Print 54 comment(s) - last by Moishe.. on May 2 at 4:31 PM

2.2 million users' cards are reportedly in the database

Millions of customers were shocked to hear Sony Computer Entertainment America LLC (U.S.) and Sony Computer Entertainment Europe (EU) had lost their personal information -- name, username, password, address, birth date, and password recovery question -- and, more importantly, that it potentially lost their credit and debit cards as well.

Sony wrote:

While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility.

It essentially then went on to tell people that they were on their own and that it was customers' own responsibility to protect themselves from credit fraud.

Now it appears the worse case scenario is indeed playing out -- according to recent forum posts, a database with "a large section of the PSN database containing complete personal details along (with credit card numbers)...are being offer (sic) up for sale."

Security researcher Kevin Stevens has witnessed malicious hackers discussing the supposed database.  He posted to Twitter, "Supposedly the hackers selling the DB says it has: fname, lnam, address, zip, country, phone, email, password, dob, ccnum, CVV2, exp date," adding, "it is not a rumor, it was a conversation on a criminal forum."

If someone gains access to this database, it would be easy to issue hundreds of millions of fraudulent charges.  Such charges can put a black mark on your credit score.

Famed hardware jailbreaker George "GeoHot" Hotz chimed in on the reports, writing, "I sure am glad I don’t have a PSN account about now."

In his blog he adds:

And to anyone who thinks I was involved in any way with this, I'm not crazy, and would prefer to not have the FBI knocking on my door. Running homebrew and exploring security on your devices is cool, hacking into someone elses server and stealing databases of user info is not cool. You make the hacking community look bad, even if it is aimed at douches like Sony.


...the fault lies with the (Sony) executives who declared a war on hackers, laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts. Alienating the hacker community is not a good idea.

GeoHot, a self-admitted one-time victim of identity theft, isn't a huge fan of Sony.  He recently settled with the electronics giant in a lawsuit over his jailbreak of the PS3.  Reportedly, GeoHot essentially scored a big win with the settlement, though precise details haven't been revealed.

The attacks came soon after the settlement.  While few suspected GeoHot, some do suspect that members of the loosely organized hacker group Anonymous -- a group which supported GeoHot during the Sony legal battle (without his endorsement) -- might have been involved.

Regardless, this is bad news for Sony and worse news for its customers.  If you have a credit or debit card that you know is filed with service, you might want to talk to your bank about changing your number as soon as possible.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

By BigDH01 on 4/29/2011 9:54:08 AM , Rating: 2
Yep. As some pointed out, Sony's comments indicate that it used hashing to encrypt its records, but gave no indication that it was applying a salt to its hash. Without such a salt it should be well within the reach of savvy hackers to reverse the encryption.

One, CC numbers wouldn't be hashed... it would defeat the purpose. They are encrypted, but not one-way hashed. Hacker would need encryption key and method (probably 3DES). This is not easy to reverse by any means without those items.

Two, hashes are not, by any means, easy to reverse even without using a salt (as long as they are using SHA1 or better). The salt is merely there to force the hacker to look for collisions for each individual record instead of using a rainbow table.

By mcnabney on 4/29/2011 10:06:41 AM , Rating: 3
Credit card numbers are the LEAST of the worries of PSN users. I would be much more concerned if my username, email address, and PASSWORD got out, as should many people. How many other websites and accounts will users select the same email address and the same/similar password? That allows the thieves into other online sellers (like Amazon) and financial accounts (like banks and retirement accounts). Not to mention passwords also used to access systems at their employers. If I had a PSN account, I would be getting new credit card numbers and changing passwords for everywhere I have been online. A huge pain in the ass.

By MrTeal on 4/29/2011 10:30:11 AM , Rating: 5
No one should be be using universal passwords for important accounts. I have a separate PW for my two main email accounts, for my online banking, for paypal, and for eBay. Then there's a couple secondary level passwords for things that are somewhat important but that wouldn't cost me anything if they got hacked. Lastly, I have a couple generic ones for places like DT.

That's the problem with so many sites that really shouldn't require passwords doing so, and many of them requiring convoluted 8 character, mixed upper/lowercase, some special characters, etc. When sites like DT or other random forums require users to use really strong passwords, they just end up using the same password they use for their bank account. As much as they might like to think they are, most places on the internet aren't that important. :P

By callmeroy on 4/29/2011 11:59:10 AM , Rating: 2

I'll admit I do have a generic password I share with all my mundane accounts -- forums (like this and various other ones i participate in) , some free game accounts use the same passwords...but...

My banking, mortgage and retirement accounts...completely unique and a mix of upper lower case symbols and numbers...

So if someone hacks my mundane account that's just annoying there's no "real" data linked to those accounts....

If someone hacks the banking one...well then that would suck...but that's why its a strong pw and I'm fanatical about what goes on my computers and how often its scanned for malware/viruses/etc.

"You can bet that Sony built a long-term business plan about being successful in Japan and that business plan is crumbling." -- Peter Moore, 24 hours before his Microsoft resignation

Latest Headlines
Inspiron Laptops & 2-in-1 PCs
September 25, 2016, 9:00 AM
The Samsung Galaxy S7
September 14, 2016, 6:00 AM
Apple Watch 2 – Coming September 7th
September 3, 2016, 6:30 AM
Apple says “See you on the 7th.”
September 1, 2016, 6:30 AM

Most Popular ArticlesSmartphone Screen Protectors – What To Look For
September 21, 2016, 9:33 AM
UN Meeting to Tackle Antimicrobial Resistance
September 21, 2016, 9:52 AM
Walmart may get "Robot Shopping Carts?"
September 17, 2016, 6:01 AM
5 Cases for iPhone 7 and 7 iPhone Plus
September 18, 2016, 10:08 AM
Update: Problem-Free Galaxy Note7s CPSC Approved
September 22, 2016, 5:30 AM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki