Sony Breach Gets Worse: 24.6 Million Compromised Accounts At SOE

← Back to Stories (view on slashdot.org)

Sony Breach Gets Worse: 24.6 Million Compromised Accounts At SOE

Posted by Soulskill on Tuesday May 3, 2011 @12:14AM from the over-100-million-served dept.

An anonymous reader writes with an update to yesterday morning's news that Sony Online Entertainment's game service was taken offline to investigate a potential data breach related to the PSN intrusion. SOE has now said that they too suffered a major theft of user data. "... personal information from approximately 24.6 million SOE accounts may have been stolen, as well as certain information from an outdated database from 2007. The information from the outdated database that may have been stolen includes approximately 12,700 non-US credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, Netherlands and Spain."

172 of 242 comments (clear)

Min score:

Reason:

Sort:

Just wondering by foma84 · 2011-05-03 00:16 · Score: 1

Is it that they are so unprepared that they didn't know it until today, or were so diabolic that they didn't tell anyone yet? Just feeling great for not having ANY money on the net.
1. Re:Just wondering by Dunbal · 2011-05-03 00:19 · Score: 1
  
  The only money I have on the 'net is the money I have given to my stock broker. So in theory I am "safe", having given my money to the biggest thief of all!
  
  --
  Seven puppies were harmed during the making of this post.
2. Re:Just wondering by houstonbofh · 2011-05-03 00:22 · Score: 4, Insightful
  
  All of those folks who decided to boycott Sony over any one of the rootkit fiascoes should be feeling a bit superior right now.
3. Re:Just wondering by Anrego · 2011-05-03 00:24 · Score: 1
  
  I've actually seen a surprisingly lack of "I told you so". I figured it would be every second comment at this point...
4. Re:Just wondering by Tsingi · 2011-05-03 00:34 · Score: 2
  
  I've actually seen a surprisingly lack of "I told you so". I figured it would be every second comment at this point...
  LOL! I'm with you there. I have a PS3, I plugged it into the net. Halfway through reading the Sony online licence agreement I unplugged it vowing never to plug it in again. I don't recall what it was that set me off exactly, it was years ago, but I haven't changed my mind.
  A journalist friend of mine has suggested the possibility that Sony is staging this "hacker" attack as a fortuitous propaganda stunt to make hackers look bad and possibly cover up a real infrastructure problem caused by Sony itself.
  Can't say it doesn't sound reasonable, after all, they are capable of writing and distributing viruses.
5. Re:Just wondering by Inda · 2011-05-03 00:36 · Score: 1
  
  Thanks! I do feel superior because of my purchasing habits!
  
  I am slightly concerned about my Xbox Live account - it's only a matter of time, ay?
  
  --
  This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
6. Re:Just wondering by marcello_dl · 2011-05-03 00:49 · Score: 1
  
  Last sony product I owned is a second hand trinitron, but there's nothing to feel superior about.
  With sony rootkit, the consumers were screwed. With this fiasco the consumers were screwed, and most of them don't know what a rootkit or an otheros is.
  
  --
  ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
7. Re:Just wondering by gclef · 2011-05-03 00:50 · Score: 5, Interesting
  
  I haven't done business with Sony Online Entertainment at all for over a decade, and I'm apparently effected. I subscribed to Everquest way back in the day, but dropped somewhere around 2001. I just yesterday got an email from them that my personal information had been lost. So, don't feel so superior...even if you started boycotting them over the rootkits, they kept your information from before then, and then lost it to hackers.
8. Re:Just wondering by HAKdragon · 2011-05-03 01:10 · Score: 1
  
  As an owner of both the PS3 and 360, I called my bank and canceled my card last week, just in case. What really irratates me is that, at least through the web interface, you can not remove your credit card information from Microsoft's billing services - at least with an active Live Gold membership (depsite the fact the Live Gold account is already paid for)
  
  --
  "Our opponent is an alien starship packed with atomic bombs. We have a protractor."
9. Re:Just wondering by HAKdragon · 2011-05-03 01:13 · Score: 2
  
  Of course they are! The only thing that out numbers Slashdot community member's tin foil hats is their feeling of superiority and smugness! (I'm only half joking)
  
  --
  "Our opponent is an alien starship packed with atomic bombs. We have a protractor."
10. Re:Just wondering by jhoegl · 2011-05-03 01:18 · Score: 2
  
  So is death, what is your point?
  Be Aware, Protect, Defend. This has not changed since Man has become self aware.
11. Re:Just wondering by delinear · 2011-05-03 01:20 · Score: 5, Interesting
  
  I'm one of those who have been boycotting Sony since the rootkit fiasco but I'm not going to get preachy about it. For me, it's not some kind of crusade to get them to mend their ways or die, it's actually rather pure self-interest - I just know that they can't screw me over. I do wish a few more people would take note and Sony would mend their ways as a reaction. They used to be a decent company, their hardware was always top notch and I loved the PS1, it's just a bit sad to see them go down this route of profit above all.
12. Re:Just wondering by kannibal_klown · 2011-05-03 01:25 · Score: 2
  
  A journalist friend of mine has suggested the possibility that Sony is staging this "hacker" attack as a fortuitous propaganda stunt to make hackers look bad and possibly cover up a real infrastructure problem caused by Sony itself.
  While it makes *some* sense, I don't buy it.
  My feeling is that this whole fiasco is hurting Sony's bottom line more than the whole hacker-awareness / scapegoat thing could even provide in the long-term.
  They're losing a lot of customer trust and customer loyalty, and I have to assume this is hurting their stock price. Once is a shame, twice (so close together) is a disaster.
  While it's true that companies probably want to shine a large spot-light on hackers, identity theft, etc there has to be some risk management. If this were true, then Sony is performing a kamikaze with way too many aspects to be worth it even in the long term.
13. Re:Just wondering by Jawnn · 2011-05-03 01:25 · Score: 1
  
  I've actually seen a surprisingly lack of "I told you so". I figured it would be every second comment at this point...
  Complete waste of time. We said it. Everyone knows it. Why bother to observe the obvious.
  Oh, wait... You mean the network and security engineers at Sony who had been telling their bosses the needed a realistic budget for security. Yeah, I'd have expected those poor saps to have gone public by now.
14. Re:Just wondering by Anonymous Coward · 2011-05-03 01:28 · Score: 1
  
  Apache 2.2.3 is also the version provided with Red Hat Enterprise Linux 5 and would be fully patched if the admins installed all the updates.
15. Re:Just wondering by torgis · 2011-05-03 01:38 · Score: 2
  
  A journalist friend of mine has suggested the possibility that Sony is staging this "hacker" attack as a fortuitous propaganda stunt to make hackers look bad and possibly cover up a real infrastructure problem caused by Sony itself.
  While it makes *some* sense, I don't buy it.
  Agreed. It just does not sound plausible. Sometimes it's fun to attribute stuff like this to some scheming corporate overlord, sometimes what appears to be poorly handled public relations nightmare is, in fact, a poorly handled public relations nightmare.
16. Re:Just wondering by torgis · 2011-05-03 01:40 · Score: 1
  
  As an owner of both the PS3 and 360, I called my bank and canceled my card last week, just in case. What really irratates me is that, at least through the web interface, you can not remove your credit card information from Microsoft's billing services - at least with an active Live Gold membership (depsite the fact the Live Gold account is already paid for)
  I noticed that too and it really irritates me. You have to call their customer service number and jump through a ton of hoops to unsubscribe, while they try to talk you into paying for additional time. It was actually easier for me to just cancel my credit card - I try to cycle through a few per year anyway for reasons such as this.
17. Re:Just wondering by torgis · 2011-05-03 01:43 · Score: 1
  
  Hah! I have an ancient email account I still check once in a while and I got the same notice. I haven't played Everquest since late 2000 or early 2001. Fortunately the only thing they have that's still the same is my name and that old email address. Everything else (credit cards, address, etc...) has changed multiple times since then.
18. Re:Just wondering by erroneus · 2011-05-03 01:46 · Score: 4, Insightful
  
  I would lay my bet on "Sony doesn't want to tell anyone how bad it is" until they are required to do so. This is very much the same pattern of behavior we see with the Fukushima nuclear plant. Please believe me when I say that this behavior is quite typical of Japanese companies. It is not "diabolical" as you may think but is instead considered "wise" not to share information that is not required and may be potentially damaging to the company.
  But to Sony I say "FEAR YOUR CUSTOMERS." You are not in control as much as you seem to think you are. They control the dollars in their pockets (though not necessarily those in their bank or credit accounts as you well know) and they choose what they buy from you. And when you make them angry, and you never know exactly who are are making angry, these anonymous customers, you just might make some who are dangerous to you very angry in the process.
  I am guessing that this is a very focused attack on Sony. Was it because of their shoddy products? Their involvement in the recording industry? Their abuse of customers in general? It could be any or all of these things or more. So yeah, Sony... you forgot "the customer is always right" and that happy customers are your best customers.
  And if other companies haven't figured out by now, "you are next" if you don't start taking care of your customers and keep abusing them as you do. I am speaking to AT&T, Verizon and any other company that is known for being abusive to customers. Just wait and see.
  I'm just glad I pulled away from Sony so long ago. I didn't have much if any data at risk this time around, so I'm good to go for now. It's all good entertainment for me at the moment.
19. Re:Just wondering by BLKMGK · 2011-05-03 01:59 · Score: 1
  
  Yup, and they will autorenew you too - even if the expiration on the card has passed. Yes, they did it to me! The card is now long gone and so is my "gold" membership and I doubt I'll ever buy another after the experience I had trying to cancel this one. Thankfully Sony doesn't have any such details from me...
  
