PSN Hack Details: Personal Information Compromised, Possibly Credit Cards - Change your Passwords


And so it seems the lawsuits are beginning to roll in. On top of the bad press on the removal of the OtherOS feature, this isn't looking good for them at all.

More detailed FAQ of PSN and the breach was posted too.

Also, demands for new laws being made.

( Edited 28.04.2011 15:11 by Modplan Man )

Longterm this can only be a good thing, a lot of companies will (hopefully!) be reviewing their security.

This is all Sony's fault, I can't believe a company could be so careless with their users' personal information, especially these days where identity theft is rampant.

By the sounds of it they didn't do it for the users' personal information, but instead to send a message to Sony over the whole Geohot scandal.

I hope Sony suffers for this, not because of Geohot, but for letting their loyal fans down.

Sony has loyal fans?

It's going to be shit and you jolly well know it.

 

Awesome PS3 ad parody. Just throwing it out here to help to lift everyone's spirits a little bit after this horrible incident.

Security expert Kevin Stevens of TrendMicro tweeted today (April 28) that low-level cybercriminals using "carder" online forums were offering to sell a database of 2.2 million credit-card numbers taken during the PlayStation Network breach.

Independent security blogger Brian Krebs then posted screenshots of four hackers discussing the purported database in a chat room.

"xxx: format is: fname, lnams, address, zipcode, country, phone, email, email password, dob, ccnum, cvv2, exp date," wrote user "Sutekh" in one of the screenshots.

In plain English, that's the first name, last name, address, postal code, country, telephone number, email address, email password, date of birth, credit-card number, credit-card security code and credit-card expiration date attached to each of 2.2 million accounts, including "150k german ones," as Sutekh said in a different posting.

"Sony was supposedly offered a chance to buy the DB (database) back but didn't," tweeted Stevens.

Neither Stevens nor Krebs claimed to have seen the actual database being offered, and it almost sounds too good to be true. Why, for example, would Sony have the passwords to users' third-party email accounts, such as Yahoo or Gmail accounts?

SOURCE (full article).

This is just getting worse and worse. Nuclear fallout, for Sony. Their image is extremely damaged after this. That Americunt Jack Tretton must be really sweating. I predict a few resignations once the dust settles.

At least some parts of the PSN are set to be back on this week.

Each territory is to announce a set of content to give customers free. We'll also get 30 days of PlayStation Plus (those with it will get an extra 30 days). Anyone with Qriocity will also get 30 days.

blog link

Love how PSN decides to go back up, when I plan to return to Uni.

Hooray free Plus.

SINCE 06

If you haven't had your card cancelled yet - do so. My friend Ryan just phoned me to say £250 has gone out of his bank. For the record, £250 is the maximum daily withdrawal from his account.

I'm starting to hope that Sony gets sued into total bankruptcy over this.

Amethyst said:

Hooray free Plus.

Not that big of a 'hooray'. You'll be getting a month of PS Plus, but the PlayStation Store won't be back up until at least the end of this month according to Sony.

So most of the bonuses from having PS Plus are going to be null and void. By the time the 'Store is back up, your free month of PS Plus will certainly almost be over. Going by current performance of getting simple online play back up, it's highly plausible that your PS Plus will run out before the PlayStation Store is back online.

( Edited 03.05.2011 22:57 by Martin_ )

Martin_ said:
So most of the bonuses from having PS Plus are going to be null and void. By the time the 'Store is back up, your free month of PS Plus will certainly almost be over. Going by current performance of getting simple online play back up, it's highly plausible that your PS Plus will run out before the PlayStation Store is back online.


I had a feeling that might be the case. They really planned that one well, didn't they? But that's a complete piss take. They should definitely be offering a lot more.

Scary news about your mate's bank card. I guess it's better to be safe than sorry now, so thanks for sharing.

Me (guest) 03.05.2011#35

Considering the store is important to plus, I would assume the month wouldn't start until that's back

1 month of free gameplay? WOW. How ridiculous - oh sorry, we've been hacked and your details have been shared, here have a free month on us!

Cubed3 Admin/Founder & Designer

Martin_ said:

Amethyst said:

Hooray free Plus.

Not that big of a 'hooray'. You'll be getting a month of PS Plus, but the PlayStation Store won't be back up until at least the end of this month according to Sony.

So most of the bonuses from having PS Plus are going to be null and void. By the time the 'Store is back up, your free month of PS Plus will certainly almost be over. Going by current performance of getting simple online play back up, it's highly plausible that your PS Plus will run out before the PlayStation Store is back online.

Fuck. I didn't realise that. I was hoping for free games from Sony, but yeah, that was a big hope that is now lost.

