
PlayStation Network customers have had their personal information and possibly credit cards stolen. Sony just now decided to tell them after six days of service outage for undisclosed reasons.
PlayStation Network and billing system have been down for six days; company just now decides to let users know the worst

Sony Computer Entertainment America LLC has just announced some very bad news for PlayStation Network (PSN) users (accessible via the PlayStation 3 and PSP) who have made purchases -- they have had their personal info and possibly credit card numbers stolen.

Writes Sony:
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
Sony contracted a cloud services provider, Qriocity, to manage its customers' data. Sound familiar? That's not surprising. In recent months, email relationship firms Epsilon and SilverPop suffered similar data breaches, losing personal information of customers of Kroger, Walgreens, Best Buy, Chase Bank, and more.

But this recent breach is arguably the worst yet, given just how much data is said to have been stolen and the possibility that credit card data was stolen.

Sony states:
We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience.
But it writes that customers are now responsible for monitoring their credit card statements and credit scores to watch for any damage. In short, the message reads something like, "Sorry guys, but you're on your own now!"

According to outraged commenters the PSN has been down for six days now, but Sony is just now owning up to the fact that there was a massive security breach.  Secondary sources point to the network being down since at least April 21.

One must wonder how many more companies will see their customers violated before tech firms start to get the idea that handing valuable data to small third-party providers might not be the best idea.  It may be cheap, but as these recent incidents show, the utter lack of security and accountability can lead to many a nightmare.


RE: Hashed Passwords
By lightfoot on 4/26/2011 7:52:52 PM , Rating: 1
I don't know why you would assume that. There is a significant difference between data being compromised and the hashing algorithm being compromised. Cracking the passwords from the hashes should also be pretty much impossible, since it is likely that some form of time sensitive salt was added to the password hash.

Why on earth would you assume anything wasn't compromised? They have already admitted to a MASSIVE data breach and their network is still down. They also don't appear to have audit trails of exactly what was breached. Assuming that they handled password security correctly is a huge assumption when it is clear that they weren't even handling credit card security correctly.

If you added a salt to the hashing algorithm it too would need to be stored (you must be able to duplicate the hash to validate that the password is correct.) This makes it more difficult to generate a lookup table of hashed passwords, but not impossible.

To unhash all of the passwords may be cost prohibitive, but only a single password needs to be compromised to be considered a breach.

We can continue making assumptions about how good their security should have been, but it's kind of moot given the fact that they have already been breached.
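
The point in the comment above, that a salt has to be stored beside the hash so the hash can be recomputed at login, shown as an added example (not code from the article or from Sony; the account names, passwords and PBKDF2 iteration count are constructed for illustration):

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def unsalted_hash(password):
    """Plain SHA-256: identical passwords always give identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password, salt=None):
    """Build the stored record; the salt sits in the clear beside the hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify(password, record):
    """Recompute with the stored salt, then compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def shared_digest_groups(hashes):
    """Group accounts whose stored hash is identical (what one table hit exposes)."""
    groups = {}
    for user, stored in hashes.items():
        groups.setdefault(stored, []).append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


# Constructed sample accounts; two of them chose the same password.
ACCOUNTS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}


def demo():
    unsalted = {u: unsalted_hash(p) for u, p in ACCOUNTS.items()}
    salted = {u: make_record(p) for u, p in ACCOUNTS.items()}
    return {
        "unsalted_groups": shared_digest_groups(unsalted),
        "salted_groups": shared_digest_groups({u: r["hash"] for u, r in salted.items()}),
        "alice_ok": verify("hunter2", salted["alice"]),
        "alice_wrong": verify("hunter3", salted["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```

Without a salt, the two accounts sharing a password also share a digest; with a per-account salt every stored hash is distinct, yet login still works because the salt is read back from the record.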

RE: Hashed Passwords
By donjuancarlos on 4/27/2011 9:12:59 AM , Rating: 2
Nah to all this password cracking stuff. My money is on social engineering. Some admin likely gave up his password or downloaded and ran an email attachment...

RE: Hashed Passwords
By lightfoot on 4/27/2011 12:18:54 PM , Rating: 2
Actually we are discussing how difficult it would be to extract all the user passwords from the database after the database was compromised.

We know that the system was compromised - Sony admitted as much.

The question is now that the system has been compromised what security did Sony have in place to protect sensitive user data?

Clearly the username and most customer details were stored as clear text in the system and have been compromised.

The credit card account numbers should have been stored using no less than 128-bit 3DES encryption according to the Payment Card Industry Data Storage Standard (PCI DSS.)

The discussion here is if the 3DES encryption was breached why some people assume that a more basic hashing algorithm was not. And if Sony was not using 128-bit 3DES for the credit card account numbers why would they assume that they were using a more secure system for the account passwords?