  --
  Build it, Drive it, Improve it! Hybridz.org
20. Re:Just wondering by samjam · 2011-05-03 02:02 · Score: 2
  
  Cancelling your card is NOT the same as cancelling the service that you way paying for with the card.
  They may just send the debt collectors around instead.
  if you want to cancel a service, make sure you do just that. Cancelling the card is good too, in case they don't manage to stop taking payments, but it's not a substitute.
  
  --
  blog.sam.liddicott.com
21. Re:Just wondering by Tsingi · 2011-05-03 02:05 · Score: 1
  
  Agreed. It just does not sound plausible. Sometimes it's fun to attribute stuff like this to some scheming corporate overlord, sometimes what appears to be poorly handled public relations nightmare is, in fact, a poorly handled public relations nightmare.
  I was suggesting that Sony might be using this story to cover up another problem, and so cash out on the propaganda, not that they specifically creating this problem to attack hackers. I agree that that would be overboard and unrealistic.
22. Re:Just wondering by ilsaloving · 2011-05-03 02:05 · Score: 1
  
  That's because there's no point. People continue to buy Sony despite their antics. Those of us who know better avoid sony like a plague, and then watch, wait, and roll our eyes as another batch of people get screwed over.
23. Re:Just wondering by torgis · 2011-05-03 02:12 · Score: 1
  
  Cancelling your card is NOT the same as cancelling the service that you way paying for with the card.
  They may just send the debt collectors around instead.
  if you want to cancel a service, make sure you do just that. Cancelling the card is good too, in case they don't manage to stop taking payments, but it's not a substitute.
  Depending on the service, this is true. But I haven't heard from them in about 9 years so canceling the card must have done the trick.
24. Re:Just wondering by wintercolby · 2011-05-03 02:21 · Score: 1
  
  Meh, I've been boycotting them since the MP3 lawsuits, and didn't give them any of my info before then.
  
  --
  Most ignorance is vincible ignorance. We don't know because we don't want to know. --Aldous Huxley
25. Re:Just wondering by NevarMore · 2011-05-03 02:26 · Score: 1
  
  , and I have to assume this is hurting their stock price. Once is a shame, twice (so close together) is a disaster.
  http://www.google.com/finance?q=Sony - Not sure which Sony to look at, but it seems that it is.
26. Re:Just wondering by SharpFang · 2011-05-03 02:37 · Score: 1
  
  The fact you have not -given- money doesn't mean there is no money to be stolen from you. Only if you're so far in debt that the most dubious credit agency refuses to lend you money you can't be stolen from. Otherwise you may go day to day happily until debt collector knocks on your door with demand to pay the loan back - the loan you never took.
  
  --
  45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
27. Re:Just wondering by Hijacked+Public · 2011-05-03 02:37 · Score: 4, Insightful
  
  Sony did mend their ways. After the rootkit fiasco for sure, but after most of the other bonehead moves as well. They apologized and promised to do better and all that, like they all do.
  But, like they all do, over time the same forces that led them to this will lead them there again. Corporate structures being what they are it simply isn't possible to communicate an intangible risk like 'what if a hacker breaks in and copies all our data' well enough to garner the kind of funding to implement real security. At least not at a company the size of Sony. And certainly their users have proven that at every turn they are willing to sacrifice security for convenience and price and features. This site has a Sony gaffe poll on the front page, and the readership is better educated about tech issue than most, yet how many PS3s per capita do you think there are here?
  So Sony has little motivation to really change and I doubt they are alone in having lax security.
  I am looking forward to the show they will put on after this is over. Figure they will hire Bruce Scheiner and Theo DeRaadt. Fireworks. Maybe a hovercraft pulls up to Sony HQ and the team that took Bin Laden pours out, sets up a perimeter. Sony's CEO stomps onto the stage in a mecha and declares war on hackers. It is going to be amazing.
  
  --
  "Sacrifice for the good of The State" - The State
28. Re:Just wondering by Sawbones · 2011-05-03 02:47 · Score: 1
  
  Since it's been over a decade for me, I honestly can't remember - what information did they even collect for Everquest? Yeah, they'd have massively outdated address and phone information, but I consider that already essentially public information. What else, birth date? Certainly not mother's maiden name or SSN or anything along those lines. Does anyone remember?
  
  --
  
  Ad in classifieds: Pandora's Box (no box) $5
29. Re:Just wondering by Skuld-Chan · 2011-05-03 02:51 · Score: 1
  
  A journalist friend of mine has suggested the possibility that Sony is staging this "hacker" attack as a fortuitous propaganda stunt to make hackers look bad and possibly cover up a real infrastructure problem caused by Sony itself.
  You think the damage in their reputation, their online branding for SOE etc is worth this? If true they have some monumentally stupid people working for them.
30. Re:Just wondering by Psmylie · 2011-05-03 02:51 · Score: 1
  
  You're right about how hard it sometimes is getting executives to see how important security is to a company. Which is why examples come in so handy. So, the one thing about this that could be considered a silver lining is that tons of other companies are watching what's happening and thinking, "Gosh, maybe we should look at our own security, because we don't want to be the next SOE"
  The problem is, that's a lesson that tends to be forgotten when it's time to write up the next budget.
  
  --
  
  psmylie's dictionary: Godzillion (noun) Any number large enough to destroy Tokyo
31. Re:Just wondering by kelemvor4 · 2011-05-03 02:59 · Score: 1
  
  http://finance.yahoo.com/echarts?s=SNE+Interactive#chart3:symbol=sne;range=3m;indicator=volume;charttype=line;crosshair=on;ohlcvalues=0;logscale=on;source=undefined This one makes it a little more obvious. I think tomorrow will be a good day for me to buy some Sony stock after the new news gets out everywhere ;)
32. Re:Just wondering by Anrego · 2011-05-03 03:06 · Score: 1
  
  I am looking forward to the show they will put on after this is over. Figure they will hire Bruce Scheiner and Theo DeRaadt. Fireworks. Maybe a hovercraft pulls up to Sony HQ and the team that took Bin Laden pours out, sets up a perimeter. Sony's CEO stomps onto the stage in a mecha and declares war on hackers. It is going to be amazing.
  That seriously made my day! Thanks :)
33. Re:Just wondering by CrashandDie · 2011-05-03 03:12 · Score: 1
  
  I'm one of those who have been boycotting Sony since the rootkit fiasco but I'm not going to get preachy about it.
  You just did.
34. Re:Just wondering by Kierthos · 2011-05-03 03:15 · Score: 1
  
  Just to add to the fun, phishers are just sending out mass e-mails to anyone and everyone over this. I received one today, and I don't even have a playstation, much less a PSN account. (Note: check your links in any e-mails.... anything that goes to *.innovyx,net... don't click the link.)
  
  --
  Mr. Hu is not a ninja.
35. Re:Just wondering by ifiwereasculptor · 2011-05-03 03:28 · Score: 1
  
  Interesting chart. Seems to me like the recent price drop is nothing atypical, though, just common market variation. Nothing like 2009 - that was something to be excited about. Actually, aside from a low here and there, Sony's stock price seems to have been increasing pretty steadily. I'd like to be wrong, though. Thank god I'm not a professional market analyst. Not that it would make my predictions any more trustworthy, of course - I just felt like expressing my joie de vivre.
36. Re:Just wondering by ifiwereasculptor · 2011-05-03 03:30 · Score: 1
  
  If true they have some monumentally stupid people working for them.
  I wasn't taking that conspiracy theory seriously until now, but you make a compelling argument.
37. Re:Just wondering by webdog314 · 2011-05-03 03:47 · Score: 2
  
  So our choices are, "It's those nasty, evil, hackers... taking advantage of Sony's (obviously) inadequate security"... or "It's Sony's (obviously) inadequate security... attracting those nasty, evil, hackers." Meh. Either way, Sony blew it, and doesn't deserve to be trusted anymore. We should have learned with the whole rootkit fiasco, but we do like our gaming... apparently more than our credit cards.
38. Re:Just wondering by Just+Some+Guy · 2011-05-03 03:47 · Score: 2
  
  wow man that's harsh. you're saying that if a company doesn't give you good customer service, then somebody will hack the company, steal millions of account records, and cause millions if not more in damages and lost business?
  If he's not, I will: yes, that's exactly correct. When companies piss enough people off, someone goes gunning for their servers. Neither erroneus nor I are claiming that this is the correct, moral, or legitimate response, just that it's a likely outcome. Sony and their peers have worked hard to remove all legitimate means of redress, and now people are pursuing the only avenues left open to the average guy without a few megadollars to futilely pursue them in court. What else would you expect to happen, really?
  
