Forgot your password?
typodupeerror
Sony Privacy Security

77 Million Accounts Stolen From Playstation Network 645

Posted by CmdrTaco
from the oh-yeah-this'll-be-fine dept.
Runaway1956 was one of many users to continue to update us about the intrusion we've been following this week. "Sony is warning its millions of PlayStation Network users to watch out for identity-theft scams after hackers breached its security and plundered the user names, passwords, addresses, birth dates, and other information used to register accounts. Sony's stunning admission came six days after the PlayStation Network was taken down following what the company described as an 'external intrusion'. The stolen information may also include payment-card data, purchase history, billing addresses, and security answers used to change passwords, Sony said on Tuesday. The company plans to keep the hacked system offline for the time being, and to restore services gradually. The advisory also applies to users of Sony's related Qriocity network."
This discussion has been archived. No new comments can be posted.

77 Million Accounts Stolen From Playstation Network

Comments Filter:
  • steals everything.
  • passwords? (Score:5, Insightful)

    by jaymz666 (34050) on Wednesday April 27, 2011 @11:02AM (#35952952)

    Seriously? They were storing passwords in a way that could be unencrypted?

    • Sad face :/ I guess I should cancel my credit card too.

    • by fuzzyfuzzyfungus (1223518) on Wednesday April 27, 2011 @11:15AM (#35953166) Journal
      My DARE officer told me that hash is illegal, and my health teacher says that salt causes high blood pressure...
    • Might not be bad... (Score:4, Interesting)

      by Junta (36770) on Wednesday April 27, 2011 @11:20AM (#35953242)

      There are two schools of thought here...

      If the passsword is stored as a hash on the server, then it is more resistant to attacks against the storage of the server. However, this does require the password be transmitted over the wire in one way or another on every connection. A man-in-the-middle attack with ip spoofing or dns cache poisioning has a non-trivial shot at compromising the password.

      If the password is stored 'in the clear' on the server side and treat the password as a shared secret, then *if* you design the authentication right, you render man in the middle infeasible with the tradeoff of storage attack being a large exposure. A common scheme is to have client have a packet, concatenate with the password, calculate hash, then strip password before transmit. Server then repeats calculation and only accepts payload if secret matches. Usually, server responses are protected the same way, meaning only the server you *meant* to talk to can meaningfully respond because it needs your password to calculate correct hash responses.

      All that said, it's also entirely likely that Sony has crypted hash passwords, but it's safer to say 'your password is compromised', because of how many users have passwords like 'yourmom65' rendering the hashing pointless.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        actually, you can store the password as a hash _and_ not transmit it in clear for authentication...

        1. server has hashed pw + salt1
        2. server randomly generates salt2, sends salt1 and salt 2
        3. client calculates x == hash(hash(pw, salt1), salt2)), sends it to server
        4. server calculates hash(hashed pw, salt2) and compares to x

        result: server has hashed pw and pw is never transmitted in clear...

      • by traindirector (1001483) on Wednesday April 27, 2011 @11:36AM (#35953486)

        If the password is stored 'in the clear' on the server side and treat the password as a shared secret, then *if* you design the authentication right, you render man in the middle infeasible with the tradeoff of storage attack being a large exposure.

        And why couldn't a hash of the password be used as a shared secret? As long as the client can do the hashing, I see no reason the hash couldn't be used in place of the original password.

        As a potential answer to my own question, maybe they wanted to make sure their log in form would work on a web browser without scripting.

        • by Junta (36770)

          Because then the 'hash' becomes the 'password' for all intents and purposes, bringing you right back to square one: your password is stored 'in the clear' on the server. Even if not keyboard friendly, an attacker gives not much of a rat's ass about that detail.

      • by bigjocker (113512) *

        This is nonsense. You can double hash passwords. That's the correct way:

        plaintext: 1234
        salt: xyz
        salt+plaintext hash: opqr
        you store on DB: xyz-opqr

        when the user requests the login page, the server creates a new salt, stores it in the session (server side) and sends the two salts to the client (session one and DB one):

        server extracts salt from DB: xyz
        server creates a session salt: abc
        client receives session salt: abc
        client receives DB salt: xyz
        user enters password: 1234
        client hashes using DB salt: opqr
        1st has

  • DRM (Score:3, Funny)

    by UninformedCoward (1738488) on Wednesday April 27, 2011 @11:02AM (#35952962)

    Hows that online requirement DRM working out for you guys?

