Sony Breach Gets Worse: 24.6 Million Compromised Accounts At SOE
An anonymous reader writes with an update to yesterday morning's news that Sony Online Entertainment's game service was taken offline to investigate a potential data breach related to the PSN intrusion. SOE has now said that they too suffered a major theft of user data.
"... personal information from approximately 24.6 million SOE accounts may have been stolen, as well as certain information from an outdated database from 2007. The information from the outdated database that may have been stolen includes approximately 12,700 non-US credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, Netherlands and Spain."
They are just pissed that somebody stole a lot of personal data, and took over a bunch of computer systems, and it wasn't them.
All of those folks who decided to boycott Sony over any one of the rootkit fiascoes should be feeling a bit superior right now.
Hey guys, let's keep around credit/debit card billing data from 2007 all online. Deleting it after 6 months of inactivity could hurt sales!11! There's no cost to keeping it around, nothing that would pass an accountant anyway. Let's pay ourselves a bonus for our forward thinking.
I haven't played everquest since 2002 and I got a notice. Luckily for me all that credit card information is outdated and wrong. Even the mailing address is wrong. How someone was able to access this data is beyond me. I cannot, for any reason, think of any justification Sony could have to store something in a manner that a developer could access at this level.
Sony is going to have one hell of a class action lawsuit on its hands.
At this point, I'm almost surprised the password wasn't stored in plain text. Then again, given the magnitude of the breach, I'm betting on it not being very hard to break the hashed password.
Fear is the mind killer.
If the person who stole the SOE accounts could get in contact with me, I've been trying to reset my SOE password for 2 months now, and it hasn't worked. Could you tell me what my password is?
I've actually seen a surprising lack of "I told you so". I figured it would be every second comment at this point...
LOL! I'm with you there. I have a PS3, I plugged it into the net. Halfway through reading the Sony online licence agreement I unplugged it vowing never to plug it in again. I don't recall what it was that set me off exactly, it was years ago, but I haven't changed my mind.
A journalist friend of mine has suggested the possibility that Sony is staging this "hacker" attack as a fortuitous propaganda stunt to make hackers look bad and possibly cover up a real infrastructure problem caused by Sony itself.
Can't say it doesn't sound reasonable, after all, they are capable of writing and distributing viruses.
This is very wrong. As far as anyone can know there is no correlation between the GeoHot affair and this one. Also if that personal data is exposed it'd harm large parts of that same community. Unless this id theft was organized only to prove a point (which is very very unlikely imo), this is no more than a plain theft. As in made by criminals. Only upside is that it exposed security issues, maybe as a lesson for the future. Or maybe not.
Did you miss the first line of TFA?
"An anonymous reader writes with an update to yesterday morning's news that Sony Online Entertainment's game service..."
I think I'm getting a sense of what might be going wrong with high-frequency trading...
Help! Help! I'm being repressed!
I haven't done business with Sony Online Entertainment at all for over a decade, and I'm apparently affected. I subscribed to Everquest way back in the day, but dropped somewhere around 2001. I just yesterday got an email from them that my personal information had been lost. So, don't feel so superior...even if you started boycotting them over the rootkits, they kept your information from before then, and then lost it to hackers.
Of course they are! The only thing that outnumbers Slashdot community members' tin foil hats is their feeling of superiority and smugness! (I'm only half joking)
"Our opponent is an alien starship packed with atomic bombs. We have a protractor."
Please, a true Slashdotter doesn't even finish reading the headline before posting.
So is death, what is your point?
Be Aware, Protect, Defend. This has not changed since Man has become self aware.
I'm one of those who have been boycotting Sony since the rootkit fiasco but I'm not going to get preachy about it. For me, it's not some kind of crusade to get them to mend their ways or die, it's actually rather pure self-interest - I just know that they can't screw me over. I do wish a few more people would take note and Sony would mend their ways as a reaction. They used to be a decent company, their hardware was always top notch and I loved the PS1, it's just a bit sad to see them go down this route of profit above all.
Belong too? Another victim of Muphry's Law.
Seven puppies were harmed during the making of this post.
A journalist friend of mine has suggested the possibility that Sony is staging this "hacker" attack as a fortuitous propaganda stunt to make hackers look bad and possibly cover up a real infrastructure problem caused by Sony itself.
While it makes *some* sense, I don't buy it.
My feeling is that this whole fiasco is hurting Sony's bottom line more than the whole hacker-awareness / scapegoat thing could even provide in the long-term.