  --
  Dewey, what part of this looks like authorities should be involved?
39. Re:Just wondering by mordenkhai · 2011-05-03 04:00 · Score: 1
  
  I got my email as well, but its been probably 5 years since I played any game on there, and I signed up for EQ at launch. I'll double check the info today when I get a chance to make sure it is nothing important, ie old CC, change password etc.
40. Re:Just wondering by Chibi+Merrow · 2011-05-03 04:07 · Score: 1
  
  Sony has gone a bit beyond "doesn't give you good customer service".
  
  --
  Maxim: People cannot follow directions.
  Increases in truth directly with the length of time spent explaining them
41. Re:Just wondering by networkBoy · 2011-05-03 04:13 · Score: 1
  
  Corporate structures being what they are it simply isn't possible to communicate an intangible risk like 'what if a hacker breaks in and copies all our data' well enough to garner the kind of funding to implement real security. At least not at a company the size of Sony
  I work for a company of roughly the same size, in a similar industry (hardware not content). I am currently one of the people in charge of validating our security measures. There are several of us, and I am likely near to bottom of that particular totem pole, yet I have the ability to stop the launch of the product I am working on at a cost of likely millions of dollars if I find an issue really late in the game. While the product may ultimately ship even if I find an issue, it will not ship till upper management is fully appraised by the leaders of my team, and by what I've seen already they have substantial power to force delays as needed to provide *real* security, not the illusion of it. So not all is lost in the big business world.
  -nB
  
  --
  whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
42. Re:Just wondering by kevinNCSU · 2011-05-03 04:19 · Score: 1
  
  Well, if they "decided to boycott" then that means they paid for Sony stuff beforehand and their equally at risk as they'd still have their info in the database. Otherwise they just decided to keep on doing exactly what they were doing anyways and their the type of internet people that would already be feeling superior about it anyways ;)
43. Re:Just wondering by jdgeorge · 2011-05-03 04:52 · Score: 1
  
  wow man that's harsh. you're saying that if a company doesn't give you good customer service, then somebody will hack the company, steal millions of account records, and cause millions if not more in damages and lost business?
  If he's not, I will: yes, that's exactly correct.
  Really? You, or some other vengeful hacker will take it out on Sony by stealing from millions of other people? I don't think that's what you mean.
  I think the theft of people's personal data was perpetrated by career criminals, not by wronged consumers.
44. Re:Just wondering by xystren · 2011-05-03 04:55 · Score: 1
  
  [Speculation:ON]
  Wouldn't it just be the most poetically ironic if the mechanism of the breech was due to one of there staff putting in a CD with the DRM root-kit into one of their connected system, which then allowed the propagation of further exploits?
  [Speculation:OFF]
  Their entire response with the root-kit fiasco never sat well with me. Their apology was more like a child that was force to do so - I didn't feel they really had remorse or felt what they did was wrong. Afterall, who would even care if they had a root-kit on their system?
45. Re:Just wondering by praxis · 2011-05-03 05:07 · Score: 1
  
  Have you tested this so-called power? I find most business have sensible policies like that outlined, but nine times out of ten upper management will still decide the risk is worth the cost.
46. Re:Just wondering by praxis · 2011-05-03 05:08 · Score: 1
  
  Not sure what definition of preach you subscribe to, but he explained his personal reasons for his personal boycott. He wasn't preachy about it.
47. Re:Just wondering by praxis · 2011-05-03 05:12 · Score: 1
  
  I'm willing to be saying something like "would you mind sending me in writing that you refuse to cancel my account to the following address (pause)" might work.
48. Re:Just wondering by Maxo-Texas · 2011-05-03 05:28 · Score: 1
  
  Yup. Seen this many times in my own company.
  Talked about risks but until there was a break of some kind, it was ignored.
  To be fair- they may hear about 100's of risks and how do they prioritize? Do they spend millions addressing risks which were over-ranked by their associates? You could go bankrupt that way and still get hit by what you thought was a lower priority risk that you put later in the chain.
  It's not right- but it's why they do it.
  FYI (This is why they ask companies like Gartner and Gartner says, "This is a risk" or "Not a risk yet" and they go with that. Gartner has wider industry experience than one company- is maybe 10% more likely to be correct and 90% likely to have about the same level of clue they do-- but their butts are covered legally.)
  
  --
  She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
49. Re:Just wondering by networkBoy · 2011-05-03 05:42 · Score: 1
  
  Yup.
  We do exercise the power and have done so more than once. That said, it wasn't always like that. Management got burned some number of years ago. They learned their lesson when forced to. But the core structure of how things work here has changed such that the "old ways" really can not come back.
  
  --
  whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
50. Re:Just wondering by Opportunist · 2011-05-03 05:45 · Score: 1
  
  *shrug*
  I just stopped caring. There's only so much bandwidth I'm willing to sacrifice to preaching the deaf.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
51. Re:Just wondering by Tridus · 2011-05-03 05:47 · Score: 1
  
  This is actually the exact reason why I buy so few online games for the Xbox. I'd buy a lot more, but I don't want to leave Live subscribed when I'm not using it (because it costs money) and I don't want to activate it now because doing so means eventually I have to call their horrible customer service to cancel it.
  Why is there no cancel button in the UI like there is in any sane product?
  
  --
  -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
52. Re:Just wondering by praxis · 2011-05-03 05:50 · Score: 1
  
  Excellent. Now if only more business would take a similar stance.
53. Re:Just wondering by Opportunist · 2011-05-03 05:51 · Score: 1
  
  As someone who has been in C-Level positions for some time now I can tell you with some confidence: There is no such thing as a "scheming corporate overlord". It's more a lot of people with very little actual insight in their products who view the whole thing from a bird's view more than from within. I guess one could compare it to playing a RTS game. They only know that there's some product coming out of their factory after n-time and that this product will cost x and sell for y. I'm not so sure anyone at C-Level (except maybe the CISO, who is most likely, like in most non-sec companies, a subordinate of the CIO, and even more likely not even, at least not directly, part of the process that deals with online security) of Sony actually knows what's going on, let alone know what to do now but try to PR the whole thing away.
  I would be very surprised anyone at C-Level knew before the incident about the problem. And even more if something like this would be used in a PR-Stunt. It would be VERY out-of-the-box, and that kind of thinking isn't part of their mindset.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
54. Re:Just wondering by Tangential · 2011-05-03 05:52 · Score: 1
  
  Yep. karma can be a bitch...as Sony is finding out now.
  
  I've somewhat boycotted them since the rootkit days.
  
  I've definitely avoided their branded items, but its pretty hard to avoid Sony parts inside of other products or Sony movies from sources such as Netflix.
  
  --
  Suppose you were an idiot. And suppose you were a member of congress. But then I repeat myself. -- Mark Twain
55. Re:Just wondering by Opportunist · 2011-05-03 05:53 · Score: 1
  
  Sony dropped the ball here. Big time. But don't be too hard on their online security team. Most likely they knew about it, reported it, didn't get the budget to fix it and will now have to bear the fallout.
  It's like living on an ejector seat with someone else having the button to it. Not really a good feeling, I can tell you.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
56. Re:Just wondering by Opportunist · 2011-05-03 05:54 · Score: 1
  
  Wait for the lawsuits...
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
57. Re:Just wondering by networkBoy · 2011-05-03 06:16 · Score: 1
  
  I'm fairly sure it will have to be learned the same way. Get burned, cost the execs money, things change.
  Sad. We teach our children (hopefully) to learn from others' mistakes. Bug business is like a three year old. Won't learn till burned by the stove.
  -nB
  
  --
  whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
58. Re:Just wondering by wwphx · 2011-05-03 06:25 · Score: 1
  
  I've been boycotting Sony electronics for 30 years. I worked audio/video retail sales for a few years, and Sony consistently had a higher return rate than other brands and was priced higher. Not a good value in my book: too much sizzle and not enough steak.
  