    ~UC

  • by elrous0 (869638) * on Wednesday April 27, 2011 @11:03AM (#35952970)

    They're calling it an "unexpected mass friendship opportunity."

  • SonyDownhill (Score:3, Interesting)

    by thestudio_bob (894258) on Wednesday April 27, 2011 @11:04AM (#35952974)

    Gee, Sony just catch a break lately. I'm wondering if they are going to be asked to appear before the US Senate to explain their actions, just like Apple and Google? I think this is a little more serious than just tracking my phone location.

  • Unencrypted = Stupid (Score:5, Informative)

    by Bloodwine77 (913355) on Wednesday April 27, 2011 @11:04AM (#35952978)
    It amazes me that a company as large and established as Sony would make such a boneheaded move as storing sensitive information in plaintext. Passwords and answers to secret questions should always be hashed. Credit card information and other sensitive information should be encrypted (preferably AES-256 or stronger).
    • by drinkypoo (153816) <martin.espinoza@gmail.com> on Wednesday April 27, 2011 @11:07AM (#35953028) Homepage Journal

      We need laws for this crap now. Someone doesn't even try to use adequate obfuscation, they are accessories. Specifically, for protection of SSNs (yes I know the fact that they are good for so much is stupid, but we live in reality) and credit card numbers, and anything else equivalent.

      • by Anonymous Coward on Wednesday April 27, 2011 @11:48AM (#35953682)

        Yes, I trust Congress to make laws that will cause secure implementations to be made.

        Remember, these are the guys who can't make a tax code that requires companies to actually pay _any_ tax on billions of dollars' of income.

    • by 0123456 (636235) on Wednesday April 27, 2011 @11:07AM (#35953030)

      Why are you surprised that big companies would do stupid things? Particularly one who thought that installing rootkits on peoples' computers when they played a CD was a pretty darn cool idea?

    • by alen (225700)

      Engineer - yes we can make it secure, we just need another 3 months to code and test it

      PHB - no way, XBL is kicking our a$$. we release tomorrow. we'll just add a firewall and use the cloud to secure the data

    • I'm assuming that the credit card portion of the system had to pass PCI DSS tests, which would presumably mean some form of encryption in use. Presumably, though, it didn't preclude some sort of boneheaded-but-efficient(since, after all, PSN CC information would presumably be being retrieved a lot for casual game purchases and the like) storage of the keys/credentials in some vulnerable spot.
    • by Random2 (1412773)

      RTFA?

      Likely does not mean certainty. Stop hyping speculation.

    • by blueg3 (192743)

      Passwords should be stored as hashes, yes. Answers to secret questions can only really be stored as hashes if you insist on people reproducing spelling, capitalization, and punctuation accurately and you don't intend to use the secret questions for over-the-phone authentication. Other sensitive information can be encrypted, but obviously an automated system that *uses* that information must have access to the encryption key necessary to decrypt the data. Sure, you can have your database and the system that

      • by _0xd0ad (1974778)

        Answers to secret questions can only really be stored as hashes if you insist on people reproducing spelling, capitalization, and punctuation accurately and you don't intend to use the secret questions for over-the-phone authentication.

        Spelling - yes; but capitalization and punctuation can just be ignored. Strip punctuation, convert to all-lowercase, then hash.

    • by rsmith-mac (639075) on Wednesday April 27, 2011 @11:26AM (#35953338)

      To give Sony all the credit they deserve (however little it is), the sensitive records like passwords probably weren't stored in plaintext.

      It's standard operating procedure at most companies to treat any data breaches as if the data was plaintext and will be immediately exploited. Once the hackers have taken the data, you have no way to tell if they have a way to decrypt/reverse it or not, so you simply assume they do.

      At the same time.almost no one feels like explaining to users what password hashes are and why their data is probably safe, so the public announcements always reflect the assumption above and present the worst case scenario to users, and maybe encryption is mentioned somewhere. Whether the data was decrypted or not, if you say it was then you've covered your ass. It's not as if most laypeople believe that the encryption will hold anyhow.