SINCE 06

BUMP

Just a little update:
http://www.engadget.com/2011/05/02/sony-woes-continue-as-soe-confirms-data-breach/


Sony woes continue as SOE confirms data breach,
24.6 million accounts affected.

Are you starting to feel bad for Sony yet? No? Maybe this will change your mind. Sony Online Entertainment has, apparently, been the victim of another breach that has, according to Nikkei.com, resulted in the release of 12,700 credit card numbers -- and presumably some other information as well. 4,300 of those credit card numbers are said to be Japanese, but no saying how many are American. Thankfully, data is said to be from 2007, minimizing the number of still-valid credit cards exposed making us wonder if perhaps this wasn't some sort of backup that was exposed. Regardless, SOE's online services were taken offline earlier today and, well, now we know why. We're presently expecting further information from the company but, until then, feel free to continue cowering in the corner and quietly sobbing onto your compromised credit cards.

According to the Wall Street Journal, Sony has also confirmed that the latest attack accessed personal information for a staggering 24.6 million accounts. Such info includes names, addresses, telephone numbers, email addresses, gender, date of birth, login ID, and hashed passwords. Ruh roh. Full press release after the break.

EDIT: News is two days old, but just in case anyone missed it.

( Edited 04.05.2011 12:56 by Birdo Is A Tranny )

Latest update from Sony.

Today, the Subcommittee on Commerce, Manufacturing and Trade of the U.S. House of Representatives Committee on Energy and Commerce held a hearing in Washington, DC on “The Threat of Data Theft to American Consumers.”

Kazuo Hirai, Chairman of the Board of Directors of Sony Computer Entertainment America, submitted written answers to questions posed by the subcommittee about the large-scale, criminal cyber-attack we have experienced. We wanted to share those answers with you (click here).

In summary, we told the subcommittee that in dealing with this cyber attack we followed four key principles:

1. Act with care and caution.
2. Provide relevant information to the public when it has been verified.
3. Take responsibility for our obligations to our customers.
4. Work with law enforcement authorities.

We also informed the subcommittee of the following:

* Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack.
* We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named “Anonymous” with the words “We are Legion.”
* By April 25, forensic teams were able to confirm the scope of the personal data they believed had been taken, and could not rule out whether credit card information had been accessed. On April 26, we notified customers of those facts.
* As of today, the major credit card companies have not reported any fraudulent transactions that they believe are the direct result of this cyber attack.
* Protecting individuals’ personal data is the highest priority and ensuring that the Internet can be made secure for commerce is also essential. Worldwide, countries and businesses will have to come together to ensure the safety of commerce over the Internet and find ways to combat cybercrime and cyber terrorism.
* We are taking a number of steps to prevent future breaches, including enhanced levels of data protection and encryption; enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns; additional firewalls; establishment of a new data center in an undisclosed location with increased security; and the naming of a new Chief Information Security Officer.

We told the subcommittee about our intent to offer complimentary identity theft protection to U.S. account holders and detailed the “Welcome Back” program that includes free downloads, 30 days of free membership in the PlayStation Plus premium subscription service; 30 days of free service for Music Unlimited subscribers; and extending PlayStation Plus and Music Unlimited subscriptions for the number of days services were unavailable.

We are working around the clock to have some PlayStation Network services restored and we’ll be providing specific details shortly. We hope this update is helpful to you, and we will continue to keep you posted as we work to restore our network and provide you with both the entertainment and the security you deserve.

Kaz "Riiiiiiiiiiiidge Raceeeeer!!" Hirai's full letter to the US House of Representatives.

I don't like the part where only US customers are getting complimentary identity theft protection. What about the rest of us?

( Edited 04.05.2011 17:39 by Martin_ )

There's still going to be other free content besides the Plus.

And since the main bonuses of a plus subscription are all store related, it would be stupid to give the customers the sub without the store. But then, it is Sony.

Panelists joined in. Dr. Gene Spafford of Purdue testified that Sony's system was weak, and that those weaknesses had been revealed on security mailing lists months before the breach. According to Spafford, key parts of Sony's PlayStation Network ran on Apache servers that "were unpatched and had no firewall installed." This was reported in a forum known to be frequented by Sony employees, he said, though no changes were made in the months leading up to the attack.

Without Sony or Epsilon present, much of the hearing focused on potential data protection legislation that would create some kind of process for auditing a company's data security measures to make sure they conform to best practices. Breach notification rules were also discussed, and the Federal Trade Commission pushed for Congress to give it civil penalty authority to go after companies that lose data through carelessness; in the last 10 years, the FTC has brought cases against 34 such companies, though it is currently limited in the penalties it can seek.