  --
  When you sympathize with stupidity, you start thinking like an idiot.
59. Re:Just wondering by dasherjan · 2011-05-03 06:26 · Score: 1
  
  I'm in the Same boat. I stopped playing Everquest in 2003 and I'm still affected. My address may have changed but they have everything else. According to the email only customers out of the country have to worry about credit card information being stolen but given their past reputation I can't give them the benefit of the doubt.
60. Re:Just wondering by kannibal_klown · 2011-05-03 06:27 · Score: 1
  
  I had a really good Sony DLP HDTV (Digital Projector). The lamp lasted forever and the picture was great. Sure it was "older" tech and "only" ran @ 720P but it was great.
  A few years later my parents bought a Sony DLP because they liked mine so much. The picture quality wasn't as good (even though it was1020P) and the lamp blew out really quickly (I think just over a year). Finding a replacement was a major pain and now the TV is slowly dying (green spot growing on the screen).
  My TV purchase was some years back, I've switched brands since. The only physical Sony product I've purchased since then was a PS3 (for which I purchased some games).
  However I also signed up for PSN *and* their DC Universe Online PC game... so I'm probably impacted by all of this.
  Time to change CC numbers.
61. Re:Just wondering by dasherjan · 2011-05-03 06:32 · Score: 1
  
  From what I remember. They had two areas of info they collected. There was the Sony account that had the name, address, phone number and birth date that you gave them. Then they had the credit card info that could be completely different.
62. Re:Just wondering by Lost+Race · 2011-05-03 06:35 · Score: 1
  
  Yep, beautifully designed hardware with hit-and-miss QA, poor reliability and lots of weird bugs. I've forcefully shitcanned in frustration way too much Sony hardware to waste any more money on them.
  Rootkits, SLAPP lawsuits, and customer data breaches are just icing on the "cake".
63. Re:Just wondering by houstonbofh · 2011-05-03 06:51 · Score: 1
  
  Sony did mend their ways. After the rootkit fiasco for sure, but after most of the other bonehead moves as well. They apologized and promised to do better and all that, like they all do.
  And then promptly released another rootkit on the Microvault thumb drives. They did not mend anything. They still think of the customer as the enemy. I will not do business with people like that.
64. Re:Just wondering by houstonbofh · 2011-05-03 06:52 · Score: 1
  
  Of course... That was why I was not surprised to see another rootkit from them later. Remember the Microvault drives?
65. Re:Just wondering by Stupendoussteve · 2011-05-03 07:31 · Score: 1
  
  Of course they keep it, that's standard practice. If you ever wanted to start again it's simply a matter of logging in and putting in a new credit card number.
66. Re:Just wondering by Dunbal · 2011-05-03 21:07 · Score: 1
  
  At which point I would say "show me the note". You know, the one with my signature on it.
  
  --
  Seven puppies were harmed during the making of this post.
67. Re:Just wondering by SharpFang · 2011-05-03 23:39 · Score: 1
  
  I wish I could have your level of belief in people's inability to accurately forge signatures, and the accuracy and reliability of graphology.
  
  --
  45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
68. Re:Just wondering by Miertam · 2011-05-04 04:08 · Score: 1
  
  Sony already declared war on hackers that's what started all this. What annoys me is Sony picked the fight without checking that their security was up to snuff.
69. Re:Just wondering by Dunbal · 2011-05-04 04:57 · Score: 1
  
  This very fact is what is tying up thousands of foreclosures right now, all across the US. They can't find the signatures. Therefore the mortgages are not valid, and can't be foreclosed. It's as simple as that. One of the principles of a contract is that it has to be signed. Good luck enforcing one if it hasn't been. I owe you how much? OK, show me the note. Now if you're an idiot and go posting your signature online, or giving it to people like UPS or your car rental agency, well, too bad for you. You are allowed to have more than one signature.
  
  --
  Seven puppies were harmed during the making of this post.
70. Re:Just wondering by AlienIntelligence · 2011-05-05 16:15 · Score: 1
  
  Tail wagging the dog?
  -AI
  
  --
  For me, it is far better to grasp the Universe as it really is than to persist in delusion
See by Dunbal · 2011-05-03 00:18 · Score: 1

This is what happens when someone manages to jump the fence of your "walled garden".

--
Seven puppies were harmed during the making of this post.
They are upset... by houstonbofh · 2011-05-03 00:20 · Score: 5, Insightful

They are just pissed that somebody stole a lot of personal data, and took over a bunch of computer systems, and it wasn't them.
1. Re:They are upset... by torgis · 2011-05-03 01:47 · Score: 1
  
  They are just pissed that somebody stole a lot of personal data, and took over a bunch of computer systems, and it wasn't them.
  To quote a great man:
  "They wanted to dominate the world. Bullshit! That's our fuckin' job!"
2. Re:They are upset... by eepok · 2011-05-03 03:05 · Score: 3, Insightful
  
  How did this get modded "5, Insightful"? Are those who modded this post agreeing with sentiment (Sony hate) or do they actually believe Sony Online Entertainment wants to steal personal data?
3. Re:They are upset... by Anonymous Coward · 2011-05-03 04:26 · Score: 2, Insightful
  
  Probably has something to do with Sony's reputation before these breeches were known.
  http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal
4. Re:They are upset... by eepok · 2011-05-03 04:52 · Score: 1
  
  Calling the Sony rootkit an attempt at computer takeover is like calling the duplication of an MP3 theft.
5. Re:They are upset... by eepok · 2011-05-03 06:21 · Score: 1
  
  Touche. +1
6. Re:They are upset... by eepok · 2011-05-03 06:24 · Score: 1
  
  No. I just have a minimum standard for vocabulary as it relates to crime.
  Copying an album = copyright infringement, not theft.
  The Sony rootkit was intended to prevent copyright infringement, not create a botnet or steal personal information.
  You can't have a double standard for vocabulary AND expect people to take you seriously.
7. Re:They are upset... by eepok · 2011-05-03 06:26 · Score: 1
  
  Addendum: "The Sony rootkit was intended to prevent copyright infringement /through illegal means/."
8. Re:They are upset... by houstonbofh · 2011-05-03 06:37 · Score: 1
  
  Did you forget the rootkit on the secure thumb drives right after? If you make the same "mistake" over and over, it ain't a mistake.
9. Re:They are upset... by houstonbofh · 2011-05-03 06:39 · Score: 1
  
  Actually, two rootkits, and a subpoena for reading a blog or looking at a video. And this is not touching on the RIAA and MPAA stuff they promote.
10. Re:They are upset... by houstonbofh · 2011-05-03 06:41 · Score: 1
  
  Why does everyone forget the second one right after? http://www.bit-tech.net/news/2007/09/04/sony_admits_to_microvault_rootkit_problem/1 I consider that one worse, as you know it was intentional.
11. Re:They are upset... by eepok · 2011-05-03 07:00 · Score: 1
  
  Really? What about the PSN and SOE /customers/? You know, the ones who just had their financial security compromised? Is that part of the karma and justification?
  I swear, it's like no one's thinking of the MILLIONS of accounts, but focusing on "Oh snap! Corporate PR fiasco!"
12. Re:They are upset... by sjames · 2011-05-03 08:36 · Score: 1
  
  Well, they already committed a mass root-kit attack a few years ago and followed it up with some consumer fraud. It's entirely believable that such an ethics challenged organization like that would use identity theft if they thought they could get away with it. Anything for shareholder value you know!
Best Practices by Anonymous Coward · 2011-05-03 00:22 · Score: 5, Insightful

Hey guys, let's keep around credit/debit card billing data from 2007 all online. Deleting it after 6 months of inactivity could hurt sales!11! There's no cost to keeping it around, nothing that would pass an accountant anyway. Let's pay ourselves a bonus for our forward thinking.
1. Re:Best Practices by mwvdlee · 2011-05-03 00:48 · Score: 2, Interesting
  
  It's probably tax laws requiring them to hang on to all financial transaction details for a number of years.
  
  --
  Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
2. Re:Best Practices by atisss · 2011-05-03 00:58 · Score: 1
  
  well, it wouldn't bother me if they had my credit card number from 2007. Most credit cards have validity of couple years, so I would have changed them already.
3. Re:Best Practices by capnkr · 2011-05-03 00:59 · Score: 4, Insightful
  
  They could *easily* do that in a manner which did not allow for the data to be 'net accessible, and therefore exploitable or fairly easily stolen if their network system became compromised. They could have kept it on non-networked (or non-running) machines, external/removable digital storage, dead-tree hardcopies in a file drawer or stack of boxes... There's no need to have that sort of data instantly - or even very easily - available.
  
  --
  "...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
4. Re:Best Practices by Dunbal · 2011-05-03 01:17 · Score: 1
  
  Er, the credit card number does not change when your card is renewed. Only the expiration date and the security number do. The expiry date can probably be worked out, and that just means they have to guess a 3 (or 4 depending on the company) digit security number.
  