      In short, Sony's pretty damned stupid, but whether anything was encrypted or not they're going to treat it as if it wasn't, and their warnings are going to reflect that. Just because they aren't talking about it being encrypted doesn't mean it was stored in plaintext. The resolution is the same either way: assume the bad guys have it in plaintext form, and watch your credit reports.

    • by Junta (36770)

      Passwords and answers to secret questions should always be hashed

      Does approximately zero good if 90% of your users have trivial passwords. In fact, 'secret answers' will almost *always* be simple, one-word english text, rendering hashes meaningless. Even if Sony did do hashing, they are going to keep it simply and say "you're screwed" to avoid setting expectations high for people with crappy passwords.

      Credit card information and other sensitive information should be encrypted (preferably AES-256 or stronger).

      If you compromise a running system, then many bets are off here. They could have done this and either:
      -Every user logged in at the time had their password in memory so t

    • by vlm (69642)

      It amazes me that a company as large and established as Sony would make such a boneheaded move as storing sensitive information in plaintext.

      If you remove the assumption that they were owned the same day they were shut down, the logical result is they got owned 77 million card entries ago... Sniff and store each new CC... Months / Years later they get noticed, oops.

      That would also fit with why they didn't restore from backups onto bare metal on day one and be back online within 24 hours. If the backups, going back months or years, are all perfect backups of the infection...

    • by Sir_Sri (199544)

      we don't know how any of their data was stored, or accessed. That's sort of the problem; Sony isn't talking, which is leading to wild speculation, including yours.

  • by Anonymous Coward on Wednesday April 27, 2011 @11:04AM (#35952984)

    I posted this in the last thread, but PSN users are already seeing their credit cards being fraudulently used! [vgn365.com]

    So if you're affected, CANCEL YOUR CARD!

    It's not a possibility anymore, it's a certainty.

    • by Junta (36770) on Wednesday April 27, 2011 @11:30AM (#35953400)

      In a world with plenty of well understood crypto schemes like public-private key systems where you can prove yourself without a shared secret... why the hell do we trust so much of our wealth with a trivial to see/copy account number being tossed around like crazy?

    • by RobDude (1123541) on Wednesday April 27, 2011 @11:34AM (#35953448) Homepage

      That seems a little extreme.

      You aren't liable for fraudulent charges. And until Sony sends you a certified letter stating that your credit card was compromised you don't know that your card was. I'll just wait until I see a fraudulent charge, then make a 10 minute phone call and have a new card/number mailed out to me. The biggest pain is updating the reoccurring bills/payments.

      Even if they had access to your credit card number you don't know what they are going to do with it. Sell it? Maybe. Or maybe they are just using this to piss off Sony. And, according to Sony, they only have the credit card #s - not the CVV or CV2 code. So, it would be reasonably difficult to make a purchase.

      I'll alert Capital One as soon as I see a fraudulent charge.

      • by _0xd0ad (1974778)

        Yeah. More worrisome is the fact that if it is a debit card, the money is gone before you can even contest the charge.

        For a credit card, I'd probably wait it out and hope for the best. A debit card, though, would best be cancelled immediately.

      • Re: (Score:3, Informative)

        by bendytendril (1281160)
        I received fradulent charges the day after this occured. My bank called me and I had to cancel my card.
      • And, according to Sony, they only have the credit card #s - not the CVV or CV2 code. So, it would be reasonably difficult to make a purchase.

        Absolutely. It's well beyond the ability of any petty criminal to buy a magnetic strip writer from eBay and put the stolen card numbers onto blanks / gift cards / any magnetic strip card. This was never done before internet purchases requiring CVV / CV2 codes became commonplace, and hardly anybody used cloned cards to withdraw cash at ATMs. Plus, store clerks always check the receipt card number against the one printed on the card itself, because they're vigilant pillars of the community.