They're losing a lot of customer trust and customer loyalty, and I have to assume this is hurting their stock price. Once is a shame, twice (so close together) is a disaster.
While it's true that companies probably want to shine a large spot-light on hackers, identity theft, etc there has to be some risk management. If this were true, then Sony is performing a kamikaze with way too many aspects to be worth it even in the long term.
Nevermind...I didn't check the address. Just phishing.
I object to power without constructive purpose. --Spock
A journalist friend of mine has suggested the possibility that Sony is staging this "hacker" attack as a fortuitous propaganda stunt to make hackers look bad and possibly cover up a real infrastructure problem caused by Sony itself.
While it makes *some* sense, I don't buy it.
Agreed. It just does not sound plausible. Sometimes it's fun to attribute stuff like this to some scheming corporate overlord, sometimes what appears to be a poorly handled public relations nightmare is, in fact, a poorly handled public relations nightmare.
First of all, you need to remember who's running this country, and it's not us. It's big corporations like Sony. They can essentially screw all of us with impunity and if they go too far, the government gives them a slap on the wrist as a show of good faith to the people.
Consider the SEC. When they fine some trading company $20million for some illegal trading activities, do you really think that's a big deal? Of course not because the company made $100 or $200 million doing the illegal trade. To them, the fine is a cost of doing business. It's the kickback to their partner in crime, the government.
You're not going to get much out of Sony. And the government won't force much out of Sony. You have only one way of controlling this issue, and that's to vote with your wallet and stop buying *anything* connected to Sony. That means even carefully picking what movies you see this summer.
Only if Sony was to suffer considerable losses by people abandoning them en masse would they ever get the hint. But as long as they are profitable, they can continue to screw their customers, because their customers keep buying their shit. It's like you WANT to be tortured.
If telephones are outlawed, then only outlaws will have telephones.
I would lay my bet on "Sony doesn't want to tell anyone how bad it is" until they are required to do so. This is very much the same pattern of behavior we see with the Fukushima nuclear plant. Please believe me when I say that this behavior is quite typical of Japanese companies. It is not "diabolical" as you may think but is instead considered "wise" not to share information that is not required and may be potentially damaging to the company.
But to Sony I say "FEAR YOUR CUSTOMERS." You are not in control as much as you seem to think you are. They control the dollars in their pockets (though not necessarily those in their bank or credit accounts as you well know) and they choose what they buy from you. And when you make them angry, and you never know exactly who you are making angry, these anonymous customers, you just might make some who are dangerous to you very angry in the process.
I am guessing that this is a very focused attack on Sony. Was it because of their shoddy products? Their involvement in the recording industry? Their abuse of customers in general? It could be any or all of these things or more. So yeah, Sony... you forgot "the customer is always right" and that happy customers are your best customers.
And if other companies haven't figured out by now, "you are next" if you don't start taking care of your customers and keep abusing them as you do. I am speaking to AT&T, Verizon and any other company that is known for being abusive to customers. Just wait and see.
I'm just glad I pulled away from Sony so long ago. I didn't have much if any data at risk this time around, so I'm good to go for now. It's all good entertainment for me at the moment.
I love the way corporations do this, just wait for a big news story (Osama's dead) and then start releasing the full extent of the disaster. The same principle worked for the cigarette companies. They were set to be torn apart for lying about the dangers of smoking and genetic modification to increase addiction, then along came 9/11 and all was forgotten. All you got to do is stonewall until a bigger problem comes along.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Cancelling your card is NOT the same as cancelling the service that you were paying for with the card.
They may just send the debt collectors around instead.
If you want to cancel a service, make sure you do just that. Cancelling the card is good too, in case they don't manage to stop taking payments, but it's not a substitute.
blog.sam.liddicott.com
So, when are all you losers going to wake up?
Sony just wanted your money, they don't give a crap about you, your rights to privacy, or even making an attempt at keeping your data secure.
Personally I'm more annoyed at the people that performed the hack than Sony. Granted Sony has lost what little company loyalty I had, I already stopped buying most of their products.
But in this case it's the perpetrators that make me angry. It's one thing to screw with a company, it's another to screw with the average Joe that just wanted to play the latest Ratchet and Clank episode.
Name, address, birthdate, credit card number... that's more than enough for identity theft. Meaning not only do I need to take emergency steps on top of my pro-active steps, but I have the extra worry if it will be used.