  --
  Seven puppies were harmed during the making of this post.
5. Re:Best Practices by Jawnn · 2011-05-03 01:27 · Score: 1
  
  It's probably tax laws requiring them to hang on to all financial transaction details for a number of years.
  No, it isn't. Think harder...
6. Re:Best Practices by Bengie · 2011-05-03 01:33 · Score: 1
  
  mine changed(bank card anyway).. boo-yaa. I use a credit union and they keep up to date with lots of security stuff.
  Heck, they even have their own numbering system for IDs as not to ask for your SSN/last-4, except in private rooms with an employee.
7. Re:Best Practices by ProppaT · 2011-05-03 02:09 · Score: 1
  
  There's a number of websites, including Amazon.com, that have a crapload of old expired credit cards of mine on file. I don't care, they're expired and I'm too lazy to delete them. On the plus side, they also have all of my addresses from the past 10 years stored...which has actually been a life saver in the past when I couldn't remember an old address :p
  
  --
  Wise men say, "Forgiveness is divine, but never pay full price for late pizza."
8. Re:Best Practices by aztracker1 · 2011-05-03 03:48 · Score: 1
  
  Not only that, but the relevant purchase information, even including the type of CC and the last 4 of the card number would be enough... it's not like businesses keep track of the serial numbers for every cash bill that crosses a register... It's simply a horrible concept. If they allowed for partial refunds, then keeping the information long enough for a refund, fine. If the have recurrent billing.. this should be a walled system (software tier, not just layer) that has a simple API for the front end systems to be able to access as-needed, with simple rules. The data should be encrypted with a per-record key. You could even have a crypto service that's only available from the billing service's tier, to decrypt a single record for 1-time use in recurrent billing scenarios. It isn't rocket science...
  
  It bugs me to no end that programmers, architects and CS engineers will design a software system that pretty much ignores having physical separation of service tiers for things like this.
  
  --
  Michael J. Ryan - tracker1.info
9. Re:Best Practices by GooberToo · 2011-05-03 04:39 · Score: 1
  
  It bugs me to no end that programmers, architects and CS engineers will design a software system that pretty much ignores having physical separation of service tiers for things like this.
  Frequently its someone who is completely out of touch with technology and paid 10x more who make these mandates of engineers.
10. Re:Best Practices by praxis · 2011-05-03 05:44 · Score: 1
  
  Or just ask the customer to re-enter their payment information. Especially since after 12 years it is likely to be different anyhow.
11. Re:Best Practices by praxis · 2011-05-03 05:46 · Score: 1
  
  Amazon does their due diligence in storing the numbers though. Payment information is tokenized in a separate service and not accessible on the network. Only one-way "please charge instrument with alias X Y amount of Z currency" requests go to a proxy service.
How far back does it go? This far... 8 years by Anonymous Coward · 2011-05-03 00:28 · Score: 5, Interesting

I haven't played everquest since 2002 and I got a notice. Luckily for me all that credit card information is outdated and wrong. Event the mailing address is wrong. How someone was able to access this data is beyond me. I cannot, for any reason, think of any justification Sony could have to store something in a manner that a developer could access at this level.
Sony is going to have one hell of a class action lawsuit in it's hands.
1. Re:How far back does it go? This far... 8 years by nedlohs · 2011-05-03 01:26 · Score: 1
  
  Nothing except my name (and date of birth if they have that) is the same as in 2002. Heck I've moved countries and changed citizenship since then...
  But a lawsuit is interesting from the perspective of required arbitration being ruled valid recently. If the EULA in question is that old, and you are no longer a subscriber would something like this now be covered by it?
2. Re:How far back does it go? This far... 8 years by Tei · 2011-05-03 02:00 · Score: 1
  
  Developers? no, that database was probably a backup somewhere inside some computer on the network, so the attacked managed to get shell inside PSN, and from there open other systems, included this database one.
  
  --
  -Woof woof woof!
3. Re:How far back does it go? This far... 8 years by brain_lapse · 2011-05-03 02:44 · Score: 1
  
  Funny because when I tried to retrieve my information a few months ago to fire up Everquest again they couldn't find any of my information. Name, email, username, nope, nothing existed. I was told to start a new account instead.
4. Re:How far back does it go? This far... 8 years by popoutman · 2011-05-03 04:58 · Score: 1
  
  Of course - depending on your country of domocile, EULAs are meaningless things that have no legal standing.
  
  --
  - This sig deliberately left blank. Nothing to see, move along.
Password by ifrag · 2011-05-03 00:30 · Score: 4, Insightful

At this point, I'm almost surprised the password wasn't stored in plain text. Then again, given the magnitude of the breach, I'm betting on it not being very hard to break the hashed password.

--
Fear is the mind killer.
1. Re:Password by mwvdlee · 2011-05-03 00:49 · Score: 1
  
  I'm assuming Sony just invalidated all passwords after the breach and disallowed passwords with the same hash as the previous one?
  
  --
  Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
2. Re:Password by torgis · 2011-05-03 01:50 · Score: 1
  
  At this point, I'm almost surprised the password wasn't stored in plain text. Then again, given the magnitude of the breach, I'm betting on it not being very hard to break the hashed password.
  I would be very surprised if it were actually even hashed properly. Probably using a tried and true password protection scheme called ROT-13.
3. Re:Password by torgis · 2011-05-03 01:52 · Score: 1
  
  I'm assuming Sony just did nothing after the breach and allowed passwords with the same hash as the previous one?
  Fixed that for ya.
Dear Sony Infiltrator... by daitengu · 2011-05-03 00:31 · Score: 5, Funny

If the person who stole the SOE accounts could get in contact with me, I've been trying to reset my SOE password for 2 months now, and it hasn't worked. Could you tell me what my password is?
1. Re:Dear Sony Infiltrator... by equex · 2011-05-03 01:05 · Score: 1
  
  The password is hunter2.
  
  --
  Can I light a sig ?
2. Re:Dear Sony Infiltrator... by SilentStaid · 2011-05-03 01:20 · Score: 2, Funny
  
  To think, this whole time his hunter2ing password was hunter2...
  
  /ducks
3. Re:Dear Sony Infiltrator... by Anonymous Coward · 2011-05-03 02:42 · Score: 2, Funny
  
  Just use ' OR 1=1 --
4. Re:Dear Sony Infiltrator... by ciderbrew · 2011-05-03 04:56 · Score: 1
  
  + 1 mod of :)
5. Re:Dear Sony Infiltrator... by Zanadou · 2011-05-04 18:03 · Score: 1
  
  hunter1
A lesson for companies by modzer0 · 2011-05-03 00:33 · Score: 1, Redundant

Moral of the story is to not piss of a very capable hacker community buy going after their heroes.
1. Re:A lesson for companies by foma84 · 2011-05-03 00:46 · Score: 3, Interesting
  
  This is very wrong. As far as anyone can know there is no correlation between the GeoHot affair and this one. Also if that personal data is exposed it'd harm large parts of that same comunity. Unless this id theft was organized only to prove a point (which is very very unlikely imo), this is no more that a plain theft. As in made by criminals. Only upside is that it exposed security issues, maybe as a lesson for the future. Or maybe not.
2. Re:A lesson for companies by marcello_dl · 2011-05-03 01:01 · Score: 1
  
  I guess law enforcement will be very happy to share the knowledge that make you JMP to this conclusion.
  This seems the work of crackers, the average hacker is more likely to get a handful of credit card details and publish the breach telling how his skillz went through mighty sony defense.
  
  --
  ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
3. Re:A lesson for companies by Dunbal · 2011-05-03 01:22 · Score: 3, Funny
  
  Belong too? Another victim of Muphry's Law.
  
  --
  Seven puppies were harmed during the making of this post.
4. Re:A lesson for companies by Aladrin · 2011-05-03 01:29 · Score: 1
  
  Sony attacked a hacker. Very soon afterwards, a bunch of hackers attacked Sony.
  It's hard -not- to see causation there. It's perfectly possible this was just someone who wanted the account info and didn't have a grudge, but it's easier to assume they are related.
  
  --
  "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
5. Re:A lesson for companies by IICV · 2011-05-03 02:48 · Score: 2
  
  What's really funny is that this whole fiasco would have never happened if Sony hadn't decided to disable the OtherOS function on existing PS3s. This led to hackers breaking open the PS3, which hadn't happened so far because the people who were capable of such feats were happy with OtherOS - and then, it seems that with hacked PS3s, the Sony Online servers were hacked relatively quickly.
  Just imagine - if they hadn't pulled that crap with OtherOS, the PS3 could probably have gone unhacked until it was retired and replaced with the next generation Sony console.
6. Re:A lesson for companies by Acapulco · 2011-05-03 02:48 · Score: 1
  
  Well, to be fair, I wouldn't consider the guys(or girls?) that broke into Sony to be in the same category/class as GeoHot. I would say GH as no finacial interest in hacking some hardware pieces, but instead genuine knowledge interest in how it works, how to make do something it was not designed to do, etc. The other guys would just want to crack the safe, steal the goods, and get out.
  
