
PlayStation Network customers have had their personal information and possibly credit cards stolen. Sony just now decided to tell them after six days of service outage for undisclosed reasons.
PlayStation Network and billing system have been down for six days; company just now decides to let users know the worst

Sony Computer Entertainment America LLC has just announced some very bad news for PlayStation Network (PSN) users (accessible via the PlayStation 3 and PSP) who have made purchases -- they have had their personal info and possibly credit card numbers stolen.

Writes Sony:
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
Sony contracted a cloud services provider, Qriocity, to manage its customers' data. Sound familiar? That's not surprising. In recent months, email relationship firms Epsilon and SilverPop suffered similar data breaches, losing personal information of customers of Kroger, Walgreens, Best Buy, Chase Bank, and more.

But this recent breach is arguably the worst yet, given just how much data is said to have been stolen and the possibility that credit card data was stolen.

Sony states:
We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience.
But it writes that customers are now responsible for monitoring their credit card statements and credit scores to watch for any damage. In short, the message reads something like, "Sorry guys, but you're on your own now!"

According to outraged commenters, the PSN has been down for six days now, but Sony is just now owning up to the fact that there was a massive security breach. Secondary sources point to the network being down since at least April 21.

One must wonder how many more companies will see their customers violated before tech firms start to get the idea that handing valuable data to small third-party providers might not be the best idea.  It may be cheap, but as these recent incidents show, the utter lack of security and accountability can lead to many a nightmare.


RE: Meh
By Solandri on 4/27/2011 3:11:14 AM , Rating: 2
When they say logins and passwords were stolen, they're talking about the password file. The way you're supposed to store logins and passwords is with a one-way hash. That's a one-way mathematical function which turns "username" into encrypted gibberish (the hash). But only "username" will make that specific hash, and there's no known mathematical way to convert that hash back to "username". You store the hash (the encrypted gibberish) in the password file, instead of the actual login and password. When a user tries to log in, you run the hash on what they type, and compare that hash to your stored hash to see if it matches.

So assuming they built their system competently, the logins and passwords should be safe even if the password file was stolen. However, although there's no known mathematical way to reverse the hash, there's always the possibility that some criminal genius has figured out some new way to do it. And with sufficient computing power, you can build a hash table (run the hash algorithm on every possible letter/number combo) for all usernames/passwords less than (say) 6 characters. Then it becomes a simple matter of looking up the hash and matching it up with the login or password. So it's still recommended that you change your password.

(This is why dictionary words are very poor passwords. There are trillions of letter/number combos that can make something the length of a typical password. Building up a hash table for all those possibilities is virtually impossible. But there are only a few tens of thousands of words in the dictionary. Building a hash table for all of them is trivial.)
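
The storage scheme and the precomputed-table weakness described in the comment above, as an added example that is not part of the original article or comment. The word list, user names, and the choice of PBKDF2-HMAC-SHA256 with 200,000 iterations are assumptions made for illustration; the page does not say how PSN passwords were stored.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny "dictionary" and two users' passwords.
WORDLIST = ["password", "dragon", "monkey", "letmein"]
USERS = {"alice": "dragon", "bob": "t7#Lq9vX!e2p"}

def unsalted_hash(password: str) -> str:
    """Fast, unsalted hash: the same password always gives the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_lookup_table(words):
    """The precomputed hash table from the comment: digest -> word."""
    return {unsalted_hash(w): w for w in words}

def salted_record(password: str, iterations: int = 200_000):
    """Per-user random salt plus a deliberately slow KDF (assumed parameters)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify(password: str, record) -> bool:
    """Login check: re-derive with the stored salt, compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def audit_unsalted(users, words):
    """Users whose unsalted digest appears in the precomputed table."""
    table = build_lookup_table(words)
    stored = {u: unsalted_hash(p) for u, p in users.items()}
    return {u: table[h] for u, h in stored.items() if h in table}

def audit_salted(users, words):
    """Same table against salted records: the digests never line up with it."""
    table = build_lookup_table(words)
    stored = {u: salted_record(p) for u, p in users.items()}
    return {u: table[d.hex()] for u, (_, _, d) in stored.items() if d.hex() in table}

if __name__ == "__main__":
    print("unsalted, found in table:", audit_unsalted(USERS, WORDLIST))
    print("salted, found in table:  ", audit_salted(USERS, WORDLIST))
```

Salting removes the precomputation shortcut and the iteration count raises the cost of every guess, but a dictionary word remains a weak password under either scheme.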

Copyright 2016 DailyTech LLC.