If this was flat-out theft, then that stinks.
But if this was about "fighting the man," then what's the point of fighting "the man" if you trample all over the little guys to do it?
So if I bought a Sony Blu-Ray player a while back, and had to create an account on their site to "access" the device, it appears that account I created has been compromised.
We play the game with the bravery of being out of range
Sony did mend their ways. After the rootkit fiasco for sure, but after most of the other bonehead moves as well. They apologized and promised to do better and all that, like they all do.
But, like they all do, over time the same forces that led them to this will lead them there again. Corporate structures being what they are it simply isn't possible to communicate an intangible risk like 'what if a hacker breaks in and copies all our data' well enough to garner the kind of funding to implement real security. At least not at a company the size of Sony. And certainly their users have proven that at every turn they are willing to sacrifice security for convenience and price and features. This site has a Sony gaffe poll on the front page, and the readership is better educated about tech issues than most, yet how many PS3s per capita do you think there are here?
So Sony has little motivation to really change and I doubt they are alone in having lax security.
I am looking forward to the show they will put on after this is over. Figure they will hire Bruce Schneier and Theo de Raadt. Fireworks. Maybe a hovercraft pulls up to Sony HQ and the team that took Bin Laden pours out, sets up a perimeter. Sony's CEO stomps onto the stage in a mecha and declares war on hackers. It is going to be amazing.
"Sacrifice for the good of The State" - The State
What's really funny is that this whole fiasco would have never happened if Sony hadn't decided to disable the OtherOS function on existing PS3s. This led to hackers breaking open the PS3, which hadn't happened so far because the people who were capable of such feats were happy with OtherOS - and then, it seems that with hacked PS3s, the Sony Online servers were hacked relatively quickly.
Just imagine - if they hadn't pulled that crap with OtherOS, the PS3 could probably have gone unhacked until it was retired and replaced with the next generation Sony console.
So our choices are, "It's those nasty, evil, hackers... taking advantage of Sony's (obviously) inadequate security"... or "It's Sony's (obviously) inadequate security... attracting those nasty, evil, hackers." Meh. Either way, Sony blew it, and doesn't deserve to be trusted anymore. We should have learned with the whole rootkit fiasco, but we do like our gaming... apparently more than our credit cards.
wow man that's harsh. you're saying that if a company doesn't give you good customer service, then somebody will hack the company, steal millions of account records, and cause millions if not more in damages and lost business?
If he's not, I will: yes, that's exactly correct. When companies piss enough people off, someone goes gunning for their servers. Neither erroneus nor I are claiming that this is the correct, moral, or legitimate response, just that it's a likely outcome. Sony and their peers have worked hard to remove all legitimate means of redress, and now people are pursuing the only avenues left open to the average guy without a few megadollars to futilely pursue them in court. What else would you expect to happen, really?
Dewey, what part of this looks like authorities should be involved?
Really? Then why haven't we seen any massive credit card fraud yet? Sony is claiming that over 10 million CC numbers were "stolen" and that was from a hack done more than 2 weeks ago.
If these were career criminals, why haven't we yet seen the horror stories of millions of dollars of goods shipped to Romania, with average joes holding the bag on the bill?
And why target Sony? Amazon would have far more data, as well as Facebook. Or, hack Microsoft's Xbox network which has more users in the USA. Why wasn't Nintendo targeted?
And if you're going to say that the perpetrators somehow knew that Sony's security was weak, then you're pointing to an inside job.
Sony appears to have been targeted because they are a bunch of douches. And judging by the low level of fraud so far, I'd say that the hackers are showing some restraint about harming the average joe while doing massive damage to Sony's image.
That doesn't sound career criminal to me, that sounds like vengeance from the user community after "Other OS" was removed.
Notice how the PS3 ads are off TV? They need to change their slogan to "It only does nothing".
If telephones are outlawed, then only outlaws will have telephones.
After Sony's initial admission of the PSN breach, a lot of people pointed fingers of blame at the PS3 hackers without so much as a shred of evidence either way.
Now that it appears SOE was also penetrated at approximately the same time, I think it's fair to ask just where the penetration occurred, how much customer data was accessible across Sony's networks, and what (if any) internal safeguards were supposed to be in place. There could be multiple penetrations through several vulnerable points, but this looks even more coordinated and planned than initially suspected. If Sony hasn't investigated IT employees, it's time to start -- at minimum, someone has loose lips or careless behaviour. At worst, someone sold them out.