  How is it that you would see a causation there? If some GeoHot supporters would break into Sony, I believe it would be best for them to only deface their website or stuff like that, maybe even point out their security flaws, publishing how easy it is to get credit card numbers and personal data, etc, but NOT stealing them, since that would backfire into precisely what Sony wants the general public to think of GH, that he is a "menace to society" in that his knowledge is used for evil.
  
  If anything, it's very bad that people make that connection, as it would put GH and the likes of him in a very bad light, which is exactly the opposite of what he advocates for (not piracy, but knowledge, etc). No?
  
  --
  Slashdot. Unreadable news to annoy nerds. - wonkey_monkey
7. Re:A lesson for companies by Abstrackt · 2011-05-03 02:49 · Score: 1
  
  My conspiracy theory is that this attack was being planned for a long time and that GeoHot just happened to make the perfect scapegoat. Now Sony, and a large part of the gaming community, has someone to focus their wrath on and there's very little to prove the two events aren't connected.
  
  --
  They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
8. Re:A lesson for companies by Gunstick · 2011-05-03 03:02 · Score: 1
  
  that's the reason it's often the hacker who gets slammed with lawsuits whereas the cracker goes on unnoticed.
  
  --
  Atari rules... ermm... ruled.
9. Re:A lesson for companies by eepok · 2011-05-03 03:13 · Score: 1
  
  Are you suggesting that millions of Sony Online Entertainment game subscribers over the past 4 years have pissed off a hacker? Because they're the ones that are going to get screwed, not SOE.
10. Re:A lesson for companies by eepok · 2011-05-03 03:16 · Score: 1, Insightful
  
  Get it right. Hackers attacked Sony (and SOE), but while their PR got hurt and they have to spend some money on some security consultants, it's the USERS (past and present) that will be experiencing the brunt of the damage.
  This is an attack on PEOPLE, not a company. If a company was the target, then corporate account information would have been hacked.
  Damn people blinded by the hip thing to hate...
11. Re:A lesson for companies by Hydian · 2011-05-03 03:28 · Score: 1
  
  You assume that there are "a bunch of hackers" instead of just one or a small team working together. I don't think that is the case here.
  You assume that this is a revenge hack, but the evidence does not support your contention. If it was a revenge hack, why was there no noise about it? We didn't get anything until Sony released some information. If it was a revenge hack, I would have expected to see data plastered all over the net before Sony even knew they were compromised. A revenge hack also wouldn't go as deep as this one obviously has or be as hard to trace. These guys have taken care to cover the extent of their intrusion (that or the people Sony brought in to investigate it are morons) and that wouldn't make sense if it was revenge. Revenge would also be something like taking the SOE game servers down, not quietly lifting all of the user data.
  Taking all of the user data and hoping nobody notices hurts a lot of people, but not Sony. I don't see the revenge angle in that.
  We also don't know when or how Sony was compromised. We only know when it was supposedly discovered.
12. Re:A lesson for companies by sempir · 2011-05-03 03:32 · Score: 1
  
  and BANKERS.........
  Know your customer......think before you dump on one........
  Do not not piss off a hacker.
  
  --
  A closed mouth gathers no foot.
13. Re:A lesson for companies by Anonymous Coward · 2011-05-03 03:32 · Score: 1
  
  The hacked PS3s had nothing to do with hacking PSN, that was just an unfounded rumor.
  I mean, seriously, you're suggesting that every development machine had access to millions of credit card numbers and any disgruntled third-party software developer could have accessed them at will even before the firmware keys got out.
14. Re:A lesson for companies by Aladrin · 2011-05-03 05:22 · Score: 1
  
  I didn't say they were all successful.
  
  --
  "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
15. Re:A lesson for companies by Tridus · 2011-05-03 05:52 · Score: 1
  
  It seems highly unlikely that people with the skill and sophistication to pull an attack this big off were nice guys until Sony was mean to GeoHot.
  More likely it's just a coincidence in terms of timing.
  
  --
  -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
16. Re:A lesson for companies by HiThere · 2011-05-03 07:44 · Score: 1
  
  People have all sorts of different models of the universe. In some of them the break-in is close to hardware hacking. In others it's quite distant. People with different models will react differently. And there are a LOT of people who noticed SONYs abusive behavior recently.
  So I wouldn't rule out the Grandparent's theory. It's not one that would have occurred to me, and I don't believe it, but it's not unreasonable. Remember, we're dealing with a large number of separate people with separate models.
  OTOH, commercial gain is probably the primary motivator
  I won't weep any tears for SONY, and while I'm sorry for their customers, I hope they learned a lesson about trusting abusive companies. (OTOH, I'm suspicious of even non-abusive companies. Anyone can get hacked, and many companies are a bit [i.e., very] lax on security.)
  FWIW, I tend to avoid financial transactions on the internet...but I don't avoid them completely, so I know I'm vulnerable. And so are you. Until pre-paid credit cards are available, that don't have any ties to other accounts, this danger will always be present. But both governments and companies have interests that are contrary to the anonymous use of credit. So I expect things to just get worse.
  
  --
  
  I think we've pushed this "anyone can grow up to be president" thing too far.
17. Re:A lesson for companies by shutdown+-p+now · 2011-05-03 11:51 · Score: 1
  
  This is an attack on PEOPLE, not a company. If a company was the target, then corporate account information would have been hacked.
  If you wanted to severely damage Sony's reputation, what better way but to force them to acknowledge a major leak of sensitive customer data? Even more so, doing that once again for another separate database where previously they have claimed it to be secure?
  Leaking corporate info wouldn't have this effect. Even if it had some sleazy stuff, we're all so used to it we'd just have our two minutes of hate, yawn, and move on. But when people realize that their credit card info is leaked and can be abused, they tend to get mad and stay mad - at hackers, for sure, but at Sony as well.
  Meanwhile the actual hacker doesn't need to use the stolen data, or even to retain it, if the sole goal was to tarnish Sony rather than steal CCs.
  Not saying it's a right and proper way to do things, but I don't see it as improbable that someone would give it a try. As another comment in this story noted, we'll see which it is if and when there's widespread reports of CC fraud after this leak. So far I'm not aware of any claims that it's higher than usual, which kinda adds credence to the theory that this is purely an anti-PR campaign.
So hows that cloud thingie working for you? by Anonymous Coward · 2011-05-03 00:35 · Score: 1

It the way of the future!
1. Re:So hows that cloud thingie working for you? by capnkr · 2011-05-03 01:13 · Score: 1
  
  So, all your cloud base are belong to...?
  
  Actually, to thermal interaction with the planetary surface below them.
  
  No, it's not really meme material, but I was inspired by your broken Engrish.
  
  --
  "...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
Re:SOE? Give names please. by scrib · 2011-05-03 00:47 · Score: 3, Informative

Did you miss the first line of TFA?
"An anonymous reader writes with an update to yesterday morning's news that Sony Online Entertainment's game service..."
I think I'm getting a sense of what might be going wrong with high-frequency trading...

--
Help! Help! I'm being repressed!
Re:SOE? Give names please. by Spad · 2011-05-03 01:14 · Score: 2

Please, a true Slashdotter doesn't even finish reading the headline before posting.
Alternate view of the GeoHot fiasco by Anonymous Coward · 2011-05-03 01:16 · Score: 1

Everyone was too pissed off at Sony to stop and think for a second: MAYBE the reason behind the removal of "Other OS" and the gross over-reaction to GeoHot is because Sony realized that their entire operation had more holes than swiss cheese? It had very little to do with being control freaks or preventing homebrew: perhaps Sony has all this time been living with a faulty-by-design network and even "Other OS" could have exposed it?
1. Re:Alternate view of the GeoHot fiasco by Stupendoussteve · 2011-05-03 07:48 · Score: 1
  
  I think they realized Other OS caused security holes before they removed it from the consoles, after all it was never in the PS3 Slim though the hackers have demonstrated it wasn't a hardware limitation. They were obviously trying to quietly phase it out.
Re:SOE? Give names please. by capnkr · 2011-05-03 01:17 · Score: 1

That "PEE" you saw in your spaghetti-o's was apparently no abbreviation...

--
"...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
Why am I getting contacted? by datavirtue · 2011-05-03 01:26 · Score: 1

I received an email from Sony Online Entertainment this morning for some reason. I have never given them my information for anything. Now I'm nervous.

