SOE: 12,700 old CC numbers, 10,700 DD records breached

Tuesday, 3rd May 2011 02:03 GMT By Jessica Citizen

The hits just keep coming for Sony. Following all-too-soon after the news that Sony Online Entertainment servers had been taken offline, the company has now confirmed that it “may” have lost 12,700 customer credit card numbers.

According to the hardware giant, approximately 24.6 million accounts may have been breached, including “approximately 12,700 non-US credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, Netherlands and Spain.”

However, SOE insists, according to GI.biz, that of the 12,700 non-US cards, only 900 remain active and usable today.

To help you breathe slightly more easily, the information stolen was from an “outdated database from 2007”. Of the full number, 4,300 of the cards are allegedly from Japan, while the remainder are from Europe.

SOE said in an email to customers this morning that: “There is no evidence that our main credit card database was compromised. It is in a completely separate and secured environment.”

Despite Sony’s repeated claims that the PSN servers and SOE servers are not part of the same network, the theft has been tied directly to the recent PlayStation Network and Qriocity attacks, which saw customer information compromised on either April 16 or 17.

Sony confirmed over the weekend that PSN will start to come back online this week.

The full press release is below.

Tokyo, May 3, 2011 – Sony Corporation and Sony Computer Entertainment announced today that their ongoing investigation of illegal intrusions into Sony Online Entertainment LLC (SOE, the company) systems revealed yesterday morning (May 2, Tokyo time) that hackers may have stolen SOE customer information on April 16th and 17th, 2011 (PDT). SOE is based in San Diego, California, U.S.A.

This information, which was discovered by engineers and security consultants reviewing SOE systems, showed that personal information from approximately 24.6 million SOE accounts may have been stolen, as well as certain information from an outdated database from 2007. The information from the outdated database that may have been stolen includes approximately 12,700 non-U.S. credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, Netherlands and Spain.

With the current outage of the PlayStation® Network and Qriocity™ services and the ongoing investigation into the recent attacks, SOE had also undertaken an intensive investigation into its system. Upon discovery of this additional information, the company promptly shut down all servers related to SOE services while continuing to review and upgrade all of its online security systems in the face of these unprecedented cyber-attacks.

On May 1, Sony apologized to its customers for the inconvenience caused by its network services outages. The company is working with the FBI and continuing its own full investigation while working to restore all services.

Sony is making this disclosure as quickly as possible after the discovery of the theft, and the company has posted information on its website and will send e-mails to all consumers whose data may have been stolen.

The personal information of the approximately 24.6 million SOE accounts that was illegally obtained, to the extent it had been provided to SOE, is as follows:
· name
· address
· e-mail address
· birthdate
· gender
· phone number
· login name
· hashed password.

In addition to the information above, the 10,700 direct debit records from accounts in Austria, Germany, Netherlands and Spain, include:
· bank account number
· customer name
· account name
· customer address.

SOE will grant customers 30 days of additional time on their subscriptions, in addition to compensating them one day for each day the system is down. It is also in the process of outlining a “make good” plan for its PlayStation®3 MMOs (DC Universe Online and Free Realms). More information will be released this week.

Additionally, the company is committed to helping its customers protect their personal data and will provide a complimentary offering to assist users in enrolling in identity theft protection services and/or similar programs. The implementation will be at a local level and further details will be made available shortly in each region.

Sony Online Entertainment LLC (SOE) has been a recognized worldwide leader in massively multiplayer online games since 1999. Best known for its blockbuster hits and franchises, including EverQuest®, EverQuest® II, Champions of Norrath®, PlanetSide®, Free Realms®, Clone Wars Adventures™, and DC Universe Online™, SOE creates, develops and provides compelling online entertainment for virtually all platforms, including the PlayStation®3 Computer Entertainment System, Personal Computer, mobile and social networks. SOE is building on its proven legacy and pioneering the future of the interactive entertainment space through creative development and inspired gameplay design for audiences of all ages. To learn more, visit www.soe.com.

For more information and updates about the SOE services, please visit www.soe.com/securityupdate.

58 Comments

  1. NightCrawler1970

    quote “Despite Sony’s repeated claims that the PSN servers and SOE servers are not part of the same network” NO SHIT SHERLOCK… if that gonna happens, hackers are in heaven…

    #1 3 years ago
  2. daytripper

    the cost of all this to fix/compensate gamers must be great.

    #2 3 years ago
  3. IL DUCE

    Four words: SONY…IS…A….JOKE

    #3 3 years ago
  4. AJacks92

    LOL @ VG247 blog before this ;)

    #4 3 years ago
  5. G1GAHURTZ

    This mess just keeps getting worse, day by day.

    Sony are going to have to work extremely hard in order to get people’s trust back.

