Sony Breach Gets Worse: 24.6 Million Compromised Accounts At SOE
An anonymous reader writes with an update to yesterday morning's news that Sony Online Entertainment's game service was taken offline to investigate a potential data breach related to the PSN intrusion. SOE has now said that they too suffered a major theft of user data.
"... personal information from approximately 24.6 million SOE accounts may have been stolen, as well as certain information from an outdated database from 2007. The information from the outdated database that may have been stolen includes approximately 12,700 non-US credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, Netherlands and Spain."
Is it that they are so unprepared that they didn't know it until today, or were so diabolic that they didn't tell anyone yet? Just feeling great for not having ANY money on the net.
This is what happens when someone manages to jump the fence of your "walled garden".
Seven puppies were harmed during the making of this post.
They are just pissed that somebody stole a lot of personal data, and took over a bunch of computer systems, and it wasn't them.
Hey guys, let's keep around credit/debit card billing data from 2007 all online. Deleting it after 6 months of inactivity could hurt sales!11! There's no cost to keeping it around, nothing that would pass an accountant anyway. Let's pay ourselves a bonus for our forward thinking.
I haven't played EverQuest since 2002 and I got a notice. Luckily for me all that credit card information is outdated and wrong. Even the mailing address is wrong. How someone was able to access this data is beyond me. I cannot, for any reason, think of any justification Sony could have to store something in a manner that a developer could access at this level.
Sony is going to have one hell of a class action lawsuit on its hands.
At this point, I'm almost surprised the password wasn't stored in plain text. Then again, given the magnitude of the breach, I'm betting on it not being very hard to break the hashed password.
Fear is the mind killer.
If the person who stole the SOE accounts could get in contact with me, I've been trying to reset my SOE password for 2 months now, and it hasn't worked. Could you tell me what my password is?
Moral of the story is to not piss off a very capable hacker community by going after their heroes.
It's the way of the future!
It is getting harder and harder to read Slashdot. It seems like all the posts have to use their favorite abbreviations. Maybe I am biased, but please only use stock tickers as corporate abbreviations or something that is immediately clear. From the context, I still had to go look up what SOE was.
Too many people on /. (-- an appropriate use of abbreviation) are beginning to think TTROO (That They aRe the Only Ones -- a bad use of abbreviation).
I've been on this site for a very long time, and it sucks I have to google shit like this, even though I work in high-frequency trading and can even understand abbreviations in my spaghetti-o's. I can usually guess it, but I still have to Google crap like this to be sure.
Terrible writing style. Will a couple of extra characters really kill you, editors?
Sorry, "editor" implies some sort of caring for your work. I know you just click Accept/Reject like a blind monkey.
Subject: Important Customer Notification
Customer Service Notification
May 2, 2011
Dear Valued Sony Online Entertainment Customer:
Our ongoing investigation of illegal intrusions into Sony Online Entertainment systems has discovered that hackers may have obtained personal customer information from SOE systems. We are today advising you that the personal information you provided us in connection with your SOE account may have been stolen in a cyber-attack. Stolen information includes, to the extent you provided it to us, the following: name, address (city, state, zip, country), email address, gender, birthdate, phone number, login name and hashed password. Customers outside the United States should be advised that we further discovered evidence that information from an outdated database from 2007 containing approximately 12,700 non-US customer credit or debit card numbers and expiration dates (but not credit card security codes) and about 10,700 direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain may have also been obtained and we will be notifying each of those customers promptly.
There is no evidence that our main credit card database was compromised. It is in a completely separate and secured environment.
We had previously believed that SOE customer data had not been obtained in the cyber-attacks on the company, but on May 1st we concluded that SOE account information may have been stolen and we are notifying you as soon as possible. We apologize for the inconvenience caused by the attack and as a result, we have:
1. Temporarily turned off all SOE game services;
2. Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
3. Quickly taken steps to enhance security and strengthen our network infrastructure to provide you with greater protection of your personal information.
We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.
For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When SOE's services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your Station or SOE game account name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.
To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:
# U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit www.annualcreditreport.com or call toll-free (877) 322-8228.
# We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a "fraud alert" on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, pl
At what point does the government just pass a law that collects a fee if you hold CC data on a server, and give everyone free credit monitoring? This incident alone represents nearly 1/10th of the USA population. Add in TJ Maxx, and a few others, and I am willing to bet damn near everyone has had a card number stolen by now. I would put up my paycheck to bet it will be certain in 10 years.
Everyone was too pissed off at Sony to stop and think for a second: MAYBE the reason behind the removal of "Other OS" and the gross over-reaction to GeoHot is because Sony realized that their entire operation had more holes than Swiss cheese? It had very little to do with being control freaks or preventing homebrew: perhaps Sony has all this time been living with a faulty-by-design network and even "Other OS" could have exposed it?
I received an email from Sony Online Entertainment this morning for some reason. I have never given them my information for anything. Now I'm nervous.
I object to power without constructive purpose. --Spock
First of all, you need to remember who's running this country, and it's not us. It's big corporations like Sony. They can essentially screw all of us with impunity and if they go too far, the government gives them a slap on the wrist as a show of good faith to the people.
Consider the SEC. When they fine some trading company $20 million for some illegal trading activities, do you really think that's a big deal? Of course not, because the company made $100 or $200 million doing the illegal trade. To them, the fine is a cost of doing business. It's the kickback to their partner in crime, the government.
You're not going to get much out of Sony. And the government won't force much out of Sony. You have only one way of controlling this issue, and that's to vote with your wallet and stop buying *anything* connected to Sony. That means even carefully picking what movies you see this summer.
Only if Sony was to suffer considerable losses by people abandoning them en masse would they ever get the hint. But as long as they are profitable, they can continue to screw their customers, because their customers keep buying their shit. It's like you WANT to be tortured.
If telephones are outlawed, then only outlaws will have telephones.
Amazing how you could quit SWG out of post NGE Disgust and still get nailed.
should probably become the norm, not only after a fraud attempt is noticed/reported.
To-do List: Receive telemarketing call during a tornado warning. Check.
So, when are all you losers going to wake up?
Sony just wanted your money, they don't give a crap about you, your rights to privacy, or even making an attempt at keeping your data secure.
If you purchased a Sony product in such a way that they've got your credit card number, you're at risk, and it doesn't seem to matter since when; since the beginning of Sony on the Internet. Hopefully, those of you using Sony Online since the days of the Playstation (one), only have expired credit cards to worry about, but anyone who has used Sony recently is at more risk.
Throw out your Playstation 3. NEVER AGAIN purchase a Sony Product, do not buy their records, do not watch their movies, do not buy their headphones, MP3 players, e-book readers, or any of their other trash.
YOU MUST SEND A MESSAGE: I suggest even writing to Sony if you're their customer and TELL THEM that you are boycotting their products and you are advising your family and friends to do the same.
You *can* live without their crap. Surprisingly, there's a world out there. With trees, grass, flowers, and girls. Put down the controller, sir, and step away from the TV.
I love the way corporations do this, just wait for a big news story (Osama's dead) and then start releasing the full extent of the disaster. The same principle worked for the cigarette companies. They were set to be torn apart for lying about the dangers of smoking and genetic modification to increase addiction, then along came 9/11 and all was forgotten. All you got to do is stonewall until a bigger problem comes along.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
I haven't bought anything from Sony since 1981 when I bought one of their XR-25 car stereos and it turned out to be a piece of crap.
And even after this latest fiasco, my give-a-fuck meter is still pegged on zero.
Fuck you Sony!
How did the hackers obtain passwords? Were they snooping as people were logging in to PSN? I sure hope PSN doesn't store passwords that can be reversed (or worse, plain text!). I guess the main concern is they can brute-force attack at their leisure the passwords they stole...
So if I bought a Sony Blu-ray player a while back, and had to create an account on their site to "access" the device, it appears that account I created has been compromised.
We play the game with the bravery of being out of range
Sony's method of protecting private data!
http://www.vgcats.com/comics/?strip_id=302
You must master your joystick like a fisherman masters bait! - Gimpy
This will only get worse unless everyone who has done any business with Sony changes their passwords to all other accounts.
Each account to each website must have a unique password. Password re-use is what hackers depend on to leverage their attacks.
This can and will only get worse until users compartmentalize. One unique password per account always.
I keep hearing about intrusions that result in data theft, including credit card numbers, etc. Can someone tell me why on earth this information is being stored as plain-text and not as encrypted files? Unless of course the data is encrypted and the passphrases are stored in open-text files with a filename of "password_to_our_files.txt"
This is so delicious. Serves you right weasels.
open sourcing their customer data. What's wrong with giving back to the community?
While I take no pleasure in the fact that people's financial data has been compromised, my intense dislike of Sony and its business practices is severely inhibiting my ability to wipe an evil little grin off my face.
Chas - The one, the only.
THANK GOD!!!
Really? Then why haven't we seen any massive credit card fraud yet? Sony is claiming at over 10 million CC numbers were "stolen" and that was from a hack done more than 2 weeks ago.
If these were career criminals, why haven't we yet seen the horror stories of millions of dollars of goods shipped to Romania, with average joes holding the bag on the bill?
And why target Sony? Amazon would have far more data, as well as Facebook. Or, hack Microsoft's Xbox network which has more users in the USA. Why wasn't Nintendo targeted?
And if you're going to say that the perpetrators somehow knew that Sony's security was weak, then you're pointing to an inside job.
Sony appears to have been targeted because they are a bunch of douches. And judging by the low level of fraud so far, I'd say that the hackers are showing some restraint about harming the average joe while doing massive damage to Sony's image.
That doesn't sound career criminal to me, that sounds like vengeance from the user community after "Other OS" was removed.
Notice how the PS3 ads are off TV? They need to change their slogan to "It only does nothing".
So, when are all you losers going to wake up?
Corporate America just wanted your money, they don't give a crap about you, your rights to privacy, or even making an attempt at keeping your data secure.
If you purchased an American product in such a way that they've got your credit card number, you're at risk, and it doesn't seem to matter since when; since the beginning of the credit card. Hopefully, those of you using goods and services since the 1960s, only have expired credit cards to worry about, but anyone who has used credit cards recently is at more risk.
Throw out your modern toys. NEVER AGAIN purchase any products, do not buy their records, do not watch their movies, do not buy their headphones, MP3 players, e-book readers, or any of their other trash.
YOU MUST SEND A MESSAGE: I suggest even writing to the President of the United States if you're their customer and TELL THEM that you are boycotting their products and you are advising your family and friends to do the same.
You *can* live without their crap. Surprisingly, there's a world out there. With trees, grass, flowers, and girls. Put down the controller, sir, and step away from the TV.
All jest aside, I never expected Sony to care about me, but I have been surprised by how brazenly customer-hostile they are. I have been boycotting Sony and spreading the word about just how crappy they are for the last several years.
With Sony in so much trouble, with a loss of credibility, and with the Japanese semiconductor industry somewhat disrupted, will the PS4 be cancelled?
After Sony's initial admission of the PSN breach, a lot of people pointed fingers of blame at the PS3 hackers without so much as a shred of evidence either way.
Now that it appears SOE was also penetrated at approximately the same time, I think it's fair to ask just where the penetration occurred, how much customer data was accessible across Sony's networks, and what (if any) internal safeguards were supposed to be in place. There could be multiple penetrations through several vulnerable points, but this looks even more coordinated and planned than initially suspected. If Sony hasn't investigated IT employees, it's time to start -- at minimum, someone has loose lips or careless behaviour. At worst, someone sold them out.
Really? Then why haven't we seen any massive credit card fraud yet? Sony is claiming at over 10 million CC numbers were "stolen" and that was from a hack done more than 2 weeks ago.
Perhaps there is a delay because reports will come from individuals, not a massive company.
If these were career criminals, why haven't we yet seen the horror stories of millions of dollars of goods shipped to Romania, with average joes holding the bag on the bill?
Banks are pretty good at looking after their money. Haven't you ever had them contact you about suspicious purchases? I know of two people who have had multiple thousand-dollar charges on their credit cards due to this. Interestingly enough one charge was at an Apple store for around $5000 which he joked would probably buy them two iPads. The other works for Sony... go figure.
And why target Sony? Amazon would have far more data, as well as Facebook. Or, hack Microsoft's Xbox network which has more users in the USA. Why wasn't Nintendo targeted?
Perhaps how the hack was pulled off would shed some more light on this. Baseless speculation: Perhaps it has something to do with implicit trust of the client...
That doesn't sound career criminal to me, that sounds like vengeance from the user community after "Other OS" was removed.
You mean that feature that was included so the PS3 could be classified as a computer to get it into certain countries under a different tax status which ultimately failed and they subsequently removed?
Notice how the PS3 ads are off TV? They need to change their slogan to "It only does nothing".
It only does identity theft.
You get tired of walking around doing nothing.
I couldn't tell if the spam was a result of an account of mine being revealed by Sony (I don't even recall having one, but who knows in this age of demanding accounts be created to access basic information at every website) or if the spammer was merely spoofing having the information. They used "playstation.sony.com" as the hostname in their certainly phony email address, so they're intimating something.
The email consisted of a few random characters (letters and digits) in the subject and a couple more in the body. Almost certainly a bounce-test. Likely winnowing the database to improve its price on the market.
But, anything that can be bounce-tested can be traced to its source. I say we send in the SEALs when they get back from their two-week hookers, booze, and cigars mission.
As if I needed more reasons not to buy Sony.
Like a million souls crying out
"This is no surprise."
(You can tell that I'm not a great SW fan.)
Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
Hire more lawyers! STAT!
PCI DSS standards clearly dictate that all customer data, when "at rest" (i.e. on disk, in a database, etc.) needs to be encrypted: https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf: "Do use strong cryptography to render unreadable cardholder data that you store, and use other layered security technologies to minimize the risk of exploits by criminals." That Sony (and all the other businesses and institutions that have been hacked, left laptops to be stolen, etc.) doesn't do this is inexcusable. Had this data been properly encrypted, it would have been unusable to anyone. It's trivial to incorporate this encryption as a part of the design.
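As an added illustration of the "encrypt cardholder data at rest" point made above and in the earlier comment asking why card numbers are stored in plain text (example code, not Sony's or the thread's), the stored row below holds only an AES-256-GCM ciphertext, its nonce and the last four digits; the key is assumed to come from a separate key store, and the customer id is bound in as associated data so a ciphertext cannot be moved between rows. Names such as Vault and CardRecord are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"strings"
)

// CardRecord is the database row: no plaintext PAN, only authenticated
// ciphertext, its nonce, and the last four digits for display.
type CardRecord struct {
	Nonce      []byte
	Ciphertext []byte
	Last4      string
	Expiry     string
}

// Vault wraps a data-encryption key that is assumed to live outside the
// database (HSM, KMS or a separate host), so a table dump alone is useless.
type Vault struct{ aead cipher.AEAD }

func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("need a 32-byte AES-256 key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Store encrypts a PAN under a fresh nonce. The customer id is bound in as
// associated data, so a ciphertext copied onto another customer's row fails
// to decrypt instead of silently charging the wrong card.
func (v *Vault) Store(customerID, pan, expiry string) (CardRecord, error) {
	digits := strings.ReplaceAll(pan, " ", "")
	if len(digits) < 13 || len(digits) > 19 {
		return CardRecord{}, errors.New("PAN length out of range")
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return CardRecord{}, err
	}
	ct := v.aead.Seal(nil, nonce, []byte(digits), []byte(customerID))
	return CardRecord{Nonce: nonce, Ciphertext: ct, Last4: digits[len(digits)-4:], Expiry: expiry}, nil
}

// Load decrypts for the one code path that genuinely needs the PAN (charging);
// any key mismatch, wrong customer id or tampered byte makes GCM reject the row.
func (v *Vault) Load(customerID string, rec CardRecord) (string, error) {
	pt, err := v.aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(customerID))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, wrong customer, or tampered row")
	}
	return string(pt), nil
}
```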