Sony Admits That Playstation Hacker Got Tons Of Info, Including Passwords

from the this-is-what-you-get-with-a-company-that-rootkits-people dept

We had avoided discussing what was going on with the PlayStation Network hack and subsequent downtime until more details were known, and now Sony is finally revealing what many people feared: a ton of personal info was leaked. According to Sony’s blog post, among the information that hackers got was:

  • Name
  • Address
  • Country
  • Email
  • Birthdate
  • PlayStation Network/Qriocity password and login

Sony claims it’s not sure yet, but says it “cannot rule out” that credit card info and password security answers may have also been included. To deal with that, they’re saying people should assume that such info was compromised. So far, Sony’s plan is to tell you to stay alert:

For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.

To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:

You hear that sound? That’s the sound of a whole bunch of class action lawsuits being filed against Sony as we speak. I’d like to say it’s a huge surprise that Sony would even store passwords and credit card data in a place where it could easily be extracted like that, but it’s really not. This, after all, is the company that made the word “rootkit” famous, and spent the last few months wasting more resources in a quixotic legal campaign against a guy who added back a feature to the PS3 that Sony had deleted. Perhaps if it spent a little more time actually protecting its users rather than fighting silly battles, there wouldn’t be issues like this.

Companies: sony


Comments on “Sony Admits That Playstation Hacker Got Tons Of Info, Including Passwords”

79 Comments
PaulT (profile) says:

Re: Re:

Yeah, the “hackers” are going to care about this somehow. Anyone who cracks a modern console does so with the knowledge that their console will be banned from such services if they are caught. That doesn’t help the legal users of the service, and makes hacking more appealing.

The only people “trembling” are the Sony execs who will lose money over this – not just due to the loss of direct income (why buy a new game to play on line this month?) but income from other services that lose their appeal to customers as they realise how fragile cloud-based content actually is (Qriocity, Netflix and other services that require a valid PSN account, games whose DRM moronically calls home even for a single player game).

freak (profile) says:

Re: Re:

I wonder how much of that was figuring out what was actually taken?

Right now, it appears that they’re saying some info from ALL of the PSN’s users was compromised . . . that’s a lot to check in one week, isn’t it?

That being said, they could easily have started the week with: “We’re afraid that some personal information could’ve been compromised”.

Anonymous Coward says:

This once again shows...

…why you don’t go pissing off your fan base. This is too coincidental after Geohot got sued for me to think it was just a random attack. I think someone wanted to show Sony who was boss, and made sure it would hurt them. And since there is no other way to hurt a company, they went for the pocketbook by taking the PSN down and grabbing some credit cards so they would have to pay for identity theft protection too.

Of course, it could also be for a money grab that just happened to coincide with the Geohot case.

That Anonymous Coward says:

And we do not need comprehensive laws requiring data breaches be reported quickly why?

@fogbugzd – why would they? They denied the rootkit, they denied the theft of other people’s IP to make it, and when they got caught the response was to tap them on the wrist.

Nothing will happen to them, they will make some more “contributions” to the pocket congress critters. Then we will get more speeches about how you can not hold a “free” system as responsible as a pay system, and it is the fault of the consumer for not being more aware.

Anonymous Coward says:

“PlayStation Network/Qriocity password and login”

Something that still baffles me is how can anyone “acquire” these passwords. Every novice computer security student knows that you should NEVER EVER store passwords.

You store a hash value of that password and some salt (http://en.wikipedia.org/wiki/Salt_%28cryptography%29).

Such a big company (which, incidentally, has a big target painted on it) should know this and implement this. But I guess it is just cheaper to have a code monkey slap together a server in a week and then just “sort out” the quirks of the system as they show up.

crystal says:

Re: "PlayStation Network/Qriocity password and login"

It’s the fact that it’s a big company that they didn’t do what they should do.
Having worked for a big company in the tech industry I can honestly say the tech department usually is under-funded and over-worked, and everything you do has to be justified. Hell, sometimes the tech department can’t even get and keep valid certs for their sites depending on how incompetent their management is, and how lazy their tech department is.

So no, not surprised they were doing the less safe option.
Not at all.

I’ve seen it take an entire section of business with millions of customers losing business for more than 2 weeks for a big company to finally make needed changes just to mirror their freaking sites. Simple thing that makes sites continue to function when attacked, but it took millions of dollars lost in order to get the company to do it.

No, not surprised at all…

That Anonymous Coward says:

Re: Re:

Now is that what he is really calling for, or is he instead calling for a contribution so he can get ready for 2012?

Sadly often a congress critter will jump on a topic and then sort of wander away after getting a little press. Nothing changed for the people who wanted the change to right some wrong… but maybe a check changed hands…

Cojeff says:

Re: Not me

I gave up on Sony when they did the rootkits. The only Sony product I have bought is headphones. Other than that, given the type of company Sony is, I just don’t buy their products anymore.

I can’t believe (although not too surprised) that Sony got bit in the butt on this. When will companies learn to protect the data?

Anonymous Coward says:

Re: Re:

It still surprises me that people ignored the rootkit incident and continue to give this criminal organization money…

Especially people that say something like “That’s it, I’ll start boycotting Sony now”.

This makes me want to ask “do you mean that the rootkit incident did not scare you?”.

Chargone (profile) says:

Re: Re:

My biggest problem is that I don’t want to boycott about half the developers who actually make games I like…

and unfortunately they insist on publishing only on the PS3 (or market it all for the ps3 and then quietly slip a 360 logo on the ‘released on this platform’ bit a month before the game comes out so you never know if it’s going to be on anything but the ps3 or not. (or randomly decide that from now on the series is going to be a Wii exclusive :S )

Christopher Weigel (profile) says:

I wonder...

What’s the typical cost to a company, in terms of class action damages, for failing to adequately protect user data in this manner?

Just thinking – if they were required to pay each victim (potentially every person who’s ever purchased a PS3) $200, which I figure is a reasonable if not slightly small number to pay for this sort of irresponsibility…

Well, they’ve sold, as of Dec 31 last year, 47.9 million PS3s. So that’s, ignoring 2nd-hand sales, 9.6 billion in damages.

…Sony made $893 net income in Q3 2010…

Anonymous Coward says:

Re: I wonder...

Nothing will happen to Sony. Nothing happened to them with all the other evils they perpetrated on their customers. This sounds like programming stupidity on Sony’s behalf. I bet this happened as a retaliation for them raiding Hotz’s house, seizing virtually everything including all his financial records, getting access to all his social media accounts so they can sue other people that looked at his hack, etc. As Nelson would say HA HA pointing at Sony. Nobody’s going to buy your junk tablets now!

Trails (profile) says:

Technical Common Practices With Passwords

Passwords should always be salted, hashed, hashed and then hashed (and possibly, for good measure, hashed). Even HBGary did better than this.

I’m really interested to find out what the tech details of the hack are. There’s speculation about hacked ps3 console, but even if that’s true, it belies bad security on the part of Sony. The three golden rules of client-server programming:
1. Don’t trust the client
2. Don’t trust the client
3. Don’t trust the client

Trails (profile) says:

Re: Re: Technical Common Practices With Passwords

I never said it’s all you have to worry about, but the security flaws I see in many client server apps amount to trusting the client.

“They’ll only pull up pages/records I give them links for!”
“The only possible values to come back in this field are the ones I’ve enumerated in the dropdown!”
“I’ll put the id of the organization the user belongs to in a cookie, nice and convenient!”
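
The three assumptions quoted in this comment, each replaced by a server-side check, as an added example that is not part of the original thread. The session store, records, field values and function names are all hypothetical and constructed for illustration.

```python
# Constructed sample data: state held on the server, which the client cannot edit.
SESSIONS = {
    "sess-a": {"user": "alice", "org_id": 1},
    "sess-b": {"user": "bob", "org_id": 2},
}
RECORDS = {
    101: {"org_id": 1, "status": "open"},
    202: {"org_id": 2, "status": "open"},
}
ALLOWED_STATUS = {"open", "closed", "on_hold"}  # same values the dropdown offers


class Forbidden(Exception):
    pass


class BadRequest(Exception):
    pass


def current_org(request: dict) -> int:
    """Organization comes from the server-side session, never from a cookie value."""
    session = SESSIONS.get(request.get("session_id"))
    if session is None:
        raise Forbidden("no valid session")
    return session["org_id"]  # any org_id the client sent is ignored


def get_record(request: dict, record_id: int) -> dict:
    """Authorize every lookup, whether or not the UI ever linked to this id."""
    org_id = current_org(request)
    record = RECORDS.get(record_id)
    if record is None or record["org_id"] != org_id:
        # Same answer for "missing" and "not yours" so ids cannot be probed.
        raise Forbidden("record not available")
    return record


def update_status(request: dict, record_id: int, status: str) -> dict:
    """Re-validate the submitted field; the dropdown only restricts honest clients."""
    record = get_record(request, record_id)
    if status not in ALLOWED_STATUS:
        raise BadRequest("status not permitted")
    record["status"] = status
    return record


if __name__ == "__main__":
    # Constructed request: a valid session for org 1 plus a tampered org_id cookie.
    req = {"session_id": "sess-a", "cookies": {"org_id": "2"}}
    print(get_record(req, 101), current_org(req))
```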

Anonymous Coward says:

I'm delighted at this news

Anyone who buys Sony products after the rootkit debacle is supporting the enemy, and DESERVES to have their identity stolen, their personal information misused, and their credit cards abused. I have no sympathy for them at all.

And as for Sony themselves, let’s hope the combined effect of the class action lawsuits is to permanently cripple them. Too bad the personal assets of the corporate officers can’t be targeted; they deserve to be bankrupt, homeless, and starving.

But I’m not bitter.

GunSheep (profile) says:

Re: Re: I'm delighted at this news

I think they deserved it. They went out and pissed off the most technically minded part of their customer base. Then they went after GeoHotz after that horse had left the barn and the barn had burned down…

I’m saying they deserved it and I have a Playstation 3. Luckily they didn’t get my CC information.

NotMyRealName (profile) says:

We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience.

We thank you for your patience as we complete our investigation of this incident, and we regret any personal economic disasters during which years could go by before you are financially stable enough to continue giving us your money.

FTFY

Capitalist Lion Tamer (profile) says:

I've got a PS3

and other than being told that I can’t connect to the PSN whenever I boot it up, I can’t say I’ve missed it. And good luck to the hackers. The only purchase I ever made was done using a PSN gift card. Enjoy my remaining $2.81!

Still, I’m saddened that I will be missing out on future episodes of the “The Tester.” It must have been quite the thing considering how often they shoved it in my direction while I browsed their store.

Vincent says:

wow

I’m not saying this couldn’t happen to MS but, this is why they have such strict hardware structure and their own servers that developers have to design their games to work on, if they want to be online compatible for downloads or online play. $60 a year doesn’t seem like so much, when you consider the security aspect of the service. Before you leave any negative comments, I’m perfectly aware that no network is hack proof. I’m just saying, it would be a little harder and less likely to happen.

Vincent says:

Re: Re: wow

Any hardware can be hacked but, what you can do with it, is another story. I’ve never heard of a hacked 360 accessing the live network. I’ve heard of people reformatting the system and installing lines or some other homebrew software but, that’s as good as it gets. As for the Wii, have one in the house but I rarely touch it. It was a gift for my wife, I’m not a big fan of the system. I’m not sure how secure the Wii is in comparison to the PS3 but, it seems just as open. I believe that’s why MS opted not to install a browser on their systems. It just leaves too much open to be hacked. I’m sure they could have installed a separate drive or something for internet access and keep the gaming software separate, to avoid any issues but, how practical would that have been and how expensive would that have been for us, as consumers.

Hiiragi Kagami (profile) says:

What a shame.

In the 80s, Sony was *the* name in electronics. Now, I wouldn’t touch a Sony product if they paid me. I’d like to know what happened to this company. I want to know why they felt it necessary to spy on its customers. I want to know why its products ensure we can’t do what we want with them, even if this action is illegal.

None of this is Sony’s responsibility. Given how their products have always been marked up to ridiculous levels (we paid for that brand name, damn it), I certainly can’t believe piracy was any issue that made their profits drop.

I’d say that honor went to LG, who not only undercut Sony’s prices, but did it with products people enjoyed.

No matter. They’ve lost me as a customer forever and there’s no mistaking how this is truly the lost sale Sony seemed to be so worried about.

Is irony to be taken with water?

Deirdre says:

I bought a Sony gizmo thing a couple of months ago– I wasn’t thinking, it was a Goldbox special on Amazon.

When I went to register it though there was a survey about Sony’s reputation. So I told them about how I stopped buying Sony CDs after the rootkit, I stopped buying Sony computers after a Vaio that had to have two power sources replaced because whoever did the recall work put in the SAME DAMN PART– which borked my hard drive. Not to mention the Clie they stopped supporting immediately after I got it. I told them I was giving them one last chance with consumer electronics.

Looks like they are trying to do some market research on how people perceive them.

Butternuts says:

Too bad for Sony

Judging by all these comments an entire organization is under fire once again and most likely because a handful of their many people failed.

For their sake hopefully someone was just making a point or it was a smart moron that will get caught before any real damage happens but that’s beyond wishful thinking this day and age.

Christopher Weigel (profile) says:

Re: Too bad for Sony

“Judging by all these comments an entire organization is under fire once again and most likely because a handful of their many people failed”

Judging by all these comments an entire organization is under fire once again and most likely because their corporate policies make them as user unfriendly as possible

FTFY. Sony has a history of stupid, customer-damaging moves, this is par for the course with them. Hopefully this one actually will come back and severely bite them in the ass.

slackr (profile) says:

Sad thing is...

the money heading down the toilet from this screw up would have better been invested in preventing it in the first place. Now they have a damaged reputation (again), 77 million pissed off loyal users, class action lawsuits, and they still have to fix that pesky problem. I’m not a rocket scientist but I’d say they’re doing things the hard way.

italian_reaper16 (profile) says:

Ok, seriously, this is really late, I just found this, but people really need to calm down, and Sony is still better than Xbox x100%. I just needed to get this off my chest: everyone marked anonymous seems very suspicious. I’m sorry, but seriously, talking about how Sony is a piece of sh** and X-Box is better have a lot of problems. I’m saying this though: Sony is not the only target. I’m just saying that sooner or later Microsoft will go down, so don’t think their firewall is stronger than Sony’s. I’m not a hacker or anything, I’m just another Sony player who is p*ss*d off cause of who hacked Sony, but like I said, don’t think that Sony is their only target!!!!!!!!!!
