have stored the passwords in cleartext, but such things have happened before; I'm just going by what they themselves say.

              • reply
                April 26, 2011 3:05 PM

                when they say passwords they could in all likelihood mean hashed passwords knowing that even a hashed password can be readable if the underlying password is insecure enough through brute force / table lookup attacks.

                • reply
                  April 26, 2011 3:10 PM

                  or someone was told "password hash" and just wrote down "password" instead, not knowing the difference

                  • reply
                    April 26, 2011 3:12 PM

                    I agree, I'm just saying that's just as much "reading between the lines" as anything else.

                    Personally, the fact that they haven't clarified it yet kinda suggests there may not be anything to clarify - they may really just mean passwords.

                  • reply
                    April 26, 2011 10:31 PM

                    Any smart PR guy would confirm with a technical director of sorts whether the info in the announcement was complete and accurate. Not asking a nerd about a situation they don't understand (nerdy security stuff) before sending it out is just bad PR.

          • reply
            April 26, 2011 2:50 PM

            Plus even if they did have such a system, how would they verify that you're legit.

            • reply
              April 26, 2011 2:53 PM

              the fox asking the blind farmer for the keys to the henhouse? :P

        • reply
          April 26, 2011 6:30 PM

          Even if a hash of a password list was downloaded, they would still need to advise users to change their passwords. These are vulnerable to dictionary attacks, etc.

      • reply
        April 26, 2011 2:35 PM

        This most likely means that they were hashed and that they can't tell you the plain text of it. At least that sheds a little light on the questions above.

      • reply
        April 26, 2011 2:37 PM

        I'd be more worried if they could tell.

        • reply
          April 26, 2011 2:53 PM

          Oh, it's likely a good thing. Considering this statement and that you could only do password resets, not retrieval, in the past and it's safer to assume that the passwords were hashed. That means less reason to worry about the actual passwords being lost.

          However, I assume there's a fair amount of users who would like to be able to tell if the password matched anything else and would hope that Sony would set up a lookup system to double check. It's likely just not technically feasible, though they can't outright say that. People will likely be unhappy either way.

      • reply
        April 26, 2011 2:46 PM

        Of course not.. WTF?

    • reply
      April 26, 2011 2:38 PM

      Who wants to buy a PS3?

    • reply
      April 26, 2011 2:42 PM

      I have not a fucking clue what my username/password/CC info is on the PSN. Goes to show you how much I fire that console up.

    • reply
      April 26, 2011 2:42 PM

      my card was cracked and I ordered a new one anyways and they change the number, works out.

    • reply
      April 26, 2011 2:47 PM

      So this ANON hive-mind...they very much have teeth amirite?

      • reply
        April 26, 2011 2:57 PM

        No reason to assume they were involved at all at this point; it seems more like other criminal intrusions than the stunts they've been pulling, and they (as much as a body without clear leadership can) have said they aren't involved.

        • reply
          April 26, 2011 3:12 PM

          ANON doesn't care about customer information or CC#s. When they go after dox it is to embarrass someone. They tend to target a specific person and leak all THEIR info.

          • reply
            April 26, 2011 3:13 PM

            you can't say that about all of anonymous, that goes against the inherent nature of anonymity. maybe a good portion of them do have goals other than trolling

            • reply
              April 26, 2011 3:14 PM

              the hackers have proved a point, now consoles will be even more open and you can install all versions of linux! good job!

              • reply
                April 26, 2011 5:53 PM

                I for one can't wait to start downloading all my different Linux distros for my PS4/Wii2/NextBox!

            • reply
              April 26, 2011 3:17 PM

              Possible, but it would be contrary to their previous patterns of behavior.

              • reply
                April 26, 2011 3:18 PM

                Contrary to their behavior and beliefs. There are only a few members who have the skills to do real cracking like this, and they've always been absolutely tight about what they will and won't release.

      • reply
        April 26, 2011 4:06 PM

        I'm pretty sure this is in relation to the CFW that allowed access to the developer network, not the DDoS that Anon was doing.

    • reply
      April 26, 2011 2:49 PM

      Wow, I'm guessing if they got all that info, they also have your credit card info. I almost bought a PS3 instead of a dedicated Blu-ray player; happy I'm a cheap bastard.

    • reply
      April 26, 2011 2:58 PM

      I've been pondering getting a PS3, and oddly, this news doesn't change that.

    • reply
      April 26, 2011 3:02 PM

      Wow, I really can't believe they waited this long to say that user data was compromised. I'm extremely paranoid about this stuff! Luckily after the Gawker security breach I learned my lesson and started making better use of password manager utilities as well as having individual passwords for each service/website that requires one. I also went ahead and cancelled the card associated with my PSN account and had my bank send a replacement, just for good measure. I'm also going to place a 90 day fraud alert on my credit.

      Just another reminder that your data is never truly safe and it's always important to do what you can to protect your info.

    • reply
      April 26, 2011 3:10 PM

      PASSWORD?!?! REALLY?!?! I've tried to not blow up too much about the Sony thing because I haven't been adversely affected so far, (I have a PSN acct, but no CC associated with it) but this is beyond the pale! Since the 70s it has been known and understood that you never ever ever store passwords!! There is a completely standard and pretty secure way of storing them which involves using a hash with salt. This allows you to verify a password without ever having to store it, and if your password db is ever compromised, the infiltrator can of course get into your systems but the passwords themselves are still protected.

      Sony seem to have ignored even the most simple, fundamental rules of secure coding that literally every programmer who ever handles a password should be embarrassed not to know. It shows a level of incompetency that is criminal, I think. Who knows what the hackers will do with the DB, but it's quite possible that there will be many, many accounts compromised because of this. People are sometimes lax with their passwords and reuse them... I'm sure everyone does to some degree. I use unique passwords for all but the most trivial things, but with the multitude of accounts people have to juggle these days, you just can't expect otherwise. However, you could expect Sony to conform to the least common denominator of security practices in the industry. Ugh... I am beyond disgusted.

      • reply
        April 26, 2011 3:11 PM

        We've discussed this at length, and it's debatable whether they actually meant the passwords or the hashes.

      • reply
        April 26, 2011 3:12 PM

        Where does it say they were hashed? That doesn't stop people from cracking them with enough effort though.

        • reply
          April 26, 2011 3:18 PM

          I missed that thread, but I'm betting they stored passwords. I don't think they'd have worded the way they did otherwise. After all, they are going to get serious flak from the security people if they don't clear that up.

      • reply
        April 26, 2011 3:18 PM

        You're just speculating. Gawker stored hashed, salted passwords but it was still trivially easy for many simple passwords to get brute forced because Gawker used an old hashing algorithm that was very fast to compute. Even if PSN stored passwords using some current best-practice password storage scheme like bcrypt, there's still the possibility of users' passwords being recovered, albeit slowly, at great computational expense. Maybe Sony did something stupid like using MD5, but it's possible they're just assuming the worst even though it's a PR disaster.

        • reply
          April 26, 2011 3:24 PM

          In ideal cases, it would take an astronomically long time to brute force a best-practice hash... but then Sony also got caught using ECDSA in the PS3 firmware without randomizing the variable that said "please make this a random integer!", and that's how the private key got decrypted.
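The firmware-signing failure the comment refers to is nonce reuse. ECDSA computes s = k^-1 (h + r*d) mod n with a fresh random k per signature; if two signatures share k they also share r, which gives two linear equations in the two unknowns k and d, and the signing key falls out with nothing more than modular arithmetic. Added worked example (not Sony's code, curve or keys): a toy curve over GF(17) with a 19-element group, chosen so every step can be checked by hand; the private key, the repeated nonce and the two digests (treated as integers already reduced mod n) are constructed.

```python
"""Added worked example for this page, not Sony's code or parameters:
ECDSA private-key recovery from two signatures that reused the nonce k.
Toy curve y^2 = x^3 + 2x + 2 over GF(17), generator (5,1) of order 19,
small enough to check by hand. Digests are constructed integers already
reduced mod n; no real hash function is involved."""

p, a, b = 17, 2, 2          # curve E: y^2 = x^3 + a*x + b (mod p)
G = (5, 1)                  # generator
n = 19                      # order of G (the group has 19 points)

def inv(x: int, m: int) -> int:
    """Modular inverse (Python >= 3.8)."""
    return pow(x % m, -1, m)

def ec_add(P, Q):
    """Affine point addition; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                   # P == -Q
    if P == Q:
        lam = (3 * x1 * x1 + a) * inv(2 * y1, p) % p  # tangent slope
    else:
        lam = (y2 - y1) * inv(x2 - x1, p) % p         # chord slope
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)

def ec_mul(k: int, P):
    """Double-and-add scalar multiplication."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R

def sign(d: int, h: int, k: int):
    """ECDSA: r = x(kG) mod n, s = k^-1 (h + r*d) mod n.
    k MUST be fresh and unpredictable per signature; the caller supplies it
    here only so the demo can deliberately reuse it."""
    r = ec_mul(k, G)[0] % n
    s = inv(k, n) * (h + r * d) % n
    assert r and s, "degenerate nonce, pick another k"
    return (r, s)

def verify(Q, h: int, sig) -> bool:
    """Standard ECDSA verification against public key Q = d*G."""
    r, s = sig
    w = inv(s, n)
    X = ec_add(ec_mul(h * w % n, G), ec_mul(r * w % n, Q))
    return X is not None and X[0] % n == r

def recover_private_key(sig1, sig2, h1: int, h2: int):
    """Two signatures with the same r (same k) give, all mod n:
       s1 - s2 = k^-1 (h1 - h2)   =>  k = (h1 - h2) / (s1 - s2)
       s1      = k^-1 (h1 + r d)  =>  d = (s1 k - h1) / r
    No curve arithmetic is needed on the attacker's side."""
    (r1, s1), (r2, s2) = sig1, sig2
    assert r1 == r2, "different r: the nonces differ, this attack does not apply"
    k = (h1 - h2) * inv(s1 - s2, n) % n
    d = (s1 * k - h1) * inv(r1, n) % n
    return k, d

if __name__ == "__main__":
    d, k = 7, 3                      # signer's private key and the nonce it reused
    Q = ec_mul(d, G)                 # public key
    h1, h2 = 7, 13                   # two different message digests (mod n)
    sig1, sig2 = sign(d, h1, k), sign(d, h2, k)
    print("sig1 =", sig1, "sig2 =", sig2)
    print("both verify:", verify(Q, h1, sig1) and verify(Q, h2, sig2))
    print("recovered (k, d) =", recover_private_key(sig1, sig2, h1, h2))  # (3, 7)
```

On a real curve only the numbers get bigger; the two signatures leak the key just the same, which is why a signer must never reuse k and why deterministic nonce derivation (RFC 6979) exists.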

          • reply
            April 26, 2011 10:40 PM

            Wouldn't someone/group with this level of expertise have distributed computing at their fingertips? Perhaps through infected zombie PC's?

        • reply
          April 26, 2011 3:25 PM

          I think it's pretty informed speculation since it's the most simple reading of their statement. I would say that you're speculating that only hashes were leaked.

          Also, you're right about the Gawker leak, that was stupid of them. They used DES however. Even the now-"broken" MD5 with a sizable amount of salt would have been adequate to protect much of the list. It's like everyone has forgotten everything that was learned in the 90s about basic secure coding practices. :(

          • reply
            April 26, 2011 3:41 PM

            Proper implementations cost time and money and it's easier and cheaper to just do it wrong. Especially when executives view IT and security as an expense.

            • reply
              April 26, 2011 4:05 PM

              Yeah, no kidding. Although in this case I don't think that's true. If someone came up to me and said I needed to store account info and they needed it done right away, I don't think I could honestly make the argument that I'd just store the pw in plain text to "save time". It's really not hard to just call a standard API or worst case add my own salt and hash it with SHA-2 or something.

        • reply
          April 26, 2011 3:29 PM

          To be fair, Sony specifically said passwords were compromised. The speculation is actually that they mean something different, because it's just hard to believe they could be that incompetent.

          • reply
            April 26, 2011 3:31 PM

            pretty much. Sony said passwords were compromised, that's as simple as it gets. Any other interpretation is reading between the lines at this point.

          • reply
            April 26, 2011 3:38 PM

            This is Sony we're talking about, though. After seeing them fall on their face this many times, I won't believe there's something that they're not incompetent enough to do.

          • reply
            April 26, 2011 8:08 PM

            Right, if they used a static salt (which is right in line with the security fuck-up that led to the original hack) along with a weak hash like MD5, then even though the passwords aren't stored in plain text you can still create valid collisions and gain access.

            I don't think Sony is retarded enough to store that information in plain text, but I do think they're retarded enough to protect it poorly.
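The argument running through this thread (passwords versus hashes, Gawker's fast hash falling to a dictionary, "MD5 with a sizable salt", a static salt) comes down to one question: how much does each storage scheme cost an attacker who already has the database? The block below is an added demonstration written for this page, not Sony's or Gawker's code; the users, passwords and wordlist are constructed. It stores the same three passwords three ways and runs the attacker's side against each.

```python
"""Added example for this page (not Sony/PSN code): why "hashed" does not
mean "safe", and what a per-user salt plus a slow KDF actually buy.
Users, passwords and the wordlist are constructed for the demo."""
import hashlib
import hmac
import os

# Constructed wordlist standing in for a real dictionary or leaked-password list.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "sony123"]

# Constructed user table: two weak passwords, one long random one.
USERS = {"alice": "123456", "bob": "dragon", "carol": "vT9#pL2q!xRw8mZe"}

SITE_SALT = b"psn-global-salt"   # one *static* salt shared by every record (bad)

def store_md5(password: str) -> str:
    """Unsalted fast hash."""
    return hashlib.md5(password.encode()).hexdigest()

def store_md5_static_salt(password: str) -> str:
    """Fast hash with a site-wide salt. Off-the-shelf rainbow tables no longer
    apply, but whoever dumped the database also has the salt, builds one table,
    and cracks every user with it, exactly as in the unsalted case."""
    return hashlib.md5(SITE_SALT + password.encode()).hexdigest()

def store_pbkdf2(password: str, iterations: int = 50_000, salt: bytes = None) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256
    here; bcrypt/scrypt/Argon2 are the same idea). Use a far higher iteration
    count in production; 50k keeps the demo quick."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute with the stored salt and count; constant-time compare."""
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def crack_with_table(db: dict, hash_fn, wordlist) -> dict:
    """Attacker side for the two fast schemes: hash the wordlist ONCE, then
    look every stolen record up in the table. Cost is len(wordlist) hashes
    regardless of how many users were dumped."""
    table = {hash_fn(w): w for w in wordlist}
    return {user: table[h] for user, h in db.items() if h in table}

def crack_pbkdf2(db: dict, wordlist) -> dict:
    """Attacker side for the salted slow scheme: no shared table is possible,
    so every user costs len(wordlist) * iterations HMAC calls. Weak passwords
    still fall (hence 'change it anyway'); the one not in the list survives."""
    found = {}
    for user, record in db.items():
        for candidate in wordlist:
            if verify_pbkdf2(candidate, record):
                found[user] = candidate
                break
    return found

def run_demo(iterations: int = 50_000) -> dict:
    """Store USERS three ways and return what each attack recovers."""
    db_md5 = {u: store_md5(pw) for u, pw in USERS.items()}
    db_static = {u: store_md5_static_salt(pw) for u, pw in USERS.items()}
    db_pbkdf2 = {u: store_pbkdf2(pw, iterations) for u, pw in USERS.items()}
    return {
        "md5": crack_with_table(db_md5, store_md5, WORDLIST),
        "md5_static_salt": crack_with_table(db_static, store_md5_static_salt, WORDLIST),
        "pbkdf2": crack_pbkdf2(db_pbkdf2, WORDLIST),
    }

if __name__ == "__main__":
    for scheme, cracked in run_demo().items():
        print(f"{scheme:16} cracked: {cracked}")
```

All three schemes give up alice and bob, which is the reason a breach notice says "change your password" even when only hashes left the building. The difference is in the bill: the two fast schemes cost the attacker one pass over the wordlist for the whole database, while the per-user-salted slow scheme costs a full pass per user, multiplied by the iteration count, and still never finds carol.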

      • reply
        April 26, 2011 3:32 PM

        God dammit we need immediate clarification on this. HOW COULD THEY NOT STORE HASHES? WTF!?

        I'm so pissed right now.

        • reply
          April 26, 2011 3:42 PM

          Pretty sure I read yesterday that they've been caught transmitting credit card info in plaintext. Why does this surprise you?

          • reply
            April 26, 2011 4:01 PM

            Because it's something so incredibly fundamental that I find it impossible to believe that NO ONE working in that department thought to themselves, "well gee, I wonder if there's a better way to store people's passwords than just plain text in this database over there?"

            • reply
              April 26, 2011 4:03 PM

              Like I said, they've got a track record of these idiotic decisions. Plus, imagine the bureaucracy in a company that large. I imagine some distant manager hands down the specs and any rational employee faces nearly impossible odds for getting it changed. Maybe I'm wrong, but there's got to be some kind of explanation for the repeated failures of this magnitude.

            • reply
              April 26, 2011 4:05 PM

              We're talking about a company that also failed to do the "use a random number" part of generating their encryption keys.

            • reply
              April 26, 2011 5:16 PM

              Quite often someone does make a stink about it but upper management is like nah not worth the trouble, will cost too much money. Having specifically dealt with credit card processors and banks as I've noted before many store shit in plain text even though they aren't supposed to. The only reason you even find out is when someone hacks, but if determined hackers started really hitting all sorts of companies peoples data would be coming out left and right.

          • reply
            April 26, 2011 5:33 PM

            If this is true, they could face major fines. I'm no expert in the matter but I suspect that PCI compliance requires secure transfer of CCs in addition to the storage requirements.

            • reply
              April 26, 2011 5:49 PM

              They never would have been able to pass PCI compliance if they engineered it to work like this to begin with. There's no way they are plain text transferring or storing it because they wouldn't be allowed to do business in the first place.

            • reply
              April 26, 2011 10:43 PM

              Major fines or pocket change to Sony?

      • reply
        April 26, 2011 4:02 PM

        \m/ BEYOND THE PALE!!! \m/

    • reply
      April 26, 2011 3:11 PM

      I'm really really annoyed at Sony over this. kind of ridiculous that it took a week to get this info out. Now I have to go change a lot of passwords & watch my CC for the next few months(years).

    • reply
      April 26, 2011 3:21 PM

      Sooo glad I never signed up for a PSN account, and have only plugged an Ethernet cable into the PS3 three times to anonymously download the patches for Bayonetta, Catherine, and GT5.

    • reply
      April 26, 2011 3:22 PM

      So does this affect you if you've ever bought anything from Sony via CC? I think I've only used the psn store once and I can't remember if you link your CC with it or if you can choose to only input it for each purchase or if it would ever matter in this case.

      • reply
        April 26, 2011 3:27 PM

        If they ever had your CC, it's a safe bet they stored it. I would think they want to so you don't have to punch in a big number each time through a controller.

        • reply
          April 26, 2011 3:33 PM

          Lame. When it comes to credit cards I'd always rather take the time to punch it in instead of having it stored anywhere. I guess this is a wake up call to myself to think more about what I buy and where.

          But what really irks me is that the first time I ever use the PSN store was about a week and a half before this shit went down.

        • reply
          April 26, 2011 3:38 PM

          So for a service like amazon or steam where they specifically ask you "would you like us to save your CC info for faster check out next time?" does that mean they don't store it anywhere? I'm guessing they still do and that only really protects you from someone logging onto your computer and buying shit.

          • reply
            April 26, 2011 3:48 PM

            where's the confusion here?

            "would you like us to save your CC info for faster check out next time?"

            YES -> they save your CC info.

            NO -> they don't save your CC info.

            Either way they'll save authorization/confirmation number and transaction ids. If you choose No they won't save the card number or expiration date. If you say yes, they will store those encrypted, but won't store the card's security code.

          • reply
            April 26, 2011 4:01 PM

            It's hard to say without knowing their processes. I'm only making a guess about Sony in this case. I think it's a little different than a website like Amazon. In the same way that iTunes always stores your CC because they don't think you'd want to punch it in over and over again on your iPhone to buy things. Websites frequently have a use-and-forget mode for CC input which is really nice to have, but I guess you just have to trust them on the "forget" part.

    • reply
      April 26, 2011 3:25 PM

      FFS Sony...

    • reply
      April 26, 2011 3:32 PM

      GG Sony. thanks for no info on our CC's

      • reply
        April 26, 2011 3:40 PM

        thinking better safe than sorry. it's the end of the month so as soon as my bills get charged to my CC i am going to phone into my bank and get a new credit card.

        • reply
          April 26, 2011 3:51 PM

          more or less what i'm planning on, just gotta get over the bill-pay hump

    • reply
      April 26, 2011 3:40 PM

      Hackers be hackin

    • reply
      April 26, 2011 3:44 PM

      How do you check your PSN info? I don't remember what CC I have stored on it.

      • reply
        April 26, 2011 3:46 PM

        I think you have to look through credit card statements :(

        • reply
          April 26, 2011 3:51 PM

          Look through your emails for ones from 'DoNotReply@ac.playstation.net' and it'll list the last 4 digits of the card used.

          http://www.joystiq.com/2011/04/26/sony-says-psn-intrusion-compromised-personal-info-hopes-to-ha/

          • reply
            April 26, 2011 4:05 PM

            Thank you for the info, helped a lot.

          • reply
            April 26, 2011 4:11 PM

            much thanks. This should probably be INF'd as well.

          • reply
            April 26, 2011 4:35 PM

            Nice, that helped. Luckily that cc# is expired and even though it's the same number, the date is changed so hopefully that's enough for me.

          • reply
            April 26, 2011 5:39 PM

            Thanks! This reassured me that they only have an expired CC number for me. I feel better :)

          • reply
            April 26, 2011 5:52 PM

            weird, the CC# part is blank but I do remember buying some PS1 game on PSN.

          • reply
            April 26, 2011 6:21 PM

            Hmm. I didn't receive an email.

          • reply
            April 26, 2011 6:46 PM

            interesting

            thanks.

          • reply
            April 26, 2011 8:37 PM

            son of a bitch, looks like I had used one on psn. Although the card is expired now as far as exp date and the security code. Think I will still cancel it tomorrow.

        • reply
          April 26, 2011 3:56 PM

          Found it, luckily I used a HSBC card that provides zero fraud liability coverage, whew!

          This situation is still fucked up. I refuse to buy another PS3 or PSx game.

      • reply
        April 26, 2011 9:06 PM

        I used my card fairly recently to get Stacking. :/

    • reply
      April 26, 2011 3:48 PM

      Senator Richard Blumenthal (D, CT) wrote an open letter to Jack Tretton: http://gamepolitics.com/2011/04/26/richard-blumenthal-sends-letter-sony-over-psn-data-theft

      Dear Mr. Tretton:

      I am writing regarding a recent data breach of Sony’s PlayStation Network service. I am troubled by the failure of Sony to immediately notify affected customers of the breach and to extend adequate financial data security protections.

      It has been reported that on April 20, 2011, Sony’s PlayStation Network suffered an “external intrusion” and was subsequently disabled. News reports estimate that 50 million to 75 million consumers -- many of them children -- access the PlayStation Network for video and entertainment. I understand that the PlayStation Network allows users to store credit card information online to facilitate the purchasing of content such as games and movies through the PlayStation Network. A breach of such a widely used service immediately raises concerns of data privacy, identity theft, and other misuse of sensitive personal and financial data, such as names, email addresses, and credit and debit card information.

      When a data breach occurs, it is essential that customers be immediately notified about whether and to what extent their personal and financial information has been compromised. Additionally, PlayStation Network users should be provided with financial data security services, including free access to credit reporting services, for two years, the costs of which should be borne by Sony. Affected individuals should also be provided with sufficient insurance to protect them from the possible financial consequences of identity theft.

      I am concerned that PlayStation Network users’ personal and financial information may have been inappropriately accessed by a third party. Compounding this concern is the troubling lack of notification from Sony about the nature of the data breach. Although the breach occurred nearly a week ago, Sony has not notified customers of the intrusion, or provided information that is vital to allowing individuals to protect themselves from identity theft, such as informing users whether their personal or financial information may have been compromised. Nor has Sony specified how it intends to protect these consumers.

      PlayStation Network users deserve more complete information on the data breach, as well as the assurance that their personal and financial information will be securely maintained. I appreciate your prompt response on this important issue.


      Sincerely,

      Richard Blumenthal
      United States Senate

      • reply
        April 26, 2011 3:52 PM

        the timing of that letter was before the statement, so it's possible that the letter helped push them to be more forthcoming

      • reply
        April 27, 2011 10:37 AM

        Um, yeah, he needs to worry about balancing and passing a budget and gas prices.

    • reply
      April 26, 2011 3:53 PM

      Last Sony product I ever buy, its over faggots. I don't care if the next playstation sucks my cock, its fucking over Sony I QUIT YOU

      • reply
        April 26, 2011 5:07 PM

        That was me after discovering the Sony Walkman Bean digital music player could only play ATRAC and all my tracks had to be converted. And the rootkit thing.

    • reply
      April 26, 2011 3:56 PM

      *sigh*

      Some serious bush league IT security over there at Sony with a healthy dash of terrible fucking PR management. They waited almost 10 days to tell customers that their personal and credit card information could have been compromised? Really? God damn.

      You can say "you get what you pay for" all day long and until you're blue in the face, but that's not remotely the issue. PSN+ members pay good money (and receive some fantastic benefits!), and it's not like the DCUO subscribers are getting anything for free. The problem is simply their set of security policies sucked and their lackadaisical attitude toward both resolving known vulnerabilities and keeping their customers informed over time has been inexcusable. That's just piss poor business no matter what the service is (free email or a free forum, web hosting, your phone provider, your utility service, a gambling website, etc).

      It'll be interesting to see what the long term effects are for Sony on this one (as a company, as a service provider, and as a general player in the market). Sure, they can have an outside, supposedly independent company assure everyone that their network is now secure, but who's really going to trust them and who's going to want to deal with a company that didn't take those steps in the first place? I mean, 75 million subscribers across 59 countries just had their account information leaked. That's a huge fuck up. Fucking huge fuck up.

      Oh well, I'm going back to playing some more Portal 2 so that I can shoot for that platinum trophy before PSN gets back up and my account syncs.

    • reply
      April 26, 2011 4:04 PM

      I guess it's a good thing I use a throw-away password for my PSN account. Now I don't feel so guilty for sharing all the stuff I bought with my friends.

      And I'll be getting a new CC issued to be on the safe side.

    • reply
      April 26, 2011 4:24 PM

      Strange, my iTunes account was hacked today...I used the same password for PSN...change those passwords folks! Weird thing was they didn't use my credit card I had on file, but changed it to another one and made two payments for 50 dollar gift certificates.

      • reply
        April 26, 2011 4:25 PM

        The credit card they used was probably a stolen number.

        • reply
          April 26, 2011 5:00 PM

          Yeah that is a pretty typical hack. They get into your account. Buy gift cards with a stolen credit card and then sell those gift cards and make lots of money that way. iTunes has had some major issues with this, and now has a stricter password requirement when you create an account or change your password.

    • reply
      April 26, 2011 4:31 PM

      Reason #1 Xbox LIVE isn't free: Because when it goes down, you have a reason to bitch ;)

      • reply
        April 26, 2011 4:49 PM

        having your information stolen isn't reason enough to bitch? :)

    • reply
      April 26, 2011 4:34 PM

      We all should really think about this here, there's no telling where or who this info was sold to or who has possession of it. I've never been hacked or had my info stolen once in the 20 years I've been using computers. Going to use this as an opportunity to change all my info and get a fresh start just in case.

    • reply
      April 26, 2011 5:13 PM

      from now on, every site gets a random password from mashing on the keys. This is going to require me to use the Forgot My Password link each time! Best password security IMO.

      • gmd
        reply
        April 26, 2011 5:18 PM

        pen + paper for all passwords

      • reply
        April 26, 2011 6:02 PM

        Naw, just do what I do. I set up a system for my password instead of using the same password or variation across multiple sites. The password itself changes based on the name of the site/service I am logging into.

        This is not the method I use but an example would be:

        shacknews+solrflare = ssh0@lcr
        itunes+solrflare = ist0ulnr

        etc.

        That way you have multiple different complex passwords but it's easy to remember them for the site in question. Unless someone guesses the method itself my passwords are safe. Guessing a method is harder to do unless a hacker specifically targeted me and all the sites I use.
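
The site-keyed idea above stands or falls on the method staying secret, since both example passwords visibly share the letters of "solrflare". As an added example (not the commenter's code), here is the same idea with the per-site derivation done by a one-way KDF instead of an interleaving rule, so one leaked password reveals nothing about the master secret or any other site, plus a per-site counter so a single site (say, PSN after this breach) can be rotated without touching the rest. The function name, its parameters and the master passphrase are hypothetical; the alphabet is constructed for the example.

```python
import hashlib
import string

# 64-symbol alphabet (constructed for this example): 6 bits per output
# character, so mapping a byte with "& 63" is uniform and needs no modulo.
ALPHABET = string.ascii_letters + string.digits + "!@"
assert len(ALPHABET) == 64


def derive_site_password(master_secret: str, site: str, length: int = 16,
                         counter: int = 0, iterations: int = 200_000) -> str:
    """Derive a per-site password from one master secret (hypothetical API).

    The site label and counter act as the KDF salt; they are not secret,
    so the master secret must be a long, high-entropy passphrase. Because
    PBKDF2 is one-way, a password leaked from one site cannot be turned
    back into the master secret or into another site's password. Bumping
    `counter` for one site rotates only that site's password.
    """
    if length < 8:
        raise ValueError("use at least 8 characters")
    # Normalise the site label so "ITunes " and "itunes" derive the same value.
    label = site.strip().lower()
    salt = f"site:{label}:counter:{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master_secret.encode(), salt,
                              iterations, dklen=length)
    return "".join(ALPHABET[b & 63] for b in key)


def rotate_site(counters: dict, site: str) -> dict:
    """Return a new counter map with `site` bumped; other sites are unchanged.

    The map is the only state a user keeps; it is not secret on its own.
    """
    label = site.strip().lower()
    updated = dict(counters)
    updated[label] = updated.get(label, 0) + 1
    return updated


if __name__ == "__main__":
    master = "correct horse battery staple but longer"  # constructed
    counters = {}
    for site in ("shacknews", "itunes", "psn"):
        c = counters.get(site, 0)
        print(site, derive_site_password(master, site, counter=c))
    # After a breach at PSN, rotate that one site only.
    counters = rotate_site(counters, "psn")
    print("psn (rotated)",
          derive_site_password(master, "psn", counter=counters["psn"]))
```

The trade-off is that anyone who learns the master passphrase and the scheme gets every password, which is why a manager with random per-site passwords, as the KeePass and LastPass replies further down suggest, remains the simpler choice.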

      • reply
        April 26, 2011 6:14 PM

        I went to every website I could recall having an account and generated a new, stronger password using KeePass. Of course, I managed to completely overlook PSN.

        • reply
          April 26, 2011 6:15 PM

          I did this a month ago, not tonight. Lucky timing.

      • reply
        April 26, 2011 10:56 PM

        Use LastPass's secure password generator (you can even set it up to a hotkey). It'll remember it for you securely.

      • reply
        April 26, 2011 5:47 PM

        Don't know what it means but it's interesting.... I only hope there's still good in this world of hackers that can get a better name for themselves and catch the ones that just want to be destructive with their work....

      • reply
        April 27, 2011 2:24 AM

        Wait a minute, they allowed their Apache access logs to be available from a public URL? Are you kidding me?

        What the fuck is wrong with this company?

    • reply
      April 26, 2011 5:46 PM

      Well, thank goodness I was still using my old spam-trap email address with my PSN account. I imagine those email addresses are going to get around now.

    • reply
      April 26, 2011 5:50 PM

      Don't forget to change your Microsoft Live account info, if you use the same username/password.

      Or any other account that uses the same combo, for that matter.

      • reply
        April 26, 2011 5:52 PM

        thankfully only my itunes account was like that, and I got to it before anything happened there

      • reply
        April 26, 2011 6:55 PM

        Live, Steam, itunes, gmail, twitter, skype, facebook...

        • reply
          April 26, 2011 7:04 PM

          I have a different username for twitter/skype/facebook, I guess I should change the password though.

    • reply
      April 26, 2011 6:31 PM

      I'm soooo looking forward to their opening speech at E3...they'll probably pretend it never happened...

    • reply
      April 26, 2011 6:40 PM

      Fortunately for me, the CC I had on PSN is long canceled and I haven't bought anything on it since I think Fat Princess.

      • reply
        April 26, 2011 6:46 PM

        ouch

      • reply
        April 26, 2011 6:55 PM

        I just realized that I'm in the same boat. AWESOME!!!

      • reply
        April 26, 2011 6:57 PM

        UNFORTUNATELY I updated my CC so I could get Xenogears :(

      • reply
        April 26, 2011 6:59 PM

        Exact same boat here lol. I just did an email search

      • reply
        April 26, 2011 7:04 PM

        Yup, same here. Last thing I bought was Fat Princess on 07/30/2009

    • reply
      April 26, 2011 6:50 PM

      Between this and the YLOD they can eat a dick. The YLOD is just as bad as the RROD except it's delayed until after 3-4 years. In some ways it's worse because the console is more expensive and it's out of warranty when it breaks. Every friend I know who has owned a 60gb has had to replace it.

      Sony won't be getting a penny from me next generation.

      • reply
        April 26, 2011 6:58 PM

        I think your experience is just a case of bad luck. I mean, my 60gb and everyone I know who has one still rocks on fine till this day.

        But having PSN hacked and compromised to this level is just as bad (or even worse).

        • reply
          April 26, 2011 9:26 PM

          Do you actually use it for games? If you do, just give it time. It will happen.

      • reply
        April 26, 2011 8:59 PM

        I'm with ya. Sony has really screwed themselves with this debacle.

    • reply
      April 26, 2011 6:53 PM

      here's a big fuck you to Sony

    • reply
      April 26, 2011 6:57 PM

      It's headline article on CNN now. This will be a PR nightmare for Sony.

    • reply
      April 26, 2011 7:12 PM

      And we can all thank Anon for bringing this on Sony, what a great cause! So exciting to see a group of morons doing good on the internetz! When the playstations a brick with no games or PSN we can all thank them for this! What's their next big thing?

      If you can't tell I'm being sarcastic...

    • reply
      April 26, 2011 7:29 PM

      Anyone preemptively get a new credit card yet or are you playing wait and see?

      • reply
        April 26, 2011 7:31 PM

        wait and see at least until after I pay my bills

        • reply
          April 26, 2011 7:43 PM

          Same. Thankfully the credit card I used is easily sacrificed if I have to as it's just used for small online purchases while I keep my main credit card separate for the rare big/important stuff just for this reason. It also makes tracking strange transactions easier.

      • reply
        April 26, 2011 7:46 PM

        I'm still waiting...

      • reply
        April 26, 2011 9:34 PM

        I closed both my cards and had them re-issue me new ones since I'm not sure which card I was using on PSN currently (And the last thing I bought was back a year ago, so I can't check). It's no big deal, since I pay my bills with checks.

        It just means I can't buy anything on Steam until 5-6 business days. I hope they don't have a hot sale again.

    • reply
      April 26, 2011 7:31 PM

      Well, whether you believe them or not by this stage, they claim they didn't know the "full extent" until Monday.

      http://www.kotaku.com.au/2011/04/sony-didnt-know-severity-of-ps3-breach-until-monday/

      • reply
        April 26, 2011 7:33 PM

        i wonder what forensic analysis of a database is like. too bad probably nothing like CSI :(

      • reply
        April 27, 2011 2:17 AM

        Utter nonsense.

        Given the nature of a hack it is immediately obvious whether sensitive information can be gleaned from the resulting access. There are no 'data forensics' or 'outside experts' required to arrive at that conclusion.

        Jesus Christ, they employ the engineers who build, maintain, optimize, secure and debug the very network that was compromised. Are they expecting us to believe that those engineers threw their hands up with a "Fucked if we know what happened - let's get in the experts"?

    • reply
      April 26, 2011 7:38 PM

      Never had my CC, but I did give my real name and address. Pretty pissed right now.

      • reply
        April 26, 2011 7:42 PM

        I would like to know the secret questions/answers that they have on me as well.

        • reply
          April 26, 2011 7:52 PM

          I completely forgot what I put for that, I can guess the password by the length. This shit isn't supposed to happen with a company like sony >:(

    • reply
      April 26, 2011 7:47 PM

      To be honest, personally I'm only a bit annoyed rather than pissed about this. Of course, I understand if you had your credit card details saved in your account then you have every right to be angry.

      It's quite ironic how Sony touting the 70 million figure for number of PSN accounts has backfired on them. We all know it's likely due to multiple accounts per person but the knee-jerk reaction of some naive "journalists" still states this figure to add a bit more drama.

    • reply
      April 26, 2011 7:52 PM

      Sony's PR and Security teams are racing to the bottom of the barrel. You warn people that their shit may be stolen a week after the fact?

    • reply
      April 26, 2011 7:53 PM

      This is messed up, I just got an email that got through my Gmail spam filter and included information about the state where I lived when I registered for PSN. It's trying to get me to "freeze" my credit report by sending all my personal information to random addresses they claim are the major credit bureaus.

      People who don't know any better are going to get owned hard by this type of social engineering...

      • reply
        April 26, 2011 8:17 PM

        seriously? already?!? fucking fuck Sony

      • reply
        April 26, 2011 8:40 PM

        wow

      • reply
        April 26, 2011 9:04 PM

        were they not these addresses?

        Experian: 888-397-3742; www.experian.com; P.O. Box 9532, Allen, TX 75013

        Equifax: 800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241

        TransUnion: 800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790

        • reply
          April 26, 2011 9:05 PM

          (these are the addresses they posted on the blog and the addresses they said they'd be emailing everyone)

        • reply
          April 26, 2011 9:08 PM

          Equifax Security Freeze
          P.O. Box 105788
          Atlanta, GA 30348

          Experian Security Freeze
          P.O. Box 9554
          Allen, TX 75013

          Trans Union Security Freeze
          Fraud Victim Assistance Department
          P.O. Box 6790
          Fullerton, CA 92834

          • reply
            April 26, 2011 9:09 PM

            The email was sent by "playstation-email.com" (it seemed shady, didn't visit the website myself).

            • reply
              April 26, 2011 9:12 PM

              damn that is scary

              • reply
                April 26, 2011 9:25 PM

                Yeah. Here's the full email: It looks like it was copied from the blog post you mentioned, but made some interesting edits (see the parts where you have to send $5 to the credit bureaus, and send your SSN among other personally identifiable information):

                http://pastebin.com/7Tz5wUTA

                • reply
                  April 26, 2011 9:28 PM

                  that's fucked. it got through spam too

                • reply
                  April 26, 2011 9:39 PM

                  well now i'm confused... there was no website or anything for social engineering... that entire email looks legit except for the from field...

                • reply
                  April 26, 2011 9:39 PM

                  I got a similar email from the same address. Looks like they are putting information specific for Mass. Law in that version. All links go to legit sites and they don't ask you to send info. Probably legit.

                  • reply
                    April 26, 2011 9:43 PM

                    asking for a social security number in there seems really shady

                    • reply
                      April 26, 2011 9:46 PM

                      you have to send ssn to the legit site if you want your report, guessing they are just also mentioning the snail mail out of some legal requirements.

                    • reply
                      April 26, 2011 9:48 PM

                      If you want to put a freeze on your credit report it says to mail your contact information, including social, to the credit guys. PO Boxes all looked legit as well in my 10 second google

                • reply
                  April 26, 2011 9:41 PM

                  jesus christ, if that's not legitimate....

                • Ebu
                  reply
                  April 26, 2011 9:47 PM

                  In a horrible addition to the shitty handling of all this, that is possibly an official carrier.

                  Innovyx was used by them earlier this year to send out updated TOS or some such, and I'm seeing some forum chatter about playstation-info.com being official and also being used to deliver some newsletters.

                  http://community.us.playstation.com/thread/3419557?start=0&tstart=0

                  Maybe not, but don't jump too far across that mat just yet.

                  • reply
                    April 26, 2011 9:48 PM

                    The TOS update email I received on 04/04/11 was sent by PlayStation_Network@playstation-email.com

                    • reply
                      April 26, 2011 9:59 PM

                      Yeah whoops, all my PSN correspondence HAD been using that carrier. Still, the instructions don't match what was on the Playstation blog...sending money and the last 5 addresses you lived to the credit bureaus? To PO Box numbers that don't match official addresses?

                      • reply
                        April 26, 2011 10:02 PM

                        They do match. Instructions are fine. Looks like they made modifications for specific state law.

                        http://www.atg.wa.gov/freezecharts.aspx ( ono they are also trying to steal me identity!)

                        • reply
                          April 26, 2011 10:12 PM

                          Fair enough, you win, congrats. Can you at least agree that the method of delivery of this fraud prevention information was poor, if it left this much reasonable doubt?

                          • reply
                            April 26, 2011 10:33 PM

                            good to know it's legit, but it's another example of Sony's lousy communications

                          • Ebu
                            reply
                            April 27, 2011 7:24 AM

                            Why are you being so bitter? Do you want someone to be sending you spam email? Really? We're all on the same team, here.

            • reply
              April 26, 2011 9:24 PM

              registered feb - 11 - 2011

            • reply
              April 26, 2011 9:46 PM

              that domain goes to Innovyx who is an email marketing firm for Sony. It's legit.

      • reply
        April 26, 2011 9:49 PM

        probably not related. the hackers already have all your personal info

      • reply
        April 26, 2011 9:50 PM

        nothingtoseehere,movealongfolks'd

    • reply
      April 26, 2011 10:04 PM

      Good thing they let people know their info is compromised ... a week after the fact. That's very kind of them.

      • reply
        April 26, 2011 10:15 PM

        They haven't emailed anything to me yet. If I wasn't actively looking for this information I would have no idea.

        • reply
          April 26, 2011 10:25 PM

          Yeah I've had no email either

    • reply
      April 26, 2011 10:43 PM

      y'know, i honestly expected a thousand-post megathread about this...

    • reply
      April 26, 2011 10:53 PM

      So what sort of effect do you think that this whole debacle will have on Sony's approach to their online service with the PS4, and its lasting effects on the Playstation brand as a whole? I don't think that it will kill the Playstation brand as a whole, not by any means, but I have a feeling that you're going to see the next iteration of Sony's online presence be a much less "open", and likely a paid, model.

      • reply
        April 26, 2011 11:00 PM

        Sometimes I wonder if Sony is even capable of learning from technical fumbles. They've racked up quite a few in the last few years.

        • reply
          April 26, 2011 11:15 PM

          It makes you wonder sometimes what the hell is going on at the top at Sony. From the horrible PR gaffes leading up to the launch of the PS3, the constant contradictions when it came to backwards compatibility and rumble, Playstation Home's very existence, and this most recent debacle, it really seems like the executives are utterly disconnected from reality. It's like they're expecting the Sony name to let them weather any storm or dumb move without realizing that we're no longer in the Walkman days when they reigned supreme.

          • reply
            April 26, 2011 11:30 PM

            I'd like to argue with that, but really, I can't. What's funny is that in spite of all that I am actually reasonably happy with the PS3. Go figure.

            • reply
              April 26, 2011 11:39 PM

              i'm really happy with mine, despite all the gaffes

            • reply
              April 27, 2011 12:17 AM

              Oh yeah, I may not own a PS3, and I may utterly despise the XMB and have serious issues with the approach they took to PSN, but I still like the system. I'm honestly probably going to pick up a PS3 before I replace my RROD'd launch 360 (R.I.P.), pretty much all of my gripes about PS3 as a platform have much more to do with Sony's PR and corporate image as it relates to the PS3 than they do with the actual system.

              Other than the controller, that is. I'm sorry, but the 360 controller just blows it out of the water. ;)

              • reply
                April 27, 2011 12:26 AM

                How can you hate the XMB? It's so simple and intuitive.

                • reply
                  April 27, 2011 12:47 AM

                  It's fine for simple stuff, but it does have limitations once submenus show up. You really see the weaknesses of the approach when navigating videos organized by folder on a network share.

                  • reply
                    April 27, 2011 12:50 AM

                    You think? I never had any issues with it, I navigated them largely the same way I did on PC.

                    • reply
                      April 27, 2011 1:01 AM

                      Well, yeah, I wouldn't have said it otherwise. In submenus if you press the wrong direction on the d-pad you lose your place entirely. It doesn't handle "back" properly.

                • reply
                  April 27, 2011 1:09 AM

                  Mostly from doing TRC checks, it made every flaw (major or minor) with the XMB become burned into my brain.

          • reply
            April 26, 2011 11:39 PM

            makes it pretty obvious that the top isn't run by the playstation team. bravia team probably

    • reply
      April 27, 2011 12:57 AM

      This is the lead story on CNN atm. Crazy

      • reply
        April 27, 2011 1:36 AM

        could've sworn this was actually submitted last month or the month before.

      • reply
        April 27, 2011 2:02 AM

        I'm pretty sure I saw that a while back. Maybe on Digital Foundry?

    • reply
      April 27, 2011 2:59 AM

      I fucking KNEW it. Where is our threadshitting Batman?

    • reply
      April 27, 2011 3:15 AM

      Also: what about non-US PSN users?

      • reply
        April 27, 2011 4:47 AM

        Yep, we're fucked too. Huzzah. Called VISA, they are aware of the situation and will block my cc if anything shady happens. But the password thing is killing me.

        How do I fix that?

        • reply
          April 27, 2011 4:51 AM

          Change your password?

          • reply
            April 27, 2011 4:52 AM

            ORLY.

            No, I mean how do I do this right from now on? Read about several password-generating services, but I have no idea what's hot and what's not.

            • reply
              April 27, 2011 5:48 AM

              someone recommended keepass.com to me, I've not gone through and got it yet but will do it sometime this week

              I'm one of these idiots that use the same password for everything :)

              • reply
                April 27, 2011 5:56 AM

                Then we are both idiots, i guess. :(

    • reply
      April 27, 2011 5:18 AM

      Email password changed; my bank card is tied to a different email account. BoA is pretty good with keeping tabs on activity. They have locked my card on me before and I was the one that was buying stuff. Worst comes to worst, I can have a new card and number in a few days.

      Keeping an eye on my balance sheet to play it safe... of course when they said "External intrusion" red flags went up...

      Not shocked... Cyber crime is the new thing... this happened a year or two ago at M&T bank

    • reply
      April 27, 2011 3:16 PM

      For those who are looking to put a fraud alert on their file, here's the Experian link (obv the others would work as well, this just happened to be the one I googled) https://www.experian.com/fraud/center.html

    • reply
      April 27, 2011 3:18 PM

      Might just be me, but when Sony was told it's on by a group of hackers, everyone at shacknews lol'd 'n thought it was 13 year old kids, and now everything's apeshit, silly stuff

      http://www.blameitonthevoices.com/2011/04/anonymous-vs-sony.html