Can better standards really protect against such breaches? A Secret Service investigator at the hearing said that they could, adding that in his view, 96 percent of such breaches could have been avoided through straightforward, well-known security techniques. Sophisticated hackers do exist, of course, but they are rare. If companies can simply cut off script kiddie access to their systems, it will be a big step toward better data security.

http://arstechnica.com/tech-policy/news/2011/05/house-hearing-blasts-sonys-half-hearted-half-baked-hack-response.ars

lol @ Hirai's "highly sophisticated" claim.

Sony chief information officer, Shinji Hasejima (pictured), this week confessed at a Tokyo press conference that security measures could have been improved.

“The vulnerability [of the network] was a known vulnerability, one known of in the world. But Sony was not aware of it... was not convinced of it,” he said.

“We are now trying to improve aspects of it”.

Shiro Kambe, the senior vice president at Sony, also apologised for the oversight.

“We thought we had taken enough management and control measures [to ensure the network was secure], but looking back, there might have been room for further enhancement,” he said.

“We have to admit we were not fully sufficient.”

[...]

Sony repeatedly apologised at the press conference, beginning and ending the meeting with a ‘deep bow’.

The company explained that it was vulnerabilities in its web application server that caused the hack.

Rik Ferguson, both a PlayStation user and computer security expert at Trend Micro, said lax security controls for digital networks are not out of the ordinary.

“Unfortunately, it is common for companies to run servers that they know has vulnerabilities,” he told Develop.

“In the enterprise world, companies want maximum up-time. They don’t want to take their servers down, so they try to balance security with up-time.

“So companies try to deliver security patches in a bunch, say every few months. This of course means there’s a period of time when these vulnerabilities are not secured.

“Sadly a lot of companies are doing things this way”.

http://www.develop-online.net/news/37592/Sony-We-knew-PSN-security-flaws



( Edited 04.05.2011 18:31 by Modplan Man )

Lol yup, I totally didn't trust him when he said that, either. At this point, he should be prosecuted for lying on that point (ie; giving false information to the investigation).

“The vulnerability [of the network] was a known vulnerability, one known of in the world. But Sony was not aware of it... was not convinced of it,” he said.

What the fuck am I reading?

We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named “Anonymous” with the words “We are Legion.”

Total.Utter.Bullshit.

( Edited 04.05.2011 18:49 by Birdo Is A Tranny )

Wow, I think Sony just lost their company image, completely. I don't know if people will be comfortable to buy any more of their online products.

When all is bad don't look for an easy way out. Because you won't know what to do once you're out

http://blog.eu.playstation.com/2011/05/06/scee-identity-theft-protection-offering/

Sony offering 2 free PS3 games from a choice of 5, 2 PSP games from a choice of 4, in Europe. Titles not announced yet.

( Edited 06.05.2011 21:38 by Azuardo )

Issiac (guest) 07.05.2011#46

I'm literally about to dump my PS3 for an Xbox soon.
16 Hours from reopening it and getting hacked again truly says they don't know what they're doing.

PS3 System Software Update

We have been working on a new PS3 system software update that requires all PSN users to change their password once PlayStation Network is restored. The update (v3.61) is mandatory and is available now.

If using a PS3, your password can only be changed on your own PS3 (or a PS3 on which your PSN account was activated), as an added layer of security. If you have never downloaded any content using your account on the system, an email will be sent to the registered sign-in ID (email address) associated with your account when you first attempt to sign-in to PSN. This e-mail will contain a link that will enable you to change your password. In this email, click on the link and follow the instructions to change your password. Once you have changed your password you can sign-in to your account using your new password.

We strongly recommend that all PSN account holders with PS3s update their systems to prepare for when PlayStation Network is back online. The release of this update is a critical step as we work to make PlayStation Network significantly more secure. Thank you for your continued support and patience.

Also, a US map which shows which States the PSN is now live.

( Edited 15.05.2011 03:56 by Azuardo )

It's back up in the UK! Hoorah!

European Welcome Back package.


All existing PlayStation Network members will be able to access the following from PlayStation Store*:

Two PS3 games from the following list:

* LittleBigPlanet
* Infamous*
* Wipeout HD/Fury
* Ratchet and Clank: Quest for Booty
* Dead Nation*

For those with PSP accounts, you will also be eligible to download two PSP games from the following list:

* LittleBigPlanet PSP
* ModNation PSP
* Pursuit Force
* Killzone Liberation*


I'm thinking of taking LBP and maybe Wipeout.

( Edited 16.05.2011 21:35 by Azuardo )
