
Sony Breach Gets Worse: 24.6 Million Compromised Accounts At SOE 242

Posted by Soulskill
from the over-100-million-served dept.
An anonymous reader writes with an update to yesterday morning's news that Sony Online Entertainment's game service was taken offline to investigate a potential data breach related to the PSN intrusion. SOE has now said that they too suffered a major theft of user data. "... personal information from approximately 24.6 million SOE accounts may have been stolen, as well as certain information from an outdated database from 2007. The information from the outdated database that may have been stolen includes approximately 12,700 non-US credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, Netherlands and Spain."
  • by Dunbal (464142) *
    This is what happens when someone manages to jump the fence of your "walled garden".
  • They are upset... (Score:5, Insightful)

    by houstonbofh (602064) on Tuesday May 03, 2011 @08:20AM (#36009170)
    They are just pissed that somebody stole a lot of personal data, and took over a bunch of computer systems, and it wasn't them.
    • by eepok (545733) on Tuesday May 03, 2011 @11:05AM (#36011052) Homepage

      How did this get modded "5, Insightful"? Are those who modded this post agreeing with sentiment (Sony hate) or do they actually believe Sony Online Entertainment wants to steal personal data?

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Probably has something to do with Sony's reputation before these breaches were known.

        http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal

  • Best Practices (Score:5, Insightful)

    by Anonymous Coward on Tuesday May 03, 2011 @08:22AM (#36009184)

    Hey guys, let's keep around credit/debit card billing data from 2007 all online. Deleting it after 6 months of inactivity could hurt sales!11! There's no cost to keeping it around, nothing that would pass an accountant anyway. Let's pay ourselves a bonus for our forward thinking.

    • Re: (Score:3, Interesting)

      by mwvdlee (775178)

      It's probably tax laws requiring them to hang on to all financial transaction details for a number of years.

      • Re:Best Practices (Score:5, Insightful)

        by capnkr (1153623) on Tuesday May 03, 2011 @08:59AM (#36009484)
        They could *easily* do that in a manner which did not allow for the data to be 'net accessible, and therefore exploitable or fairly easily stolen if their network system became compromised. They could have kept it on non-networked (or non-running) machines, external/removable digital storage, dead-tree hardcopies in a file drawer or stack of boxes... There's no need to have that sort of data instantly - or even very easily - available.
      • by Jawnn (445279)

        It's probably tax laws requiring them to hang on to all financial transaction details for a number of years.

        No, it isn't. Think harder...

        • Not only that, but the relevant purchase information, even including the type of CC and the last 4 of the card number would be enough... it's not like businesses keep track of the serial numbers for every cash bill that crosses a register... It's simply a horrible concept. If they allowed for partial refunds, then keeping the information long enough for a refund, fine. If they have recurrent billing.. this should be a walled system (software tier, not just layer) that has a simple API for the front end sy
          • by GooberToo (74388)

            It bugs me to no end that programmers, architects and CS engineers will design a software system that pretty much ignores having physical separation of service tiers for things like this.

            Frequently it's someone who is completely out of touch with technology and paid 10x more who makes these mandates of engineers.

    • by ProppaT (557551)

      There's a number of websites, including Amazon.com, that have a crapload of old expired credit cards of mine on file. I don't care, they're expired and I'm too lazy to delete them. On the plus side, they also have all of my addresses from the past 10 years stored...which has actually been a life saver in the past when I couldn't remember an old address :p

      • by praxis (19962)

        Amazon does their due diligence in storing the numbers though. Payment information is tokenized in a separate service and not accessible on the network. Only one-way "please charge instrument with alias X Y amount of Z currency" requests go to a proxy service.
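The separation praxis describes, as an added example that is not from the thread and not Amazon's code: a hypothetical `CardVault` is the only component that ever holds a full card number, and the `Storefront` keeps just an opaque alias plus the brand and last four digits (the point raised earlier in the thread), so a dump of the storefront database yields no card numbers. Class names, the alias format and the brand lookup are constructed for the example.

```python
import secrets

# Constructed brand lookup by leading digit; enough for the example.
_BRANDS = {"3": "amex", "4": "visa", "5": "mastercard"}


class CardVault:
    """Hypothetical tokenization service: stores PANs, exposes only tokenize() and charge()."""

    def __init__(self):
        self._cards = {}      # alias -> (pan, expiry); never leaves this class
        self.charges = []     # (alias, amount_minor_units, currency) accepted so far

    def tokenize(self, pan: str, expiry: str) -> dict:
        """Keep the PAN here; hand back an alias and only non-sensitive display data."""
        digits = pan.replace(" ", "")
        if not digits.isdigit() or not 13 <= len(digits) <= 19:
            raise ValueError("invalid card number")
        alias = "tok_" + secrets.token_hex(8)
        self._cards[alias] = (digits, expiry)
        return {"alias": alias, "brand": _BRANDS.get(digits[0], "unknown"), "last4": digits[-4:]}

    def charge(self, alias: str, amount: int, currency: str) -> bool:
        """One-way request: the caller names an alias and never receives the PAN back."""
        if alias not in self._cards:
            return False
        self.charges.append((alias, amount, currency))
        return True


class Storefront:
    """Hypothetical front end: its database only ever contains what tokenize() returned."""

    def __init__(self, vault: CardVault):
        self.vault = vault
        self.db = {}          # customer -> {"alias", "brand", "last4"}

    def save_card(self, customer: str, pan: str, expiry: str) -> dict:
        ref = self.vault.tokenize(pan, expiry)   # PAN goes to the vault, not into self.db
        self.db[customer] = ref
        return ref

    def bill(self, customer: str, amount: int, currency: str) -> bool:
        return self.vault.charge(self.db[customer]["alias"], amount, currency)


def storefront_holds_pan(store: Storefront, pan: str) -> bool:
    """What an attacker with a copy of the storefront database would find."""
    return any(pan.replace(" ", "") in str(row) for row in store.db.values())
```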

  • by Anonymous Coward on Tuesday May 03, 2011 @08:28AM (#36009220)

    I haven't played everquest since 2002 and I got a notice. Luckily for me all that credit card information is outdated and wrong. Even the mailing address is wrong. How someone was able to access this data is beyond me. I cannot, for any reason, think of any justification Sony could have to store something in a manner that a developer could access at this level.

    Sony is going to have one hell of a class action lawsuit on its hands.

    • by nedlohs (1335013)

      Nothing except my name (and date of birth if they have that) is the same as in 2002. Heck I've moved countries and changed citizenship since then...

      But a lawsuit is interesting from the perspective of required arbitration being ruled valid recently. If the EULA in question is that old, and you are no longer a subscriber would something like this now be covered by it?

      • by popoutman (189497) *
        Of course - depending on your country of domicile, EULAs are meaningless things that have no legal standing.
    • by Tei (520358)

      Developers? No, that database was probably a backup somewhere inside some computer on the network, so the attacker managed to get a shell inside PSN, and from there open other systems, including this database.

  • Password (Score:5, Insightful)

    by ifrag (984323) on Tuesday May 03, 2011 @08:30AM (#36009236)
    At this point, I'm almost surprised the password wasn't stored in plain text. Then again, given the magnitude of the breach, I'm betting on it not being very hard to break the hashed password.
    • by mwvdlee (775178)

      I'm assuming Sony just invalidated all passwords after the breach and disallowed passwords with the same hash as the previous one?

  • by daitengu (172781) * on Tuesday May 03, 2011 @08:31AM (#36009244) Homepage Journal
    If the person who stole the SOE accounts could get in contact with me, I've been trying to reset my SOE password for 2 months now, and it hasn't worked. Could you tell me what my password is?
  • by tekrat (242117)

    So, when are all you losers going to wake up?

    Sony just wanted your money, they don't give a crap about you, your rights to privacy, or even making an attempt at keeping your data secure.

    If you purchased a Sony product in such a way that they've got your credit card number, you're at risk, and it doesn't seem to matter since when; since the beginning of Sony on the Internet. Hopefully, those of you using Sony Online since the days of the Playstation (one), only have expired credit cards to worry about, but a

    • So, when are all you losers going to wake up?

      Sony just wanted your money, they don't give a crap about you, your rights to privacy, or even making an attempt at keeping your data secure.

      Personally I'm more annoyed at the people that performed the hack than Sony. Granted Sony has lost what little company loyalty I had, I already stopped buying most of their products.

      But in this case it's the perpetrators that make me angry. It's one thing to screw with a company, it's another to screw with the average Joe that just wanted to play the latest Ratchet and Clank episode.

      Name, address, birthdate, credit card number... that's more than enough for identity theft. Meaning not only do I need to tak

    • So, when are all you losers going to wake up?

      Corporate America just wanted your money, they don't give a crap about you, your rights to privacy, or even making an attempt at keeping your data secure.

      If you purchased an American product in such a way that they've got your credit card number, you're at risk, and it doesn't seem to matter since when; since the beginning of the credit card. Hopefully, those of you using goods and services since the 1960s, only have expired credit cards to worry about, but anyon

  • Great timing! (Score:4, Interesting)

    by rsilvergun (571051) on Tuesday May 03, 2011 @09:53AM (#36010100)
    I love the way corporations do this, just wait for a big news story (Osama's dead) and then start releasing the full extent of the disaster. The same principle worked for the cigarette companies. They were set to be torn apart for lying about the dangers of smoking and genetic modification to increase addiction, then along came 9/11 and all was forgotten. All you got to do is stonewall until a bigger problem comes along.
  • Sony Blu-Ray Player (Score:4, Interesting)

    by Sir_Eptishous (873977) on Tuesday May 03, 2011 @10:26AM (#36010524) Homepage
    So if I bought a Sony Blu-Ray player a while back, and had to create an account on their site to "access" the device, it appears that account I created has been compromised.
  • I keep hearing about intrusions that result in data theft, including credit card numbers, etc. Can someone tell me why on earth this information is being stored as plain-text and not as encrypted files? Unless of course the data is encrypted and the passphrases are stored in open-text files with a filename of "password_to_our_files.txt"
  • While I take no pleasure in the fact that people's financial data has been compromised, my intense dislike of Sony and its business practices is severely inhibiting my ability to wipe an evil little grin off my face.

  • by Anonymous Coward on Tuesday May 03, 2011 @02:20PM (#36013822)

    After Sony's initial admission of the PSN breach, a lot of people pointed fingers of blame at the PS3 hackers without so much as a shred of evidence either way.

    Now that it appears SOE was also penetrated at approximately the same time, I think it's fair to ask just where the penetration occurred, how much customer data was accessible across Sony's networks, and what (if any) internal safeguards were supposed to be in place. There could be multiple penetrations through several vulnerable points, but this looks even more coordinated and planned than initially suspected. If Sony hasn't investigated IT employees, it's time to start -- at minimum, someone has loose lips or careless behaviour. At worst, someone sold them out.
