Slashdot Mirror


77 Million Accounts Stolen From Playstation Network

Runaway1956 was one of many users to continue to update us about the intrusion we've been following this week. "Sony is warning its millions of PlayStation Network users to watch out for identity-theft scams after hackers breached its security and plundered the user names, passwords, addresses, birth dates, and other information used to register accounts. Sony's stunning admission came six days after the PlayStation Network was taken down following what the company described as an 'external intrusion'. The stolen information may also include payment-card data, purchase history, billing addresses, and security answers used to change passwords, Sony said on Tuesday. The company plans to keep the hacked system offline for the time being, and to restore services gradually. The advisory also applies to users of Sony's related Qriocity network."

26 of 645 comments

  1. passwords? by jaymz666 · · Score: 5, Insightful

    Seriously? They were storing passwords in a way that could be unencrypted?

    1. Re:passwords? by 0123456 · · Score: 5, Insightful

      This seems like an amateur mistake. Who are these companies hiring lately?

      The lowest bidder?

    2. Re:passwords? by fuzzyfuzzyfungus · · Score: 5, Funny

      My DARE officer told me that hash is illegal, and my health teacher says that salt causes high blood pressure...

    3. Re:passwords? by marcansoft · · Score: 4, Interesting

      This seems like an amateur mistake.

      About as amateur as using a static constant instead of a random number when signing firmware and games, which is exactly what they did (and which pretty much cost them their entire system security).

    4. Re:passwords? by Kuukai · · Score: 5, Informative

      - If you wanted to play any of the games online, you had to have a PSN account. Which meant you had to provide a credit card whether you were ever going to buy anything or not.

      Wrong. This is not true at all. You can play games without ever providing a credit card. On the other hand, they do require your name, birthdate, and mailing address.

      --
Sendou Wave Kick!!

    5. Re:passwords? by schnell · · Score: 4, Insightful

      As a previously happy PS3 user, I'm infuriated at their shoddy handling of this whole thing. The delay in notifying customers was inexcusable, and I still don't understand how passwords could have been compromised... I refuse to believe that even Sony would have stored them in plaintext. The only thing that makes sense to me is that they were stored in hashes but Sony is concerned that the hashed passwords are subject to brute force attacks. I spent a good chunk of last night changing all my online passwords that were the same as the one used in my PS3 account, and that meant dozens of accounts. (Thank goodness none of them were bank-related.) I guess that I should have moved to a system of unique passwords for each site before, and this finally forced me to do it.

      I am struggling to find a bright spot anywhere in this, but if I were to find one it would be that Sony must understand how badly they have pooched this situation. I would expect some serious mea culpas and free crap out of them (like free PlayStation Plus for a year or something) out of this. I don't know whether I actually want that, but it should be interesting to watch them grovel for my online trust and/or business back.

      --
"95% of all Slashdot .sig quotes are incorrect or completely fabricated." -Benjamin Franklin

    6. Re:passwords? by gstoddart · · Score: 5, Insightful

      Wrong. This is not true at all. You can play games without ever providing a credit card. On the other hand, they do require your name, birthdate, and mailing address.

      And people wonder why so many on-line accounts are set up with completely bogus information.

      Why should I be providing all of this information to play *(&^%*&^ video games? This is precisely why I don't give most companies this information -- because I don't trust them with it. Not to keep it safe, not to use it as they say, and not to provide it to someone else.

      --
Lost at C:>. Found at C.

    7. Re:passwords? by Spazmania · · Score: 4, Insightful

      Not only did I use a unique email address and password for my PSN account (not used for anything else), I gave intentionally dishonest answers to the secondary security question (and wrote them down), an intentionally dishonest DOB and the only purchases I made were made with a debit card I got as a gift.

      I feel like a genius.

      --
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.

    8. Re:passwords? by Tetsujin · · Score: 4, Informative

      As a previously happy PS3 user, I'm infuriated at their shoddy handling of this whole thing. The delay in notifying customers was inexcusable, and I still don't understand how passwords could have been compromised... I refuse to believe that even Sony would have stored them in plaintext.

      Even if you one-way cipher the passwords, getting access to the password database gives the attacker the ability to attack the database offline via brute-force attacks. (Attempting to brute-force without access to the database system would mean you'd have to do it via the login system - which wouldn't work so well if the login system is built to guard against brute force attacks, for instance by limiting the frequency of login attempts to a single account.) So if somebody gets the password database it's safest to assume they've got the passwords in it.

      --
Bow-ties are cool.

    9. Re:passwords? by nschubach · · Score: 4, Informative

      Cancel? Just call up Visa and they give you a new card and number. No need to kill the account.

      --
Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.

    10. Re:passwords? by fuzzyfuzzyfungus · · Score: 4, Funny

      Are you implying that wasting time on slashdot is abnormal behavior for a fungus? The haploid glomeromycetes that fused to form my zygospore were always hassling me about it: "Are you going to sit there reproducing asexually in front of the computer like some pathetic diploid man-child all your life? Why don't you grow a fruiting body, and make something of yourself?"

  2. Sony isn't using the term "massive identity theft" by elrous0 · · Score: 5, Funny

    They're calling it an "unexpected mass friendship opportunity."

    --
SJW: Someone who has run out of real oppression, and has to fake it.

  3. Unencrypted = Stupid by Bloodwine77 · · Score: 4, Informative

    It amazes me that a company as large and established as Sony would make such a boneheaded move as storing sensitive information in plaintext. Passwords and answers to secret questions should always be hashed. Credit card information and other sensitive information should be encrypted (preferably AES-256 or stronger).

    1. Re:Unencrypted = Stupid by drinkypoo · · Score: 4, Interesting

      We need laws for this crap now. Someone doesn't even try to use adequate obfuscation, they are accessories. Specifically, for protection of SSNs (yes I know the fact that they are good for so much is stupid, but we live in reality) and credit card numbers, and anything else equivalent.

      --
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

    2. Re:Unencrypted = Stupid by 0123456 · · Score: 4, Insightful

      Why are you surprised that big companies would do stupid things? Particularly one who thought that installing rootkits on peoples' computers when they played a CD was a pretty darn cool idea?

    3. Re:Unencrypted = Stupid by Anonymous Coward · · Score: 5, Informative

      Yes, I trust Congress to make laws that will cause secure implementations to be made.

Remember, these are the guys who can't make a tax code that requires companies to actually pay _any_ tax on billions of dollars of income.

  4. Credit card numbers WERE taken too by Anonymous Coward · · Score: 5, Informative

    I posted this in the last thread, but PSN users are already seeing their credit cards being fraudulently used!

    So if you're affected, CANCEL YOUR CARD!

    It's not a possibility anymore, it's a certainty.

  5. Leaving PSN Down by TheNinjaroach · · Score: 4, Interesting

    I think the fact Sony has left the PSN in a completely disabled state for the past week could hint at some internal problems with disaster recovery. Their servers have been compromised and can no longer be trusted. In my world, that's a perfect time to re-build your systems from a pristine backup. So why doesn't Sony patch the vulnerability and deploy new servers? Perhaps it's because they don't have any good backups to restore from..

    --
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..

    1. Re:Leaving PSN Down by Bobfrankly1 · · Score: 4, Informative

      I think the fact Sony has left the PSN in a completely disabled state for the past week could hint at some internal problems with not knowing what the hell they're doing in the first place. Their servers have been compromised and can no longer be trusted. In my world, that's a perfect time to re-build your systems from a pristine backup. So why doesn't Sony patch the vulnerability and deploy new servers? Perhaps it's because they don't have a clue what the vulnerability is...

      FTFY.
      Sony said it has temporarily shut down the PlayStation Network and Qriocity services and hired an outside security firm “to conduct a full and complete investigation into what happened,” but refused to offer details on the hack.

  6. Fallout by Canth7 · · Score: 5, Insightful

    More interesting to me than how the intrusion occurred or how lax Sony's security practices are will be what the public backlash level is like. IT security departments tend to whip up a frenzy with the potential for "end of the company" concerns for data breaches on a regular basis. However, reality is that data loss doesn't always seem to have a particularly negative effect for the company that loses the information. Point in example would be the TJX data loss - http://it.slashdot.org/story/07/03/29/1618239/TJX-Is-Biggest-Data-Breach-Ever. Somehow this hardly seems to have put a dent in corporate profits. TJX's stock is up 100% since 2006 when the breach occurred. http://www.google.com/finance?q=tjx Point being is, if nothing seriously negative happens to Sony then it's no wonder that firms continue to have poor security practices. After all, why bother spending the effort and money to secure data when there is no return on the investment?

    1. Re:Fallout by X.25 · · Score: 5, Interesting

      TJX's stock is up 100% since 2006 when the breach occurred. http://www.google.com/finance?q=tjx Point being is, if nothing seriously negative happens to Sony then it's no wonder that firms continue to have poor security practices. After all, why bother spending the effort and money to secure data when there is no return on the investment?

      Many years ago, I was in a meeting with heads of a bank, discussing their need for penetration testing, auditing, etc.

      So, after all that talk, one guy simply asks:

      "Why would we spend dozens and hundreds of thousands of dollars on security services/products/staff, when it costs us 200 dollars to issue few press releases that claim how no valuable data was lost, and everything will be just fine?"

      I had no answer to this.

That's why in 2011, we are witnessing things like this.

      That's why in 2011, Sony will still be determined to be PCI/DSS compliant, although they probably don't satisfy 50%-70% of requirements.

      It's because they don't give a fuck and don't care. There is nothing you/we can do to them, they are on the top of the food chain.

      Because humans are greedy, like flashy toys and are too blind to see what's happening in front of their eyes.

      Oh well, back to work :)

  7. undivided attention of Anonymous by fhage · · Score: 4, Insightful

    I wonder if Sony regrets waving the red flag. http://news.cnet.com/8301-13506_3-20050310-17.html. Anybody heard from geohotz in the last few days?

  8. Might not be bad... by Junta · · Score: 4, Interesting

    There are two schools of thought here...

If the password is stored as a hash on the server, then it is more resistant to attacks against the storage of the server. However, this does require the password be transmitted over the wire in one way or another on every connection. A man-in-the-middle attack with IP spoofing or DNS cache poisoning has a non-trivial shot at compromising the password.

If the password is stored 'in the clear' on the server side and treated as a shared secret, then *if* you design the authentication right, you render man in the middle infeasible, with the tradeoff of a storage attack being a large exposure. A common scheme is to have the client take a packet, concatenate it with the password, calculate a hash, then strip the password before transmit. The server then repeats the calculation and only accepts the payload if the secret matches. Usually, server responses are protected the same way, meaning only the server you *meant* to talk to can meaningfully respond, because it needs your password to calculate correct hash responses.

    All that said, it's also entirely likely that Sony has crypted hash passwords, but it's safer to say 'your password is compromised', because of how many users have passwords like 'yourmom65' rendering the hashing pointless.

    --
XML is like violence. If it doesn't solve the problem, use more.

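The shared-secret scheme Junta sketches above, as an added example that is not part of the original thread or of anything Sony ships: the client tags each packet with a MAC keyed by the password and sends only the tag, the server recomputes it from its stored copy, and replies are tagged the same way so an impostor server cannot answer. HMAC-SHA256 stands in for the "concatenate with the password and hash" construction; the user record, the request body, and the nonce echo are constructed for the demonstration, and the plaintext password store is the storage-exposure tradeoff the comment describes.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Server-side credential store. The server must recompute the tag, so it needs
# the actual password: stored "in the clear", which is exactly the tradeoff.
# Constructed sample record, not real data.
USER_DB = {"alice": "yourmom65"}


def tag(payload: bytes, password: str) -> str:
    """MAC over the packet keyed by the password. Only the tag travels; the
    password itself never leaves either endpoint. HMAC-SHA256 is the standard
    form of 'concatenate with the password and hash'."""
    return hmac.new(password.encode(), payload, hashlib.sha256).hexdigest()


def client_build(user: str, password: str, body: dict) -> dict:
    """Client side: serialise the request with a fresh nonce and attach its tag."""
    fields = {"user": user, "nonce": os.urandom(8).hex(), "body": body}
    payload = json.dumps(fields, sort_keys=True).encode()
    return {"payload": payload.decode(), "tag": tag(payload, password)}


def server_accept(msg: dict) -> Optional[dict]:
    """Server side: recompute the tag from the stored password; reject on any
    mismatch (altered payload, unknown user, or wrong password). On success
    return a reply tagged with the same secret and echoing the nonce."""
    payload = msg["payload"].encode()
    fields = json.loads(payload)
    password = USER_DB.get(fields.get("user"))
    if password is None or not hmac.compare_digest(tag(payload, password), msg["tag"]):
        return None
    reply = json.dumps({"status": "ok", "nonce": fields["nonce"]}, sort_keys=True).encode()
    return {"payload": reply.decode(), "tag": tag(reply, password)}


def client_verify_reply(request: dict, reply: dict, password: str) -> bool:
    """Client side: only a server holding the password can tag a valid reply,
    and the echoed nonce ties the reply to this request, not a replayed one."""
    if not hmac.compare_digest(tag(reply["payload"].encode(), password), reply["tag"]):
        return False
    sent = json.loads(request["payload"])["nonce"]
    return json.loads(reply["payload"])["nonce"] == sent
```

An on-path party who changes a byte of the payload, or who answers without knowing the password, fails the tag check on the respective side; the price is that `USER_DB` itself is the thing a storage breach exposes.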
  9. Re:Firmware by fuzzyfuzzyfungus · · Score: 5, Insightful

    Never. Trust. The. Client.

If their online systems' security depends on all clients playing by a specific set of rules, it is Broken. (Even barring custom firmware, PS3s communicate over the internet via reasonably normal protocols, so it isn't as though the public-facing infrastructure was ever invisible to PCs running whatever people wanted them to run.)

Especially for something as large and potentially valuable as 77 million accounts, many with cards on file, there would just be no way that you could make the client secure enough to serve as a trusted part of your security system: your pirate will give up if you can't flash a firmware in software or do a relatively simple mod-chip install. A more serious hacker might be willing to dump some ROMs, if possible, maybe snoop bus traces if they can get to them, install mod chips that require SMT skills, etc. For 77 million accounts, though, you have to consider the possibility that somebody would commission a serious forensic teardown of your system, decapping, microscopes, and the lot.

  10. Makes you wonder... by Junta · · Score: 4, Insightful

    In a world with plenty of well understood crypto schemes like public-private key systems where you can prove yourself without a shared secret... why the hell do we trust so much of our wealth with a trivial to see/copy account number being tossed around like crazy?

    --
XML is like violence. If it doesn't solve the problem, use more.

  11. That's it? "Sorry"? by X.25 · · Score: 5, Insightful

    So, you peek into PS3 internals, you get slapped with lawsuits, police raids your home and they send army of lawyers after everyone.

    Someone steals 77m accounts from Sony, all they have to say is basically...

    Sorry?

    Fuck you Sony.