      • by mkraft (200694) on Wednesday April 27, 2011 @12:29PM (#35954214)

        The CVV or CV2 codes aren't required to make purchases in all places. Yes, for most cards you aren't liable for fraudulent purchases, but the money has to come from some where so the credit card companies end up taking a hit and they raise their rates. Besides if you know your card number might have been stolen and don't report it, you might end up having to pay for fraudulent charges since at that point it's basically your fault for not telling the credit card company.

        More importantly, the hackers also have your name, address and birth date. That information is nearly enough info, combined with the credit card information, to have your card canceled and another one issued to them. They could initiate a USPS change of address (since they have your name and address) to wherever they want, call your credit card company to have a new card sent out and then simply activate that card when they get it.

        It's much easier to preemptively have your credit card company reissue a card now, then try and go clean up a much more complicated mess in the future. That's what I did and my credit card company said that was a smart move on my part.

      • by berwiki (989827)

        You aren't liable for fraudulent charges.

        There are all sorts of exceptions to that rule. The first most common is that you have a certain period of time, generally only a few days, to find and report such fraudulent charges or you will not be refunded 100%. (do you check your transactions every day while on vacation?) Second, what if they used a Debit card and their checking account was emptied. Sure, they might eventually get their money back, but it could take a month or more.

        So yea, this might actu

    • by DaveGod (703167)

      Bearing in mind of course... Say 70m PSN users, lets assume that 50% of them had credit cards on there and that the average frequency of credit card fraud generally is once per person every 20 years (no, I couldn't be bothered looking for a real statistic, or using real math).

      In the week or so since the breach, the average person would have had an approx 1/(20*52)= 1 in 1040 chance of incurring fraud anyway.

      Therefore chances are during that week we could anyway have expected around 1/1040 * (70m * 50%) = 33

  • Leaving PSN Down (Score:5, Interesting)

    by TheNinjaroach (878876) on Wednesday April 27, 2011 @11:12AM (#35953100)
    I think the fact Sony has left the PSN in a completely disabled state for the past week could hint at some internal problems with disaster recovery. Their servers have been compromised and can no longer be trusted. In my world, that's a perfect time to re-build your systems from a pristine backup. So why doesn't Sony patch the vulnerability and deploy new servers? Perhaps it's because they don't have any good backups to restore from..
  • Fallout (Score:5, Insightful)

    by Canth7 (520476) * on Wednesday April 27, 2011 @11:13AM (#35953128)
    More interesting to me than how the intrusion occurred or how lax Sony's security practices are will be what the public backlash level is like. IT security departments tend to whip up a frenzy with the potential for "end of the company" concerns for data breaches on a regular basis. However, reality is that data loss doesn't always seem to have a particularly negative effect for the company that loses the information. Point in example would be the TJX data loss - http://it.slashdot.org/story/07/03/29/1618239/TJX-Is-Biggest-Data-Breach-Ever [slashdot.org]. Somehow this hardly seems to have put a dent in corporate profits. TJX's stock is up 100% since 2006 when the breach occurred. http://www.google.com/finance?q=tjx [google.com] Point being is, if nothing seriously negative happens to Sony then it's no wonder that firms continue to have poor security practices. After all, why bother spending the effort and money to secure data when there is no return on the investment?
    • Re:Fallout (Score:5, Interesting)

      by X.25 (255792) on Wednesday April 27, 2011 @12:55PM (#35954614)

      TJX's stock is up 100% since 2006 when the breach occurred. http://www.google.com/finance?q=tjx [google.com] Point being is, if nothing seriously negative happens to Sony then it's no wonder that firms continue to have poor security practices. After all, why bother spending the effort and money to secure data when there is no return on the investment?

      Many years ago, I was in a meeting with heads of a bank, discussing their need for penetration testing, auditing, etc.

      So, after all that talk, one guy simply asks:

      "Why would we spend dozens and hundreds of thousands of dollars on security services/products/staff, when it costs us 200 dollars to issue few press releases that claim how no valuable data was lost, and everything will be just fine?"

      I had no answer to this.

      That's why in 2011. we are witnessing things like this.

      That's why in 2011, Sony will still be determined to be PCI/DSS compliant, although they probably don't satisfy 50%-70% of requirements.

      It's because they don't give a fuck and don't care. There is nothing you/we can do to them, they are on the top of the food chain.