    #5 3 years ago
  6. Dr.Ghettoblaster

    Really now this is just un-fucking-believable. Doesn’t it have to be those Anonymous assholes? I mean they warned Sony publicly that bad shit was gonna happen, and here it is.

    #6 3 years ago
  7. Dr.Ghettoblaster

    *UPDATE* “NOT A SECOND ATTACK”

    Update, 9:03PM EST: SOE has provided us with the following statement, in which it confirms that its user data was stolen as part of the original intrusion — not a second attack. “While the two systems are distinct and operated separately, given that they are both under the SONY umbrella, there is some degree of architecture that overlaps. The intrusions were similar in nature. This is NOT a second attack; new information has been discovered as part of our ongoing investigation of the external intrusion in April.”

    http://www.joystiq.com/2011/05/02/sony-hit-with-second-attack-loses-12-700-credit-card-nu/

    #7 3 years ago
  8. theevilaires

    Lol you change the main page article pic. I guess you’re going for full fool impact in the euro morning. Btw master card is shit a VISA logo would look better :P

    #8 3 years ago
  9. Patrick Garratt

    Yeah. Illustrating a story about credit cards with a credit card is PURE SENSATIONALISM ;)

    #9 3 years ago
  10. f1r3storm

    God damn Sony… at least i didn’t use my CC there in 2007.

    #10 3 years ago
  11. Schindet Nemo

    So Central Europe got hit the hardest i take it? Guess i have to cancel my CC anyway.

    #11 3 years ago
  12. Gekidami

    Hold on, a 2007 database? I’m pretty sure all cards from that far back are dead by now. People would have gotten new ones.

    But hey, at least we can count on this site’s journalistic integrity to inform us of that part, which is important, off the ba- Oh no wait, there’s no mention of that in headline or the header. It’s only brought up 3 paragraphs lower…

    Because “Old, useless CC numbers from 2007 stolen” isn’t going to get hits now, is it.

    #12 3 years ago
  13. Patrick Garratt

    I’ve added in a comment there about the main credit card database being kept separately from the one that was compromised.

    #13 3 years ago
  14. Patrick Garratt

    And I’ve edited the headline. The “hits” have now plummeted as a result, obviously.

    #14 3 years ago
  15. Blerk

    Places where I’m really glad I don’t work at the minute:

    1. Sony.

    #15 3 years ago
  16. Petulant Radish

    2. VG247

    As publishing an article on a blog always seems to be accompanied by scathing criticism these days!

    #16 3 years ago
  17. Mike

    I’ve still got the same CC number I had in 2007. Thank you for informing me of Sony’s continued negligence VG247. I will now take the necessary steps in order never to give such an untrustworthy company as Sony my personal details.

    #17 3 years ago
  18. GWint005

    #18 3 years ago
  19. Mike

    It says so in the press release. Which is printed.

    #19 3 years ago
  20. spiderLAW

    an interesting development indeed

    #20 3 years ago
  21. Johnny Cullen

    Added an update in there. Out of 12,700 non-US cards, only 900 remain active and usable today.

    #21 3 years ago
  22. Blerk

    Did they try them all? :-D

    #22 3 years ago
  23. spiderLAW

    hmmmm……not mine….i actively update my account and the last card i had on there is out of service at the moment….yay me.

    #23 3 years ago
  24. Kerplunk

    @17 Given the fact that you personally have published other people’s IP addresses on this site which is running out-of-date software (meaning that it is not as secure as it could be – by some considerable margin) I don’t think you’re especially well placed to point your finger at ANYTHING and make remarks about security, negligence or trustworthiness.

    Stop your fud, you’re not convincing anyone.

    (Posted from some anonymous web proxy, so don’t even bother trying that puerile shit)

    #24 3 years ago
  25. OrbitMonkey

    @24 Well i’m sure Pat will feel very silly if the VG247 users credit card database is hacked…

    #25 3 years ago
  26. Patrick Garratt

    @25 – I live for the day I have a VG247 user credit card database, hacked or not.

    #26 3 years ago
  27. Mike

    Lol.

    That info was freely available to anyone.

    #27 3 years ago
  28. Kerplunk

    @24 My point was about gobsmackingly blatant hypocrisy on the topic of security as a whole. But, you know, argue semantics if it makes you feel better.

    Pat. Go into your WordPress Dashboard and read the announcements at the top. Upgrade your site and tell your web team to put some proper .htaccess controls in place to prevent snooping.

    And stop letting people with access to your site’s admin functions publish IP addresses. That’s just fucking stupid behaviour, seriously. Though it’s handy to raise it when the same nonce wants to talk about negligent security practices by others.