--
I object to power without constructive purpose. --Spock
1. Re:Why am I getting contacted? by datavirtue · 2011-05-03 01:28 · Score: 2
  
  Nevermind...I didn't check the address. Just phishing.
  
  --
  I object to power without constructive purpose. --Spock
2. Re:Why am I getting contacted? by nitehawk214 · 2011-05-03 03:48 · Score: 1
  
  I got one too from soe.innovyx.net. I assume they got my email address from the account hack and are sending out phish emails.
  Nice try assholes. I will be resetting my credit card any how. And fat chance of SOE ever getting any payment from me again.
  
  --
  I'm a good cook. I'm a fantastic eater. - Steven Brust
Re:Free Credit Monitoring is SOCIALISM by tekrat · 2011-05-03 01:39 · Score: 2

First of all, you need to remember who's running this country, and it's not us. It's big corporations like Sony. They can essentially screw of all of us with impunity and if they go to far, the government gives them a slap on the wrist as a show of good faith to the people.
Consider the SEC. When they fine some trading company $20million for some illegal trading activities, do you really think that's a big deal? Of course not because they company made $100 or $200 million doing the illegal trade. To them, the fine is a cost of doing business. It's the kickback to their partner in crime, the government.
You're not going to get much out of Sony. And the government won't force much out of Sony. You have only one way of controlling this issue, and that's to vote with your wallet and stop buying *anything* connected to Sony. That means even carefully picking what movies you see this summer.
Only if Sony was to suffer considerable losses by people abandoning them en masse would they ever get the hint. But as long as they are profitable, they can continue to screw their customers, because their customers keep buying their shit. It's like you WANT to be tortured.

--
If telephones are outlawed, then only outlaws will have telephones.
SWG Just got worse by D66 · 2011-05-03 01:43 · Score: 1

Amazing how you could quit SWG out of post NGE Disgust and still get nailed.
Requesting new credit card numbers annually by whovian · 2011-05-03 01:50 · Score: 1

should probably become the norm, not only after a fraud attempt is noticed/reported.

--
To-do List: Receive telemarketing call during a tornado warning. Check.
BOYCOTT SONY by tekrat · 2011-05-03 01:51 · Score: 1, Troll

So, when are all you losers going to wake up?
Sony just wanted your money, they don't give a crap about you, your rights to privacy, or even making an attempt at keeping your data secure.
If you purchased a Sony product in such a way that they've got your credit card number, you're at risk, and it doesn't seem to matter since when; since the beginning of Sony on the Internet. Hopefully, those of you using Sony Online since the days of the Playstation (one), only have expired credit cards to worry about, but anyone who has used Sony recently is at more risk.
Throw out your Playstation 3. NEVER AGAIN purchase a Sony Product, do not buy their records, do not watch their movies, do not buy their headphones, MP3 players, e-book readers, or any of their other trash.
YOU MUST SEND A MESSAGE: I suggest even writing to Sony if you're their customer and TELL THEM that you are boycotting their products and you are advising your family and friends to do the same.
You *can* live without their crap. Surprisingly, there's a world out there. With trees, grass, flowers, and girls. Put down the controller, sir, and step away from the TV.

--
If telephones are outlawed, then only outlaws will have telephones.
1. Re:BOYCOTT SONY by kannibal_klown · 2011-05-03 02:13 · Score: 2
  
  So, when are all you losers going to wake up?
  Sony just wanted your money, they don't give a crap about you, your rights to privacy, or even making an attempt at keeping your data secure.
  Personally I'm more annoyed at the people that performed the hack than Sony. Granted Sony has lost what little company loyalty I had, I already stopped buying most of their products.
  But in this case is the perpetrators that make me angry. It's one thing to screw with a company, it's another to screw with the average Joe that just wanted to play the latest Ratchet and Clank episode.
  Name, address, birthdate, credit card number... that's more than enough for identity theft. Meaning not only do I need to take emergency steps on top of my pro-active steps, but I have the extra worry if it will be used.
  If this was flat-out theft, then that stinks.
  But if this was about "fighting the man," then what's the point of fighting "the man" if you trample all over the little guys to do it.
2. Re:BOYCOTT SONY by blair1q · 2011-05-03 06:55 · Score: 1
  
  >Sony just wanted your money
  Sony's one of those Japanese companies with a 500-year plan. They don't just want your money once, they want you carving pieces off yourself for them for generations. Brand-loyalty is a key to that strategy. Being oblivious, inconsiderate, exploitative fucktards is not. That's Ballmer's gig.
  >or even making an attempt at keeping your data secure
  Given the opportunities for abuse of their online gaming systems, they have put in place rather serious internet security controls. It appears it took inside intervention for this breach to occur. Which means they did good when it comes to the internet part of their security, but not so good when it comes to the human-factors part of their security. But then, even the governments of the world are vulnerable to time-variable human factors.
  >You *can* live without their crap.
  Sure. And I can live without yours, too.
3. Re:BOYCOTT SONY by Stupendoussteve · 2011-05-03 07:51 · Score: 1
  
  More that enough for ID theft?
  That's information stored in most Facebook accounts, except for the CC number which is easily changed and customers aren't liable for anyway.
4. Re:BOYCOTT SONY by Lisandro · 2011-05-03 07:56 · Score: 1
  
  Why "troll"? He's got a great point. The only way to send a message to huge corporations like Sony is to vote with your wallet.
Great timing! by rsilvergun · 2011-05-03 01:53 · Score: 3, Interesting

I love the way corporations do this, just wait for a big news story (Osama's dead) and then start releasing the full extent of the disaster. The same principle worked for the cigarette companies. They were set to be torn apart of lying about the dangers of smoking and genetic modification to increase addiction, then along came 9/11 and all was forgetting. All you got to do is stonewall until a bigger problem comes along.

--
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
1. Re:Great timing! by DarkOx · 2011-05-03 05:09 · Score: 1
  
  They call it "crisis communications" for a reason I guess.
  
  --
  Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
2. Re:Great timing! by Anonymous Coward · 2011-05-03 06:23 · Score: 1
  
  You have a point, I think Obama is on Sony's payroll and they asked him to stir up something big to draw attention away from them!
Re:Phishing? already? by muridae · 2011-05-03 01:54 · Score: 1

Yup, a friend of mine had played Everquest a while ago, and woke to find that email waiting. Who ever sent it knew what addresses were used for SOE games, and targeted them directly.

Looks like innovyx might have taken it down already, thankfully.
Sony Blu-Ray Player by Sir_Eptishous · 2011-05-03 02:26 · Score: 3, Interesting

So if I bought a Sony Blu-Ray player a while back, and had to create an account on their site to "access" the device, it appears that account I created has been compromised.

--
We play the game with the bravery of being out of range
1. Re:Sony Blu-Ray Player by blair1q · 2011-05-03 06:49 · Score: 1
  
  Aha!
  Yes. Of course. If they're into the blu-ray and warranty databases, that explains how I got spammed:
  http://yro.slashdot.org/comments.pl?sid=2121626&cid=36014248
This comic panel best describes Sony by xQuarkDS9x · 2011-05-03 02:33 · Score: 1

Sony's method of protecting private data!
http://www.vgcats.com/comics/?strip_id=302

--
You must master your joystick like a fisherman masters bait! - Gimpy
Change your passwords ASAP. by elucido · 2011-05-03 02:34 · Score: 1

This will only get worse unless everyone who has done any business with Sony changes their passwords to all other accounts.
Each account to each website must have a unique password. Password re-use is what hackers depend on to leverage their attacks.
This can and will only get worse until users compartmentalize. One unique password per account always.
1. Re:Change your passwords ASAP. by Stupendoussteve · 2011-05-03 07:56 · Score: 1
  
  This will only get worse for as long as websites and the internet as a whole depend on passwords. It is impossible for most users to remember multiple unique passwords for the important sites they go to, let alone the hundreds they would need for every time they wanted to comment on CNN or some blog. Sure, there are password managers, but most either aren't that secure or take users knowing that they should use one.
  I cannot wait for openid and similar services to really take off. It's much easier to work with and have better security at the same time. Kudos to Google and even Facebook for moving in a direction where you can use them for authentication.
Encryption? by s31523 · 2011-05-03 02:43 · Score: 1

I keep hearing about intrusions that result in data theft, including credit card numbers, etc. Can someone tell me why on earth this information is being stored as plain-text and not as encrypted files? Unless of course the data is encrypted and the passphrases are stored in open-text files with a filename of "password_to_our_files.txt"
1. Re:Encryption? by Anonymous Coward · 2011-05-03 03:04 · Score: 1
  
  You shouldn't be too hard on Snoy - I believe this is their first foray into Open Source. I will be the first to admit that it needs work.
Schadenfreude by Chas · 2011-05-03 03:16 · Score: 1

While I take no pleasure in the fact that people's financial data has been compromised, my intense dislike of Sony and its business practices is severely inhibiting my ability to wipe an evil little grin off my face.