      Because humans are greedy, like flashy toys and are too blind to see what's happening in front of their eyes.

      Oh well, back to work :)

      • by AK Marc (707885)
        That's why the free market fails and the government must step in. It costs more than $200, but because banks have successfully convinced people that "bank fraud" should be blamed on the customers of the banks (calling it "identity theft"). But if the externalities are forced to be accounted for by the government (people suing for their inconvenience and fines from the government), then they'll have to re-think their policies. But it will take nothing less than government action for companies to take thin
  • by fhage (596871) on Wednesday April 27, 2011 @11:15AM (#35953170)
    I wonder if Sony regrets waving the red flag. http://news.cnet.com/8301-13506_3-20050310-17.html [cnet.com]. Anybody heard from geohotz in the last few days?
  • sony is never going to do what is in the users interest.
  • The only reason it probably hasnt happened yet is their system is hacker-resistant being based on COBOL and 9-track tapes. IRS and SS both have legacy systems.
  • This is Sony we're talking about - they will of course have installed in a rootkit into the data... ;)

  • Whilst I have read a lot of people pointing fingers at Sony and jeering them for this breach, some of the more savvy commentators are now asked how safe ANY online data really is.

    Suppose you really did have a situation where the user's personal details and CC data were encrypted. Would you actually just put a press release along the lines of:

    "Yeah, we got hacked. The hacker downloaded 77 million account details, all of which was AES secured. Nothing to see here, move along."

    Or, would you tell people to de

  • Stolen? (Score:2, Insightful)

    by blueg3 (192743)

    Was the sensitive information deleted from Sony's system, denying them access to it? If not, how is that stealing? I thought the People of Slashdot were against calling it "stealing" when information is merely duplicated without taking access away from the original holder?

    • When we are talkin about metallica's "Sandman" it's ok to start getting nitpicky over the details. When some jerk just stole my credit card info on the the other hand...

    • by The Moof (859402)
      The last time I checked, my identity couldn't be stolen with a copied MP3.
      • by blueg3 (192743)

        If someone steals your identity, do you no longer have it? Who are you then?

        • Re: (Score:3, Insightful)

          by Kielistic (1273232)
          Kind of. A personal identity is singular and is assumed to only exist for one person. If one person uses an identity it is assumed another is not.

          Also using another's identity most certainly can and does bring harm to the creator/originator of that identity.
        • by The Moof (859402)
          Sort of, via my credit score. They use my identity to use my credit, not a copy of it. Anything they do to damage my credit becomes my burden to bear, not reflected on a copy of it. Credit isn't something that can be copied like a file.
  • by straponego (521991) on Wednesday April 27, 2011 @11:28AM (#35953378)
    So what are the ramifications for Sony if they violated PCI standards?
  • by unity100 (970058) on Wednesday April 27, 2011 @11:46AM (#35953652) Homepage Journal
    You have sued hotz, harassed those who modded/jailbroke your devices, suppressed hotz, and .....

    'some' people basically handed your ass over to you in a different fashion ?

    in the end, it seems you have annoyed far more dangerous circles in the internet hacker underground than the jailbreakers/mod hackers.

    enjoy. and next time, remember that it is not good to treat people like cattle, and suppress/repress them.
  • by Gorkamecha (948294) on Wednesday April 27, 2011 @12:23PM (#35954148)
    I've been robbed, and I'm not even sure what they have stolen. I've had my PS3 for years, it collects dust most of the time lately - But I'm sure I setup a PSN account back in the day. So, I know they have some data. I have a pretty good idea what that data is - But I can't be sure. And since their site is down, I can't go in and check. Wonderful. And I'm getting this info from the media - Where's my letter saying "Hey, we got robbed, they took this and it was yours." Or some sort of note. Anything. Sony...Hello?
  • by X.25 (255792) on Wednesday April 27, 2011 @12:36PM (#35954312)

    So, you peek into PS3 internals, you get slapped with lawsuits, police raids your home and they send army of lawyers after everyone.

    Someone steals 77m accounts from Sony, all they have to say is basically...

    Sorry?

    Fuck you Sony.

The more cordial the buyer's secretary, the greater the odds that the competition already has the order.

Working...