    Oh, and that information is only freely available to everyone once some pillock publishes it for all to see. That’s kind of why everyone’s IP address ISN’T shown publicly as standard. Jesus, you so-called security experts are pretty fucking clueless aren’t you? But, you know, good mature response to being called out on really stupid behaviour. Classy stuff.

    Why not have a chat with the guys at Gawker Media. :)

    #28 3 years ago
  29. Patrick Garratt

    Who’s published IP addresses? Sorry, I’m mental busy.

    #29 3 years ago
  30. Mike

    I think Kerplunk is taking all this rather too seriously.

    #30 3 years ago
  31. Kerplunk

    Well, there’s your answer Pat.

    As for taking things too seriously – can the topic of security ever be taken too seriously?

    It’s alarming that you can draw a hard line about security conducted by others but when your own lapse of security and wilful negligence is raised you’re keen to dismiss other’s concerns. Quite a convenient outlook.

    #31 3 years ago
  32. theevilaires

    Shatner banned but Mike still allowed to slither through the cracks…..how fucking unfair :(

    #32 3 years ago
  33. Patrick Garratt

    Has an admin actually published anyone’s IP address?

    #33 3 years ago
  34. Mike

    #31: My original post about not trusting Sony was tongue in cheek.

    Relax.

    #34 3 years ago
  35. ManuOtaku

    Now i Know what PSN stands for: Please Steal our Numbers 8D

    #35 3 years ago
  36. Kerplunk

    @33 In a topic on the VG247 forum, Mike (shown as “Keymaster” status) posted an IP address as part of a reply. I don’t recall the full details nor do I want to search and link to the discussion as doing so would only risk exposing that information all over again. I believe the discussion may have been centered on the legitimacy of user accounts / fake accounts. Whilst IP checking is a good way to investigate this, there is no need to publish IP addresses. Ever. Remember how upset Anonymous got about the prospect of IP addresses reaching a wider audience than they should? Exactly the same principle, except with far less justification.

    For what it’s worth, I commented on the post in the topic when I witnessed the behaviour.

    I don’t care what side of an argument you stand about someone’s identity. You just DON’T do that sort of thing. It was irresponsible when it was done and it looks a hundred times more irresponsible in the wake of the Gawker Media and PSN breaches that have happened recently. An admin who publishes another’s IP address has no right to be an admin, in my opinion.

    And there’s a world of difference between someone stealing another’s information from a third party and the third party publicising that information of their own free will.

    @34 Given your own behaviour, you really aren’t in a very good position to be making any comments on the topic. Tongue in cheek or otherwise.

    #36 3 years ago
  37. Patrick Garratt

    @36 – You are, of course, right that IP addresses should never be published. I’m looking into it now.

    #37 3 years ago
  38. ManuOtaku

    As much as my comments and opinions tend to differ from the kerplunks ones on other topics, but in this case regarding the IP address leak of information in one topic of this site, i agree 100%, it was really wrong, it doesn’t matter the motive, was wrong

    #38 3 years ago
  39. Mike

    Since that site was upgraded, I was under the impression my status (if you want to call it that) as a “Key Master” was made redundant: could no longer Edit others’ posts, no longer ban a spammer’s IP address, no longer even delete my own posts.

    Because of this, I wrongly assumed that my Forum View was the same as everyone else’s: i.e. under everyone’s posts, there was Edit, Delete, and their IP.

    After someone was spamming the forum and had created a fake account in order to abuse another member I thought I’d run a http://www.who.is on the user using the information I thought that was freely available to everyone.

    However, I soon found out that although I had no “mod powers” the IP address of the poster was privileged information. I subsequently edited my post, (as I couldn’t delete it), thus removing any and all information regarding the IP-address that was posted.

    If I have caused offence, or discomfort in any way then I of course, sincerely apologise.

    Michael Bowden.

    #39 3 years ago
  40. OwningXylophone

    Why does nobody see the far more chilling problem here…

    Why the hell are Sony storing ‘outdated’ data on their customers and treating it with less care and security than our ‘current’ data. This is entirely in breach of principle 5 of the Data Protection Act 1998, which states:-

    “Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”

    So if a single one of those records that were taken came from the UK expect the ICO to come down on them like a ton of bricks.

    #40 3 years ago
  41. Robo_1

    @39

    Now take a bow… a deep bow. ;)

    #41 3 years ago
  42. theevilaires

    @39 Not buying your euro bullshit. Everyone knows you are a biased cunt and you did it on purpose. You and O.G. privileges should be revoked immediately for passing out peoples personal information for your own and close friends(O’Connor)use.

    #42 3 years ago
  43. ManuOtaku

    #40 agree with you, sony should be praying for that not to happen

    #43 3 years ago
  44. Kerplunk

    @39 Your transparency is very much appreciated. Thank you.