--

Chas - The one, the only.
THANK GOD!!!
Re:Phishing? already? by HermMunster · 2011-05-03 04:31 · Score: 1

I've used Sony Online Entertainment for a decade. I generally do not purchase new Sony products. I have yet to receive anything from Sony indicating that my information may have been stolen. I know they have my correct email because I recently contacted them and they replied to me. I would be weary of anything sent to you. You should ensure you verify the "party" sending you the notices.
Aside from that, I do find it a bit disingenuous that Sony is making a PR announcement that basically says that "your information may have been stolen so we shut down the services", and go to the credit card service bureaus if you have further questions about your credit history. I don't like this because 1) an annual credit report won't flag this as you only get it once a year, and 2) everyone should already know they have an annual credit report entitlement so they are just telling us something we (should) already know.
So, for me reading that I am thinking "wow, this irresponsible company let 77 million people's personal identifying information out into the wild and the best they can come up with is to tell us to check with the credit reporting agencies. That that is nothing more than an effort to pass off part of the obligation "owed us" for what happened".
Further, Sony indicates they'll help you get in contact with an identity theft protection company to help you protect yourself. That does little now (and as a matter of fact, they aren't going to pay for it, they are just going to point you in that direction).
Everyone should be real weary of a company that tries such disingenuous tactics to offload responsibility from themselves.
And, finally, 77 million people's personally identifying information from the US (roughly)? Well, there are 300 million people in the US comprised of about 100 million families. The potential is that they have provided the credit card, address, phone number, email addresses of nearly 3/4 of American families to cyber criminals to do what they will and leaving responsibility for cleaning that up to the credit agencies and you (by introducing you to an identity theft protection scam).
This is an incredibly important breach that should not be put off so lightly.

--
You can lead a man with reason but you can't make him think.
Re:Just wondering (don't think so) by tekrat · 2011-05-03 05:24 · Score: 2

Really? Then why haven't we seen any massive credit card fraud yet? Sony is claiming at over 10 million CC numbers were "stolen" and that was from a hack done more than 2 weeks ago.
If these were career criminals, why haven't we yet seen the horror stories of millions of dollars of goods shipped to Romania, with average joes holding the bag on the bill?
And why target Sony? Amazon would have far more data, as well as Facebook. Or, hack Microsoft's Xbox network which has more users in the USA. Why wasn't Nintendo targeted?
And if you're going to say that the perpetrators somehow knew that Sony's security was weak, then you're pointing to an inside job.
Sony appears to have been targeted because they are a bunch of douches. And judging by the low level of fraud so far, I'd say that the hackers are showing some restraint about harming the average joe while doing massive damage to Sony's image.
That doesn't sound career criminal to me, that sounds like vengeance from the user community after "Other OS" was removed.
Notice how the PS3 ads are off TV? They need to change their slogan to "It only does nothing".

--
If telephones are outlawed, then only outlaws will have telephones.
Re:BOYCOTT CORPORATE AMERICA by subreality · 2011-05-03 05:45 · Score: 1

So, when are all you losers going to wake up?
Corporate America just wanted your money, they don't give a crap about you, your rights to privacy, or even making an attempt at keeping your data secure.
If you purchased an American product in such a way that they've got your credit card number, you're at risk, and it doesn't seem to matter since when; since the beginning of the credit card. Hopefully, those of you using goods and services since the 1960s, only have expired credit cards to worry about, but anyone who has used credit cards recently is at more risk.
Throw out your modern toys. NEVER AGAIN purchase any products, do not buy their records, do not watch their movies, do not buy their headphones, MP3 players, e-book readers, or any of their other trash.
YOU MUST SEND A MESSAGE: I suggest even writing to the President of the United States if you're their customer and TELL THEM that you are boycotting their products and you are advising your family and friends to do the same.
You *can* live without their crap. Surprisingly, there's a world out there. With trees, grass, flowers, and girls. Put down the controller, sir, and step away from the TV.
Re:BOYCOTT CORPORATE AMERICA by subreality · 2011-05-03 05:53 · Score: 1

All jest aside, I never expected Sony to care about me, but I have been surprised by how brazenly customer-hostile they are. I have been boycotting Sony and spreading the word about just how crappy they are for the last several years.
Will the PS4 be cancelled? by Animats · 2011-05-03 05:55 · Score: 1

With Sony in so much trouble, with a loss of credibility, and with the Japanese semiconductor industry somewhat disrupted,will the PS4 be cancelled?
1. Re:Will the PS4 be cancelled? by Stupendoussteve · 2011-05-03 07:57 · Score: 1
  
  Doubt it. If you read the Sony blog comments, the majority of customers only care when the services are back up, not about the breach itself.
How did Sony get 0wned? by Anonymous Coward · 2011-05-03 06:20 · Score: 4, Insightful

After Sony's initial admission of the PSN breach, a lot of people pointed fingers of blame at the PS3 hackers without so much as a shred of evidence either way.
Now that it appears SOE was also penetrated at approximately the same time, I think it's fair to ask just where the penetration occurred, how much customer data was accessible across Sony's networks, and what (if any) internal safeguards were supposed to be in place. There could be multiple penetrations through several vulnerable points, but this looks even more coordinated and planned than initially suspected. If Sony hasn't investigated IT employees, it's time to start -- at minimum, someone has loose lips or careless behaviour. At worst, someone sold them out.
Re:Just wondering (don't think so) by theArtificial · 2011-05-03 06:41 · Score: 1

Really? Then why haven't we seen any massive credit card fraud yet? Sony is claiming at over 10 million CC numbers were "stolen" and that was from a hack done more than 2 weeks ago.
Perhaps there is a delay because reports will come from individuals not a massive company.

If these were career criminals, why haven't we yet seen the horror stories of millions of dollars of goods shipped to Romania, with average joes holding the bag on the bill?
Banks are pretty good at looking after their money. Haven't you ever had them contact you about suspicious purchases? I know of two people who have had multiple thousand dollar charges on their credit cards due to this. Interestingly enough one charge was at an Apple store for around $5000 which he joked would probably buy them two Ipads. The other works for Sony... go figure.

And why target Sony? Amazon would have far more data, as well as Facebook. Or, hack Microsoft's Xbox network which has more users in the USA. Why wasn't Nintendo targeted?
Perhaps how the hack was pulled off would shed some more light on this. Baseless speculation: Perhaps it has something to do with implicit trust of the client...

That doesn't sound career criminal to me, that sounds like vengeance from the user community after "Other OS" was removed.
" You mean that feature that was included so the PS3 could be classified as a computer to get it into certain countries under a different tax status which ultimately failed and they subsequently removed?

Notice how the PS3 ads are off TV? They need to change their slogan to "It only does nothing".
It only does identity theft.

--
Man blir trött av att gå och göra ingenting.
I've actually seen spam related to this by blair1q · 2011-05-03 06:47 · Score: 1

I couldn't tell if the spam was a result of an account of mine being revealed by Sony (I don't even recall having one, but who knows in this age of demanding accounts be created to access basic information at every website) or if the spammer was merely spoofing having the information. They used "playstation.sony.com" as the hostname in their certainly phony email address, so they're intimating something.
The email consisted of a few random characters (letters and digits) in the subject and a couple mroe in the body. Almost certainly a bounce-test. Likeley winnowing the database to improve its price on the market.
But, anything that can be bounce-tested can be traced to its source. I say we send in the SEALs when they get back from their two-week hookers, booze, and cigars mission.
Re:Phishing? already? by Stupendoussteve · 2011-05-03 07:47 · Score: 1

77 million is worldwide, not in the US (Xbox Live is only 25-30 million worldwide, and it's considered more popular in the US). Sony has already stated they will be helping with identity theft protection services, though what kind of assistance they will be providing is unknown at this point.
Oblig: Star Wars line ... by RockDoctor · 2011-05-03 19:36 · Score: 1

I feel a disturbance in The Force ....
Like a million souls crying out
"This is no surprise."
(You can tell that I'm not a great SW fan.)

--
Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
Institutional Stupidity or Laziness by Mephistophles · 2011-05-04 03:28 · Score: 1

PCI/DSS standards clearly dictate that all customer data, when "at rest" (i.e. on disk, in a database, etc.) needs to be encrypted: https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf: "Do use strong cryptography to render unreadable cardholder data that you store, and use other layered security technologies to minimize the risk of exploits by criminals" That Sony (and all the other businesses and institutions that have been hacked, left laptops to be stolen, etc.) doesn't do this is inexcusable. Had this data been properly encrypted, it would have been unusable to anyone. It's trivial to incorporate this encryption as a part of the design.