Sony Admits That Playstation Hacker Got Tons Of Info, Including Passwords
from the this-is-what-you-get-with-a-company-that-rootkits-people dept
We had avoided discussing what was going on with the PlayStation Network hack and subsequent downtime until more details were known, and now Sony is finally revealing what many people feared: a ton of personal info was leaked. According to Sony’s blog post, among the information that hackers got was:
- Name
- Address
- Country
- Birthdate
- PlayStation Network/Qriocity password and login
Sony says it is not sure yet, but that it “cannot rule out,” that credit card info and password security answers were also taken. To deal with that, it is telling people to assume such info was compromised. So far, Sony’s plan amounts to telling you to stay alert:
For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.
To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:
You hear that sound? That’s the sound of a whole bunch of class action lawsuits being filed against Sony as we speak. I’d like to say it’s a huge surprise that Sony would even store passwords and credit card data in a place where it could easily be extracted like that, but it’s really not. This, after all, is the company that made the word “rootkit” famous, and spent the last few months wasting more resources in a quixotic legal campaign against a guy who added back a feature to the PS3 that Sony had deleted. Perhaps if it spent a little more time actually protecting its users rather than fighting silly battles, there wouldn’t be issues like this.
Filed Under: credit cards, passwords, playstation, playstation network, security
Companies: sony
Comments on “Sony Admits That Playstation Hacker Got Tons Of Info, Including Passwords”
And also “Playstation 3 pirates will be banned for life”! Do you hear that sound? That’s all the hackers trembling…
Re: Re:
Do you hear that sound? That’s all the hackers …laughing.
Re: Re:
I’m sure they’ll get banned… while logged in with your account and password.
Re: Re:
Yeah, the “hackers” are going to care about this somehow. Anyone who cracks a modern console does so with the knowledge that their console will be banned from such services if they are caught. That doesn’t help the legal users of the service, and makes hacking more appealing.
The only people “trembling” are the Sony execs who will lose money over this – not just due to the loss of direct income (why buy a new game to play on line this month?) but income from other services that lose their appeal to customers as they realise how fragile cloud-based content actually is (Qriocity, Netflix and other services that require a valid PSN account, games whose DRM moronically calls home even for a single player game).
They waited a week to let people know about the stolen data? That may be the worst part of the whole mess.
Re: Re:
I wonder how much of that was figuring out what was actually taken?
Right now, it appears that they’re saying some info from ALL of the PSN’s users was compromised . . . that’s a lot to check in one week, isn’t it?
That being said, they could easily have started the week with: “We’re afraid that some personal information could’ve been compromised”.
Re: Re: Re:
>>That being said, they could easily have started the week with: “We’re afraid that some personal information could’ve been compromised”.
Bingo. That should have been their first thought.
Re: Re:
They waited a week to let people know about the stolen data?
They are just coming out of stage 1 of Sony Standard Operating Procedure and are getting ready for stage 2:
http://www.penny-arcade.com/comic/2005/07/20/
Just throw the PS out the window and never buy another Sony product EVER!
Rootkits in 85 on Audio CDs
Rootkits on PC games currently (SecuROM)
Then they use bait and switch marketing.
Their network is toast anyway!
Goodbye and Good Riddance Sony!
Re: Re:
What does “Rootkits in 85 on Audio CDs” mean?
Is it 1985? CDs were only invented in 1984 and I can assure you that PCs didn’t even have CD drives until about 1998.
The Sony Rootkit scandal was in 2005.
http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal
Re: Re: Re:
Sorry, I meant 1988.
Re: Re: Re:
invented in 84?
ummm soooo they went back in time for the first album release on cd which was in 82?
And it couldn’t have happened to a nicer company
This once again shows...
…why you don’t go pissing off your fan base. This is too coincidental after Geohot got sued for me to think it was just a random attack. I think someone wanted to show Sony who was boss, and made sure it would hurt them. And since there is no other way to hurt a company, they went for the pocketbook by taking the PSN down and grabbing some credit cards so they would have to pay for identity theft protection too.
Of course, it could also be for a money grab that just happened to coincide with the Geohot case.
And we do not need comprehensive laws requiring data breaches be reported quickly why?
@fogbugzd – why would they? They denied the rootkit, they denied the theft of other peoples IP to make it, and when they got caught the response was to tap them on the wrist.
Nothing will happen to them, they will make some more “contributions” to the pocket congress critters. Then we will get more speeches about how you can not hold a “free” system as responsible as a pay system, and it is the fault of the consumer for not being more aware.
“PlayStation Network/Qriocity password and login”
Something that still baffles me is how can anyone “acquire” these passwords. Every novice computer security student knows that you should NEVER EVER store passwords.
You store a hash value of that password and some salt (http://en.wikipedia.org/wiki/Salt_%28cryptography%29).
Such a big company (which, incidentally, has a big target painted on it) should know this and implement this. But I guess it is just cheaper to have a code monkey slap together a server in a week and then just “sort out” the quirks of the system as they show up.
Re: Re:
The link, in a more useful form:
http://en.wikipedia.org/wiki/Salt_%28cryptography%29
Re: Re: Mailman does the same
I was equally surprised to find that Mailman also stored passwords in plaintext. Quite surprising, because that software has been around for a while.
Re: Re:
“You store a hash value of that password”
I’ll guess that has been patented
Re: "PlayStation Network/Qriocity password and login"
It’s the fact that it’s a big company that they didn’t do what they should do.
Having worked for a big company in the tech industry, I can honestly say the tech department usually is under-funded and over-worked, and everything you do has to be justified. Hell, sometimes the tech department can’t even get and keep valid certs for their sites, depending on how incompetent their management is and how lazy their tech department is.
So no, not surprised they were doing the less safe option.
Not at all.
I’ve seen it take an entire section of a business with millions of customers losing business for more than 2 weeks for a big company to finally make needed changes just to mirror their freaking sites. A simple thing that makes sites continue to function when attacked, but it took millions of dollars lost in order to get the company to do it.
No, not surprised at all…
Meh
All I hear is the sound of urine landing on the already cold ashes of any chance Sony had of ever getting me to buy anything from them again.
Sony has a game console?!
I was too busy playing Halo to notice.
Re: Sony has a game console?!
> I was too busy playing Halo to notice.
And paying $60/year to do it. Thanks, I’ll take free online and the occasional screw-up instead.
Re: Re: Sony has a game console?!
Hahaha, I’d rather pay 100 bucks to play than have my credit cards stolen. I am pretty sure you will enjoy the ID theft.
This just infuriates me altogether. Sony should be required to provide us all with credit reports and identity theft insurance like the one senator is already calling for.
Re: Re:
Now is that what he is really calling for, or is he instead calling for a contribution so he can get ready for 2012?
Sadly often a congress critter will jump on a topic and then sort of wander away after getting a little press. Nothing changed for the people who wanted the change to right some wrong… but maybe a check changed hands…
It still surprises me that people ignored the rootkit incident and continue to give this criminal organization money. I guess flashy pixels have a way of overcoming anyone’s pause.
Re: Not me
I gave up on Sony when they did the rootkits. The only Sony product I have bought is headphones. Other than that, given the type of company Sony is, I just don’t buy their products anymore.
I can’t believe (although not too surprised) that Sony got bit in the butt on this. When will companies learn to protect the data?
Re: Re:
It still surprises me that people ignored the rootkit incident and continue to give this criminal organization money…
Especially people who say something like “That’s it, I’ll start boycotting Sony now”.
This makes me want to ask “do you mean that the rootkit incident did not scare you?”.
Re: Re:
My biggest problem is that I don’t want to boycott about half the developers who actually make games I like…
And unfortunately they insist on publishing only on the PS3 (or market it all for the PS3 and then quietly slip a 360 logo on the ‘released on this platform’ bit a month before the game comes out, so you never know if it’s going to be on anything but the PS3 or not; or randomly decide that from now on the series is going to be a Wii exclusive :S ).
OMG BASED GOD PLZ FUCK MY PS3 PLEASE #SWAGG
Suddenly Nintendo’s Friend Codes don’t seem so bad.
I wonder...
What’s the typical cost to a company, in terms of class action damages, for failing to adequately protect user data in this manner?
Just thinking – if they were required to pay each victim (potentially every person who’s ever purchased a PS3) $200, which I figure is a reasonable if not slightly small number to pay for this sort of irresponsibility…
Well, they’ve sold, as of Dec 31 last year, 47.9 million PS3s. So that’s, ignoring 2nd-hand sales, 9.6 billion in damages.
…Sony made $893 net income in Q3 2010…
Re: I wonder...
Nothing will happen to Sony. Nothing happened to them with all the other evils they perpetrated on their customers. This sounds like programming stupidity on Sony’s behalf. I bet this happened as a retaliation for them raiding Hotz house, seizing virtually everything including all his financial records, getting access to all his social media accounts so they can sue other people that looked at his hack, etc. As Nelson would say HA HA pointing at Sony. Nobody’s going to buy your junk tablets now!
Re: I wonder...
Maybe they should be slapped for illegally sharing content, much like copyright infringement and be slapped with a 75,000 dollars fine per shared credit card number.
Unlike sharing music, this *does* hurt the person whose information was shared.
"U.S. residents "
“U.S. residents are entitled under U.S. law to one free credit report annually….” but everyone else is out of luck.
And then you wonder why governments make laws and regulations forcing companies to do something.
Re: "U.S. residents "
In Canada, at least my bank – CIBC – offers credit report monitoring for free and I get notified of any changes; the trick is you have to turn it on in online banking.
Why didn’t Sony email this to millions of PSN accounts? They haven’t at all. Something this serious should be in everybody’s inboxes along with the normal PSN spam Sony sends out.
ouch
well… I won’t be selling off my PS3 for an Xbox, but you better believe that when the next generation of consoles roll out, I will be joining the microsoft club…
Re: ouch
‘course, you gotta be a bit careful of microsoft too.
They can be just as evil or just as stupid (though they seem good at not being evil and stupid at the same time, usually, unlike Sony).
And this little piggy...
played his Wii, all the way home!
Sony, the one and lonely!
Karma, the multi-platform real life game that requires no rootkit, or even your explicit permission, you’re playing whether you like it or not! Sony, you lose!
Technical Common Practices With Passwords
Passwords should always be salted, hashed, hashed and then hashed (and possibly, for good measure, hashed). Even HBGary did better than this.
I’m really interested to find out what the tech details of the hack are. There’s speculation about hacked ps3 console, but even if that’s true, it belies bad security on the part of Sony. The three golden rules of client-server programming:
1. Don’t trust the client
2. Don’t trust the client
3. Don’t trust the client
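Two comments above (“You store a hash value of that password and some salt” and “Passwords should always be salted, hashed, hashed and then hashed”) describe the same practice without showing it. The block below is an added illustration, not code from the original post or from Sony: a per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256 from the Python standard library), a stored record that contains no recoverable password, and constant-time verification. The record format `pbkdf2_sha256$iterations$salt$digest` and the iteration count are this example’s own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Key-derivation parameters (example values, not taken from any real system).
# The iteration count is the "hash, hash and then hash again" part; raise it
# as hardware gets faster. 16 random salt bytes is plenty to make salts unique.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return the record a server should store instead of the password.

    Format: "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>". The record
    carries everything needed to re-check a login attempt later, but no copy
    of the password itself, so a dump of the table does not yield passwords.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)        # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt/iterations and compare.

    hmac.compare_digest avoids leaking how many leading bytes matched through
    timing. Malformed records are rejected rather than raising.
    """
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != ALGORITHM:
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def records_are_unlinkable(password: str, iterations: int = ITERATIONS) -> bool:
    """Per-user salts mean two accounts with the same password get different
    records, so an attacker cannot spot shared passwords by grouping equal rows."""
    return hash_password(password, iterations=iterations) != hash_password(password, iterations=iterations)


if __name__ == "__main__":
    # Constructed example: one hypothetical account.
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))
    print(verify_password("Tr0ub4dor&3", stored))
```

With this in place, the “login and password” line in Sony’s disclosure would have read “login and salted password hash”, which is a materially different thing for the victims: the attacker still has to guess each password, and reuse across sites is far less exposed.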
Re: Technical Common Practices With Passwords
4. Don’t trust the server, the people who wrote the software, the people who work for you, the mail person, Mike Masnick, or the kid at the McDonald’s drive through.
Really though, it’s more than just the client you have to worry about.
Re: Re: Technical Common Practices With Passwords
natch.
Seems like trusting the client is less akin to missing a possible entry point when booby-trapping a house and more like saving the assassin the trouble of getting in by wearing a target over your face and standing in the middle of the street.
Re: Re: Technical Common Practices With Passwords
I never said it’s all you have to worry about, but the security flaws I see in many client server apps amount to trusting the client.
“They’ll only pull up pages/records I give them links for!”
“The only possible values to come back in this field are the ones I’ve enumerated in the dropdown!”
“I’ll put the id of the organization the user belongs to in a cookie, nice and convenient!”
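The three quoted assumptions above are each a form of trusting the client: record ids taken from whatever link the client followed, form fields assumed to hold only dropdown values, and the tenant id read back from a cookie the client can edit. The block below is an added example, not code from the original post or from any Sony system; it fakes a tiny multi-tenant record store and a request object so the vulnerable handler and its hardened version can be run side by side offline. All names (`SESSIONS`, `RECORDS`, `ALLOWED_REGIONS`, the cookie and query keys) are this example’s inventions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed data for a hypothetical two-tenant application.
SESSIONS = {"sess-abc": {"user_id": 7, "org_id": 100}}          # server-side session store
RECORDS = {
    1: {"org_id": 100, "body": "acme quarterly report"},
    2: {"org_id": 200, "body": "globex quarterly report"},
}
ALLOWED_REGIONS = {"us", "eu", "jp"}                              # the dropdown's real options


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: everything here is attacker-controlled."""
    cookies: Dict[str, str] = field(default_factory=dict)
    query: Dict[str, str] = field(default_factory=dict)


def vulnerable_fetch(req: Request) -> str:
    """Trusts the client on every point the comment lists.

    The tenant id comes from a cookie the browser can rewrite, the record id is
    whatever the URL says, and the 'check' compares two client-supplied values.
    """
    org_id = int(req.cookies["org_id"])           # client-controlled tenant id
    rec = RECORDS[int(req.query["id"])]           # client-controlled record id
    if rec["org_id"] != org_id:                   # compares client input to itself
        raise PermissionError("wrong org")
    return rec["body"]


def hardened_fetch(req: Request) -> Tuple[int, Optional[str]]:
    """Derives identity server-side, authorizes ownership, validates every field."""
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return 401, None                          # no valid session, no tenant
    try:
        rec_id = int(req.query.get("id", ""))
    except ValueError:
        return 400, None                          # ids are validated, not assumed
    region = req.query.get("region", "us")
    if region not in ALLOWED_REGIONS:
        return 400, None                          # dropdown values re-checked server-side
    rec = RECORDS.get(rec_id)
    if rec is None or rec["org_id"] != session["org_id"]:
        return 404, None                          # foreign record looks like a missing one
    return 200, rec["body"]


if __name__ == "__main__":
    # Attacker with a real session in org 100 edits the org_id cookie and the URL.
    attacker = Request(cookies={"session": "sess-abc", "org_id": "200"},
                       query={"id": "2", "region": "xx"})
    print(vulnerable_fetch(attacker))    # leaks org 200's record
    print(hardened_fetch(attacker))      # (400, None): bad region caught first
```

The hardened handler returns the same 404 for “record does not exist” and “record belongs to another tenant”, so the attacker cannot use the response to enumerate which ids are real.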
I'm delighted at this news
Anyone who buys Sony products after the rootkit debacle is supporting the enemy, and DESERVES to have their identity stolen, their personal information misused, and their credit cards abused. I have no sympathy for them at all.
And as for Sony themselves, let’s hope the combined effect of the class action lawsuits is to permanently cripple them. Too bad the personal assets of the corporate officers can’t be targeted; they deserve to be bankrupt, homeless, and starving.
But I’m not bitter.
Re: I'm delighted at this news
Anyone who (insert ignorant action) DESERVES to have (insert whatever happened).
Ignorance is no excuse. However, claiming they deserve whatever is just plain mean. That horse upon which you sit is rather high.
Re: Re: I'm delighted at this news
I think they deserved it. They went out and pissed off the most technically minded part of their customer base. Then they went after GeoHotz after that horse had left the barn and the barn had burned down…
I’m saying they deserved it and I have a Playstation 3. Luckily they didn’t get my CC information.
Re: I'm delighted at this news
Amen brother. I agree completely.
So....
Who wants to buy a used PS3, cheap?
It comes with games, controllers, and a hacked account.
Re: So....
According to some sites, Games shops aren’t buying second hand PS3s for this reason.
Re: So....
I’ll only buy a used PS3 if it’s hackable/modable – maybe $20 at a garage sale in the near future, we’ll see, who knows.
If I can’t install OtherOS or equivalent on it, I don’t want it.
hahaha
Add this crap and the yellow light of death to my PS3, in the same week! Wow, Sony, you better be paying to fix my system for free and give me 100 bucks!
Richard Blumenthal
Blumenthal demands answers from Sony
Please bear in mind, this is the same Blumenthal that was an Attorney General fighting against Backpage and Craigslist.
He can demand answers, but I most certainly do not trust him…
Re: Richard Blumenthal
This guy is just an attention/media whore. Anything he can do to get his name out to appear like he cares and/or is doing something for the average person.
We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience.
We thank you for your patience as we complete our investigation of this incident, and we regret any personal economic disasters during which years could go by before you are financially stable enough to continue giving us your money.
FTFY
Playstation
I have spent a lot of money buying games and virtual items on PlayStation Home. They should give people back the money, since we cannot play, or may not want to play, in the future.
Re: Playstation
Sorry, but this is what happens when you buy into a closed, DRM encrusted system. The servers go down and anything you paid for goes with it.
I've got a PS3
and other than being told that I can’t connect to the PSN whenever I boot it up, I can’t say I’ve missed it. And good luck to the hackers. The only purchase I ever made was done using a PSN gift card. Enjoy my remaining $2.81!
Still, I’m saddened that I will be missing out on future episodes of the “The Tester.” It must have been quite the thing considering how often they shoved it in my direction while I browsed their store.
Re: I've got a PS3
Well, they have $2.81 and any personal information you may have entered. I’m sure they can sell that for another few bucks.
Name, Location, etc.
IT
ONLY
DOES
…
$@#%@!
And in two months, they plan on releasing their new handheld console. I can see gamers flocking – not.
Re: Re:
“And in two months, they plan on releasing their new handheld console. I can see gamers flocking – not.”
Tablets and smart phones are probably going to destroy the handheld market over the next couple of years, much in the same way that cellphones with video cameras destroyed the cheap video camera market.
Re: Re: Re:
Can you explain a bit more? Based on my experience with the video camera market, I may have a bias that says they remain unchanged in actual capacity.
wow
I’m not saying this couldn’t happen to MS but, this is why they have such strict hardware structure and their own servers that developers have to design their games to work on, if they want to be online compatible for downloads or online play. $60 a year doesn’t seem like so much, when you consider the security aspect of the service. Before you leave any negative comments, I’m perfectly aware that no network is hack proof. I’m just saying, it would be a little harder and less likely to happen.
Re: wow
You know what? As much as I hate the 360, it’s more secure than ‘the state-of-the-art console’. How sad is that? That the Wii and 360, which were hacked sooner, are more secure than the PS3.
Re: Re: wow
The PS3 is actually slower than the 360 at doing simple things like loading its (much simpler and smaller) icons and menus.
Re: Re: wow
Any hardware can be hacked, but what you can do with it is another story. I’ve never heard of a hacked 360 accessing the Live network. I’ve heard of people reformatting the system and installing Linux or some other homebrew software, but that’s as good as it gets. As for the Wii, I have one in the house but I rarely touch it. It was a gift for my wife; I’m not a big fan of the system. I’m not sure how secure the Wii is in comparison to the PS3, but it seems just as open. I believe that’s why MS opted not to install a browser on their systems. It just leaves too much open to be hacked. I’m sure they could have installed a separate drive or something for internet access and kept the gaming software separate, to avoid any issues, but how practical would that have been, and how expensive would that have been for us, as consumers?
What a shame.
In the 80s, Sony was *the* name in electronics. Now, I wouldn’t touch a Sony product if they paid me. I’d like to know what happened to this company. I want to know why they felt it necessary to spy on its customers. I want to know why its products ensure we can’t do what we want with them, even if this action is illegal.
None of this is Sony’s responsibility. Given how their products have always been marked up to ridiculous levels (we paid for that brand name, damn it), I certainly can’t believe piracy was any issue that made their profits drop.
I’d say that honor went to LG, who not only undercut Sony’s prices, but did it with products people enjoyed.
No matter. They’ve lost me as a customer forever and there’s no mistaking how this is truly the lost sale Sony seemed to be so worried about.
Is irony to be taken with water?
Re: What a shame.
Nope, it’s to be taken with neurotoxin. Certified GLaDOS-free.
Re: What a shame.
Sony went from a hardware company to a content company. The two are at odds, and at Sony the content company has won.
I bought a Sony gizmo thing a couple of months ago– I wasn’t thinking, it was a Goldbox special on Amazon.
When I went to register it, though, there was a survey about Sony’s reputation. So I told them about how I stopped buying Sony CDs after the rootkit, and how I stopped buying Sony computers after a Vaio that had to have two power sources replaced because whoever did the recall work put in the SAME DAMN PART, which borked my hard drive. Not to mention the Clie they stopped supporting immediately after I got it. I told them I was giving them one last chance with consumer electronics.
Looks like they are trying to do some market research on how people perceive them.
Too bad for Sony
Judging by all these comments, an entire organization is under fire once again, and most likely because a handful of their many people failed.
For their sake, hopefully someone was just making a point, or it was a smart moron that will get caught before any real damage happens, but that’s beyond wishful thinking this day and age.
Re: Too bad for Sony
“Judging by all these comments an entire organization is under fire once again and most likely because a handful of their many people failed”
Judging by all these comments an entire organization is under fire once again and most likely because their corporate policies make them as user unfriendly as possible
FTFY. Sony has a history of stupid, customer-damaging moves, this is par for the course with them. Hopefully this one actually will come back and severely bite them in the ass.
Anyone care to add up the monetary damages Sony has incurred since they started their BS with Geohot? Of course I’m including this incident since its most likely anon getting a bit of retribution for their (Sony’s) litigating ways…….
Sad thing is...
the money heading down the toilet from this screw up would have better been invested in preventing it in the first place. Now they have a damaged reputation (again), 77 million pissed off loyal users, class action law suits, and they still have to fix that pesky problem. I’m not a rocket scientist but I’d say they’re doing things the hard way.
OK, seriously, this is really late, I just found this, but people really need to calm down. Sony is still better than Xbox x100%, and I just needed to get this off my chest: everyone marked anonymous seems very suspicious. I’m sorry, but seriously, talking about how Sony is a piece of sh** and X-Box is better? They have a lot of problems too. I’m saying this though: Sony is not the only target. I’m just saying that sooner or later Microsoft will go down, so don’t think their firewall is stronger than Sony’s. I’m not a hacker or anything, I’m just another Sony player who is p*ss*d off because of who hacked Sony, but like I said, don’t think that Sony is their only target!!!!!!!!!!