    Pat / Mike, good work! :)

    Please also ensure that you take appropriate steps to add additional .htaccess security so that a clumsy monkey like me can’t rifle through your WordPress installation files (.htaccess should be a simple task for your web-guy to do) and also ensure your WordPress installation has all the security fixes by running the most up-to-date version (2-clicks from the WordPress Dashboard).

    I feel more secure already :)

    #44 3 years ago
  45. ManuOtaku

    #42 may i ask why O.G too? if i can recall right he didnt pass out any I.P on that very topic.

    #45 3 years ago
  46. OwningXylophone

    Sony have confirmed to GamesIndustry.biz that 900 of the 12700 cards whose details were stolen are still active.

    http://www.gamesindustry.biz/articles/2011-05-03-24-6-million-soe-accounts-potentially-compromised

    #46 3 years ago
  47. TheWulf

    One thing I will note is that the worst of this still isn’t over yet, there are still things that they think they might not need to admit to.

    I strongly recommend that old or new, anyone who’s used a card with any Sony service… renew it. Trust me or don’t, s’up to you, but it’s just not worth the risk.

    With an intrusion of this magnitude, it’s always worse than they assume, and it’s only a matter of time before they find out just how much information was siphoned away from them, and just how much of that information is usable.

    This isn’t a joke. Not even for you fanboys. Don’t take risks with this. :/

    #47 3 years ago
  48. theevilaires

    @45 He was revealing peoples IP address to O’Connor over XBOX LIVE. I’m sure he has even passed on certain peoples address to O’Connor so he can cross reference the same data on his site. I’ve always felt O.G.’s biased for M$ would lead to corruption when he became a mod. Even though I endorsed him to receive the privileges it was a test in disguise to reveal his true colors.

    http://www.vg247.com/forum/topic.php?id=4514

    Have a look through there. If he hasn’t already covered his tracks yet and deleted his comments. He openly tells O’Connor to meet him on XBOX LIVE after O’Connor cries and moans like a little bitch to find out who made the thread about him and who my impostor really was. Corruption is what follows when you give a XBOT too much power. Eventually they RROD themselves in the end.

    #48 3 years ago
  49. frostquake

    Your post made mine redundant..LOL..

    I would like OG to comment on that.

    Why even look up IP’s…I don’t understand that at all.

    Why can’t we all be way laid back here???

    #49 3 years ago
  50. Patrick Garratt

    Kerplunk – I’ll check with the tech chaps on that, yep. Thanks.

    #50 3 years ago
  51. OlderGamer

    Jesus Tea, what did I do now? Lemme read it and get caught up. Man the whole world that don’t see eye to eye with you is screwed ain’t it? brb, reading.

    #51 3 years ago
  52. frostquake

    Back on Topic..LOL…LA Times..is this Old or New?

    “Such a broad breach of consumer information is rare, because most companies take precautions to silo customer information, separating contact information from credit card data, for example, so that only parts of any customer’s profile can be accessed from a single attack.”

    http://latimesblogs.latimes.com/entertainmentnewsbuzz/2011/04/sony-admits-playstation-network-hacked-user-information-compromised-.html

    #52 3 years ago
  53. OlderGamer

    Ok I read through 5 pages of posts. For what?

    All I saw was one member of the site getting harassed. People think so much of you Tea that when one of them tries to be you, they do so by being belligerent, foul mouthed, obnoxious, and start aiming personal attacks at other members.

    That post was just one in a flurry of posts between you and Michael. But when you left the site(for one of your breaks), someone else created a fake account/handle and tried to pretend to be you. It was rude and uncalled for. But like I said taking just that post and isolating it is like taking the thread out of context.

    At that point Michael had had enough. You read him bitching at me for NOT posting the IPS right? I never posted anyones IPs, never would.

    And just for clarity, Tea did you just say above that I was corrupt because I play xbox360? I mean really? That’s pretty funny man. Better watch out for those Nintendo gamers, I hear them guys are bat shit crazy! They will mess ya up! Don’t look into their eyes!

    #53 3 years ago
  54. DGOJG

    Right I’m seriously confused now. There have been two hacks yes? Or is this just a delayed response from SOE? Someone care to explain if I should be panicking?

    #54 3 years ago
  55. Gekidami

    ^ No, one hack, but Sony didnt think it affected SOE till recently.

    #55 3 years ago
  56. DGOJG

    @55 Thanks for clearing that up! Doubt they’d attack student accounts anyway :P

    #56 3 years ago
  57. frostquake

    @ DGOJG

    they did just take Station.com down monday..so I don’t know if you use the Station.com Hub to play games on your computer??

    #57 3 years ago
  58. DGOJG

    @ frostquake

    I never knew the site existed until today so no but thanks :)

    #58 3 years ago