
93,000 accounts compromised in Sony Network attack

Wednesday, 12th October 2011 03:45 GMT By Brenna Hillier

Sony has detected what appears to be a large-scale hack attempt on the PlayStation Network and other services, and has warned users to secure their log-in details.

In a post on the EU PS Blog, chief information security officer Philip Reitinger said Sony had detected attempts to check “a massive set of sign-in IDs and passwords” against its networks but that “less than one tenth of one percent” of users had been affected.

“There were approximately 93,000 accounts globally (PSN/SEN: approximately 60,000 accounts; SOE: approximately 33,000) where the attempts succeeded in verifying those accounts’ valid sign-in IDs and passwords, and we have temporarily locked these accounts,” he revealed.

Luckily, “only a small fraction of these 93,000 accounts showed additional activity prior to being locked” and Reitinger said credit card details were not compromised.

“We will work with any users whom we confirm have had unauthorized purchases made to restore amounts in the PSN/SEN or SOE wallet,” Reitinger promised.

Sony is issuing password resets to compromised accounts, and affected SOE accounts have been temporarily disabled.

Reitinger believes the combinations being tested have been sourced from another company’s compromised database rather than from the PSN, Sony Online Entertainment, or other Sony networks.

“The overwhelming majority of the pairs resulted in failed matching attempts,” Reitinger assured readers. “We have taken steps to mitigate the activity.”

“We want to take this opportunity to remind our consumers about the increasingly common threat of fraudulent activity online, as well as the importance of having a strong password and having a username/password combination that is not associated with other online services or sites.

“We encourage you to choose unique, hard-to-guess passwords and always look for unusual activity in your account,” the security chief concluded.

Sony came under severe criticism following an April attack on the PlayStation Network, which saw the service brought down for two months and the compromise of millions of user accounts – including credit card details.

Thanks, Kotaku.
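The pattern Reitinger describes (a large set of sign-in ID and password pairs tried, most of them failing, and the accounts that did verify then locked) can be picked out of authentication logs. The Python below is an added example, not Sony's detection code or anything from the article; the log tuple format, the thresholds, the addresses and the account names are all assumptions constructed for illustration.

```python
from collections import defaultdict


def build_sample_events():
    """Constructed sample log: (source address, sign-in ID, succeeded)."""
    events = []
    # Source A: twelve different IDs, one password try each, one verifies.
    for n in range(12):
        events.append(("203.0.113.7", f"user{n:02d}", n == 7))
    # Source B: one person mistyping their own password, then getting it right.
    events += [
        ("198.51.100.20", "alice", False),
        ("198.51.100.20", "alice", False),
        ("198.51.100.20", "alice", True),
    ]
    # Source C: shared address (household, campus), everyone signs in fine.
    for name in ("bob", "carol", "dave", "erin", "frank", "grace"):
        events.append(("192.0.2.55", name, True))
    return events


def find_list_testing(events, min_ids=5, max_verified_ratio=0.2):
    """Return (flagged, to_lock).

    flagged maps a source to (distinct IDs tried, IDs that verified) when the
    source tried at least min_ids different IDs and at most max_verified_ratio
    of them verified. to_lock is the sorted list of IDs that verified from a
    flagged source: the accounts to lock and force a password reset on.
    Both thresholds are assumed values for the example, not recommendations.
    """
    tried = defaultdict(set)
    verified = defaultdict(set)
    for source, sign_in_id, ok in events:
        tried[source].add(sign_in_id)
        if ok:
            verified[source].add(sign_in_id)

    flagged = {}
    to_lock = set()
    for source, ids in tried.items():
        hits = verified[source]
        if len(ids) >= min_ids and len(hits) / len(ids) <= max_verified_ratio:
            flagged[source] = (len(ids), len(hits))
            to_lock |= hits
    return flagged, sorted(to_lock)


if __name__ == "__main__":
    flagged, to_lock = find_list_testing(build_sample_events())
    for source, (ids, hits) in flagged.items():
        print(f"{source}: {ids} IDs tried, {hits} verified")
    print("lock and reset:", to_lock)
```

Grouping by source address is only one signal; a list spread across many addresses needs the same ratio computed over other attributes, such as a time window or a client fingerprint.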


50 Comments

  1. Ireland Michael

    Jesus H. Christ.

    Here we go again…

    #1 3 years ago
  2. donky

    I read Kotaku article and it never said all what you said. I did not know that Compromise of credit card. What a bunch of crap.. make stuff up now..

    #2 3 years ago
  3. Brenna Hillier

    @2 … really? The source of the information is the EU PS Blog post linked in the second paragraph.

    And, you’ll note, “credit card details were not compromised”.

    #3 3 years ago
  4. Ireland Michael

    @2 Umm… Brenna’s post said that credit card details weren’t compromised. And this was stated on the EU blog, so I’m not sure what you’re on about her “making stuff up”.

    Here’s the quote. “Please note, if you have a credit card associated with your account, your credit card number is not at risk. We will work with any users whom we confirm have had unauthorized purchases made to restore amounts in the PSN/SEN or SOE wallet.”

    Everything Brenna just wrote was covered in the original EU PlayStation Blog post.

    #4 3 years ago
  5. JimFear-666

    MORE FREE GAMES!!!!!!!!!! :D

    #5 3 years ago
  6. Christopher Jack

    Hackers… Sometimes we’d be much better off if they just fucking left things alone, especially when it compromises security, it’s mostly about proving who has the largest E-Peen, & money, they make money off private info, selling it to corrupt companies.

    #6 3 years ago
  7. jacobvandy

    THIS WASN’T HACKING. They were effectively guessing passwords, being in possession of a load of account login details FROM OTHER SOURCES and trying to use them to sign on to PSN. “Oh my gawd, I’ve been hacked! They found my password written down on a sticky note behind my desk!” That’s not the meaning of the word…

    #7 3 years ago
  8. Bannan

    @Ireland Michael Guess he’s referring to this: “…April attack on the PlayStation Network, which saw the service brought down for two months and the compromise of millions of user accounts – including credit card details.” – Which is pretty much bullshit. It has been confirmed multiple times that the April hacker never got near any credit card info.

    #8 3 years ago
  9. Christopher Jack

    @7, Either directly responsible or not, the original source spawns from hackers stealing loads of information from some database, whether they themselves or others using their work did this is irrelevant.

    #9 3 years ago
  10. TheWulf

    What Mr. Jack isn’t telling you (what he never tells you, because he hopes that you’re too ignorant to figure this out for yourself) is that if companies actually cared about security and secured their shit better, then we wouldn’t have this problem.

    No, there has been no “hacking,” and no one has been “hacked.”

    What we have had is a bunch of script kiddies using the most hilariously simple vectors of attack, like SQL injection methods, and actually coming up trumps. Why? The megacorp in question believes that no one would actually try to attack them, so they never bother to confirm the strength of their own security.

    Here is a fact: They have a responsibility to take better care of your details. But most of them? They don’t give a shit. Sony didn’t give a flying hog’s arse until a bunch of script kiddies busted them wide open, and now they give a shit.

    So, just be careful whom you share your details with, and if they have a track record of being “hacked,” then I’d be very wary of doing business with them in the future, and sharing your details in the process.

    THAT SAID.

    There was no hacking involved here, and Sony has not dropped the ball this time. What’s happened is as someone said. Script kiddies have grabbed a database from somewhere and then dumped that info to the Internet, and now you have fraudsters trying out those details across various networks. It’s not just going to be PSN, but it’ll be PayPal and a bunch of others.

    Be careful.

    Change your passwords often.

    Be wary of whom you trust.

    Okay? Good.

    #10 3 years ago
  11. KAP

    I’m getting sick and tired of this shit now. I honestly felt sorry for Sony but now I’m plain annoyed now.. They need to sort their shit out!

    #11 3 years ago
  12. freedoms_stain

    @11, why are you laying this at Sony’s door?

    Someone acquired details indirectly of Sony and attempted to log in via them.

    It’s probably some forum or other social site that stores profile details like game account names, the “hackers” (who may not have hacked anything – they may have bought details from some crooked web master) then attempt to use the PSN sign in with the password associated with the forum account, and only the dumbasses foolish enough to use the same password for everything get stung.

    #12 3 years ago
  13. Blerk

    Oh my.

    #13 3 years ago
  14. Christopher Jack

    @10, Where am I trying to defend any company for lack of security? There are no excuses when it comes to security. I’m just saying that some hacker stole these details from somewhere, I never even said that those who stole the details were directly responsible, chances are that they sold the stolen info, or simply posted the database somewhere.

    I do think putting the entire blame on the victim is pretty ignorant, you wouldn’t blame someone for getting stabbed by a mugger because they were unprepared, the criminal is entirely to blame in that situation, as is the criminal in this situation. Difference is that the victim in this situation should be prepared & should be held responsible for protecting others information, but my point is the perpetrator(s) shouldn’t get a free ride because the victim was ignorant.

    #14 3 years ago
  15. MegaGeek1

    I don’t really care to know the intimate details of “who” is doing “what”, how they are doing it, and if they are hackers or not. I would simply like these people to get a life and piss the fuck off.

    #15 3 years ago
  16. Talyis

    WOW people that blame Sony are complete morons! I hear this crap all the time that Sony should have been better prepared well if you’re that stupid just keep your mouth shut, I hope you numbskulls know that any company can get hacked at any time no matter the level of security. I mean hell the Pentagon gets hacked and you guys are bitching saying Sony doesn’t have enough security, no company will be secure enough to prevent hackers none!

    Hackers are smart they can get around anything when they try hard enough, I honestly hate hackers now I used to support them but recently they have gone overboard with their harassment of gamers! I actually used to think hackers were just a bunch of hardcore gamers modding and bypassing games to create their own stuff, well I mean hackers from the gaming community but obviously they don’t give a shit about any other gamers or our privacy! You will get exactly what you deserve! Go to hell and for you dumbasses blaming Sony go to hell too, you’re obviously too moronic to understand what the real problem is!

    #16 3 years ago
  17. Stoopid_Snot

    Can’t they go and try 2 hack somebody else for a change now… I don’t know… Lego maybe?

    #17 3 years ago
  18. daytripper

    go to hell? fuck sake you would think they were bullying your son or daughter at school or something.

    #18 3 years ago
  19. Yoshi

    At least they’ve caught it early and automatically lock the accounts :)

    #19 3 years ago
  20. Joe Musashi

    Man acquires a bunch of unbranded house-keys from another man in a bar

    Man goes around the neighborhood randomly trying keys in locks

    People in neighborhood angry at estate agents for allowing this to happen.

    :-\

    JM

    #20 3 years ago
  21. pleasant_cabbage

    Did ‘Man in bar’ acquire this bunch of keys from aforementioned estate agents?
    /readies pitchfork

    #21 3 years ago
  22. Anders

    This is getting ridiculous. More free games then?

    #22 3 years ago
  23. DSB

    Looks to me like one of the clearest case studies between a prepared network and an unprepared one. Sony past and Sony present.

    Prepared one loses less than 1 percent, unprepared one loses absolutely everything.

    @20 Flawed analogy is flawed.

    Vulnerable networks get killed. End of story. Which is quite clearly demonstrated in this case. After Sony get their asses handed to them, they suddenly start paying attention, and the following attack gets virtually bupkiss.

    @16 No grip on reality

    @ChrisJack Again the analogy is entirely off the charts. Nobody has blamed Sony for being attacked, they’ve blamed them for losing their personal details. It has no bearing on violent crime, but quite simply on a company that demands sensitive information from its users, and as such carries a sovereign responsibility to adequately protect it.

    In this case, I think it looks like they succeeded in doing so. I don’t know the details, but at least I’d expect them not to be caught off guard a second time.

    #23 3 years ago
  24. The Evil Pope

    The whole network is a disaster. Sony need to go back to the drawing board. PSN has nothing on XBL.

    #24 3 years ago
  25. OrbitMonkey

    XBL has nothing on Steam ;)

    #25 3 years ago
  26. viralshag

    Or in the literal sense Steam has nothing on XBL.

    #26 3 years ago
  27. daytripper

    steam is awesome, from what i’ve seen (current non pc gamer)

    #27 3 years ago
  28. OlderGamer

    *Sigh.

    And I have been playing more PS3 this past month than ever before.

    Dungeon Hunter Alliance is the best game I have played in years, imo.

    Oh well use points cards, keep personal info off of the network where possible, move on.

    What else can be done? Either that or live under a rock. Too many online and digital services to avoid this sort of thing. Tho it would seem Sony should be doing all they can to keep this stuff from happening, maybe they are, but it doesn’t seem to be working.

    #28 3 years ago
  29. OrbitMonkey

    ^ Er, you mean it is working? Poor Sony, they stop an attack & get slated for being honest about It.

    #29 3 years ago
  30. Joe Musashi

    Analogy is right on the money actually. :) Take off blinkers to see it properly.

    @29 Indeed. If Sony don’t give out details people complain that they should have given details and given them sooner. When Sony do what people ask they just go and hit them around the head with a different stick.

    Always the same people too doing the complaining. Funny coincidence that one.

    JM

    #30 3 years ago
  31. DSB

    @30 Seems like the blinkers are entirely yours.

    Nobody gave anybody a key, and nobody’s blaming anyone who isn’t directly responsible for keeping a certain standard of security. Since they demand that information from their users, Sony are directly responsible for keeping that information safe, and keeping their networks secure.

    If someone builds a shitty door to their home, and someone breaks that door down, their premium is going to go way up once the insurers find out, because that’s their fuck-up, for not being responsible. That’s the adequate analogy.

    Burglars don’t go for hard targets, they go for the easy ones, because they don’t like to work for a living, and they don’t like to risk anything. In this case Sony were actually awake and seemingly managed to stop the attack. This probably happened in seconds, with Sony reacting immediately.

    Last time they let hackers have their way with their network for at least 48 hours after an attack was detected, by their own testimony. All they had to do was pull the plug, even physically if necessary, but for at least 48 hours they didn’t. Notch of Minecraft pulled the plug within a minute of his servers being attacked.

    The difference is striking.

    #31 3 years ago
  32. G1GAHURTZ

    Oh no, not this again!

    #32 3 years ago
  33. Joe Musashi

    Looks like someone hasn’t grasped what’s actually going on, who is doing it, how it came about and how it’s been handled. Just gone about laying blame and pointing fingers. Isn’t the first time, won’t be the last.

    JM

    #33 3 years ago
  34. DSB

    @33 Well that conveniently explains everything by offering absolutely nothing but blind faith in a company who, quite obviously to everyone with even the slightest notion of what’s going on, is responsible for one of the most spectacular failures in protecting their networks in recorded history.

    As far as I can tell, the nearest contender is Mastercard, who even then only lost 5 million accounts.

    Personally I like to view and accept the facts as they appear, and base my opinions on that.

    #34 3 years ago
  35. NightCrawler1970

    Wow, well Sony have the cops on their side, they gonna trace hackers arrss… and yes more free games then

    #35 3 years ago
  36. Christopher Jack

    Why are people expecting free games? A few people may have had their account hacked into using information gathered from elsewhere, happens all the time on both XBL & PSN, difference being the scale of the hacks but more importantly, where did they get their info from?

    Obviously it’s outdated, most likely from before the PSN hack, I’m going to assume that all those who were hacked kept the same password as before. Alternatively, those who were successfully hacked may share their password with what ever it was that these hackers got their details from, email account for an unlikely example.

    People seem to be confused about the differences between an entire network being hacked & a bunch of accounts being hacked, DSB for example seems to think that this is just like the PSN attack, where Sony was held responsible for not having sufficient protection, this is COMPLETELY different, unless it’s actually the details gathered from the PSN attack that were used for these account hacks, but that’s just speculation.

    #36 3 years ago
  37. GameModo

    Sony is in the spotlight yet again over a security breach. http://www.game-modo.com/2011/10/playstation-network-in-spotlight-again.html

    #37 3 years ago
  38. freedoms_stain

    Fucking hell, the number of people who can’t read past a headline on this site is Fucking mind bending.

    Why the complaints? Why the doom and gloom? Sony’s network security is now so Fucking good it’s detecting mass login attempts and shutting them down quickly AND being honest about it. The headline should be “Improved PSN security foils attempted account thieves” not scare mongering.

    #38 3 years ago
  39. DSB

    @36 Well, like you quite accurately point out, what Sony themselves are saying is that they have no idea as to how the information has been attained. I’m thinking the exact same thing you are, especially given that a large number of the accounts have been inactive.

    I also don’t see myself saying, anywhere, that Sony’s protection would seem to be any less than adequate. This could indeed happen to any company, and has in the past, as opposed to the former breach.

    The world’s most extensive loss of personal data as a result of network breach, in spite of what all the apologists and fanboys would like to believe, isn’t something that “just happens” to “everybody”, “whenever hackers want it to”. It’s quite arguably an extraordinary case, without equal in history, and one that should provoke reflection that goes a bit deeper, than simply “I love Sony, they’re so great, and could never fail me”.

    #39 3 years ago
  40. OrbitMonkey

    @38 +1

    #40 3 years ago
  41. dr_lovejoy

    @DSB Sony hasn’t been hacked you numpty so stop talking bull, otherwise the success rate would be a lot higher. What is happening is a group have got a bunch of login information from a different site and are trying to use the same info on PSN. For most people this isn’t a problem however some use the same email/username and password for multiple sites. This makes it extremely easy to hack into accounts. Happened to me on Hotmail years ago, luckily the Hotmail account was just one I use for spam. It is also something that happens everyday even with xbox, play, amazon and every other site.
    For example if you use the same email and password for both VG247 & PSN, and VG247 got hacked or supplied that info (for a profit like some sites do). The hackers would be able to access your PSN account with ease.
    Sony in this case have actually done something no other company does, I can bet you Microsoft wouldn’t care if someone logged into your account with details obtained elsewhere. And before you call me a Sony fanboy I actually play Xbox more. Difference is I can read and not troll sites.

    PS before you say it was from the previous hack you’re wrong. You had to change the password to something different for the account to be active.

    #41 3 years ago
  42. dr_lovejoy

    Another way for people to get access to psn with ease is to use a third party PSN app, like the ones on Android. Or any site that requires you to enter PSN details for trophies etc. Same goes for Xbox Live.

    #42 3 years ago
  43. DSB

    Good post lovejoy.

    I wasn’t aware that it wasn’t a direct attack when I wrote the first post, but essentially what they’re saying is that they have no idea where the information came from. Are people permanently barred from using their old passwords? The press release clearly states that most of the accounts were inactive, which would certainly point to old information.

    And to be fair, the fact that Microsoft doesn’t do something hardly means that it isn’t perfectly standard practice everywhere else. I don’t imagine that this sort of attack would in any way be hard to detect.

    #43 3 years ago
  44. JackTheLittle

    whats really your point by putting such headline?
    it could’ve been more clear :|

    #44 3 years ago
  45. sg1974

    So much wrong with this article it’s hard to know where to start. Sony stopped attempts to access accounts and you (and it has to be fair, many others) want to suggest 93,000 accounts have been hacked.

    But I have to call you on one absolute bullshit statement, Brenna:

    “Sony came under severe criticism following an April attack on the PlayStation Network, which saw the service brought down for two months and the compromise of millions of user accounts – including credit card details.”

    Sony confirmed a long time ago that the April attack compromised not one single credit card. So why repeat falsehoods started and perpetuated by uninformed trolls?

    #45 3 years ago
  46. DSB

    @45 Thing is, you don’t need to lose the credit card info, for credit cards to be compromised. A password and an e-mail address match is enough to get it, with the Gawker breach being case in point.

    At best the only thing stopping you is going to be a personal question. That’s not even advanced identity theft, that’s as easy as spying on your girlfriend.

    They didn’t lose the cards themselves, and the people who use different passwords for different services will probably have been okay, but simply because nobody bothers to do some actual journalism and find the people who were stolen from as a result, it certainly doesn’t mean it didn’t happen.

    #46 3 years ago
  47. sg1974

    When the article is amended to say “it is possible that some credit cards accounts might have been compromised if PSN users had used the same password on their credit card account but there is no evidence this ever occurred” then I’ll shut up.

    #47 3 years ago
  48. DSB

    Absolutely fair. It’s not accurate.

    #48 3 years ago
  49. NightCrawler1970

    @36, if it takes another 1,5 month YAAAAA!!!!!!
    That tells me that SONY DONT GIVE A FUCK with customers
    http://absolutelytrue.com/wp-content/uploads/2010/05/give-a-fuck-o-meter.gif
    @38, they better comes out and telling the world that Sony is raped again, don’t even try to cover-up again, and comes with excuses specially within 24 hours and not 1,5 week….

    #49 3 years ago
  50. Lihp1

    Phil Reitinger is SUCH an ASSHOLE! This guy is a classic Washington, D.C. policy wonk. He didn’t have a THING to do with the discovery of this latest breach, much less actually dealing with it. Rumor has it there’s a new guy at PSN who both found and fixed the problem. But do you think “Mr. Policy” would give him any credit for it? FUCK NO! That’s not the way they played in D.C.; why would he play honestly at Sony?

    It’s obvious that Sony only hired this chump to appease their “legal beagles” and put perfume on a pig. Sony’s RIFE with security problems. But Reitinger couldn’t find his ass with both hands. Maybe the new guy can help clean up the mess that is PSN … if they can keep him around long enough to do it. But if ham-fisted Phuckwad Phil keeps up his usual “do none of the work and take all of the credit” game, anybody with any real intelligence still left at Sony is gonna blow out of there soon.

    #50 3 years ago

Comments are now closed on this article.