It's Official - 77 Million PSN User Details Stolen

[tjcampbell]

Sony now admits with more detail that,

"A hacker broke into the PlayStation video game online network and stole names, addresses and possibly credit card data belonging to 77 million people.
It is believed to be one of the biggest-ever internet security breaches of its kind...." (click link to read more)

http://news.sky.com/skynews/Home/Te...work_And_Steals_Details_Of_Millions_Of_Gamers

 

[alukado]

Been following this closely over the past week, wake up this morning to see its the news story after the f'in Royal Wedding with the BBC calling it the biggest online fraud ever... jeezus.

BBC News - PlayStation hacker took user info

 

[MRU]

Makes me glad I paid €49.99 for ps+.... Oh wait..

It's the level of the info stolen which is worrying. Forget your CC as that can be replaced by the issuer. It's your date of birth, address, contact numbers, email etc, that a real kick in the nuts. Scammers have enough info to make a wide variety of identity thefts for years to come.

How all this info was stored in one place rather than segmented is a major security flaw in itself. Like leaving your car keys in the ignition.

It's a major **** up and we have the right to be unimpressed. Regardless that it was a malicious hack, the fact that this level of info was taken, and it's 9 days since the attack and were still waiting for the email clarification of this boob is testament to the level of arrogance Sony has shown to playstation owners this generation...

Annoyed PS owner !!!!

 

[peskaa]

MRU, the latest update is that Sony weren't aware of the data theft until recently - not the full 9 days. They hired an external company to assess the situation, and they were the ones who found out about the loss. So potentially it could have only been a day or two delay before they issued the notice.

http://blog.eu.playstation.com/2011/04/27/clarifying-a-few-psn-points/

Of course it doesn't speak well of Sony that they don't have the skills to check their own network for theft properly.

 

[naths]

sony playstation network data theft!!!!

around 70 million!!!!.....wow!!!
http://www.telegraph.co.uk/technolo...sive-PlayStation-Network-user-data-theft.html

 

[-SD-]

I phoned my bank this morning and cancelled the Debit Card that's linked to my PSN account. I would suggest everyone else does the same.

 

[roadbloc]

Sony are gonna get their asses sued at some point during all this. Who in the hell coded PSN? A group of 8 year olds? Pathetic.

 

[MRU]

MRU, the latest update is that Sony weren't aware of the data theft until recently - not the full 9 days. They hired an external company to assess the situation, and they were the ones who found out about the loss. So potentially it could have only been a day or two delay before they issued the notice.

http://blog.eu.playstation.com/2011/04/27/clarifying-a-few-psn-points/

Of course it doesn't speak well of Sony that they don't have the skills to check their own network for theft properly.

Whilst partially true I know.....

I find it skeptical that 'their difference in timing' as they put it - also coincidentally happens to have been 'after' they had announced their two playstation branded tablets at a media event.....

Surely they knew enough of this PR disaster to cancel / hiatus that media event and give us this information that bit sooner.


I'm not worried so much about my CC details, its the fact all our other data including passwords were all stored in a standard text documents together ? (according to EG article). I mean there is a lapse in security on monolithic proportions there. Even a lobotomized chimp wouldn't keep his 'pin number' next to his credit card, inside his open car with the key in the ignition, with the garage door barley closed, and his passport and birth certificate in the glove compartment....

 

[Mac-Rumours]

Makes me glad I paid €49.99 for ps+.... Oh wait..

It's the level of the info stolen which is worrying. Forget your CC as that can be replaced by the issuer. It's your date of birth, address, contact numbers, email etc, that a real kick in the nuts. Scammers have enough info to make a wide variety of identity thefts for years to come.

How all this info was stored in one place rather than segmented is a major security flaw in itself. Like leaving your car keys in the ignition.

It's a major **** up and we have the right to be unimpressed. Regardless that it was a malicious hack, the fact that this level of info was taken, and it's 9 days since the attack and were still waiting for the email clarification of this boob is testament to the level of arrogance Sony has shown to playstation owners this generation...

Annoyed PS owner !!!!

If they'd taken George Hotz to the HR department instead of court maybe he could've secured their servers as well as their PS3?

 

[0098386]

Ridiculous. They've got a lot to make up for. Had to order a new debit card and I won't be putting the details of this one on PSN for a long time.

So annoying too. I've been wanting to pick up some PSN games (MGS, Street Fighter Alpha 3 and such).

 

[Taustin Powers]

Freaking hackers. Should have bought PacMac when I was thinking about it last week.

I am curious if this "intrusion" was made possible by GeoHotz's work.

Unlikely, I guess, but since there was a CFW out that could bypass security measures on PSN to steal retail content, I would not rule it out.

If that is the case, I would imagine the number of PS3-users supporting this idiot and his heroic actions must be shrinking at a dramatic rate.

 

[e²Studios]

Freaking hackers. Should have bought PacMac when I was thinking about it last week.

I am curious if this "intrusion" was made possible by GeoHotz's work.

Unlikely, I guess, but since there was a CFW out that could bypass security measures on PSN to steal retail content, I would not rule it out.

If that is the case, I would imagine the number of PS3-users supporting this idiot and his heroic actions must be shrinking at a dramatic rate.

This intrusion would not be possible without Geohotz work, he made it possible for these people to create and use the custom firmware that did this.

Sony still hasn't admitted they lost CC data, they have only admitted to losing name/email/DOB/address. In the US without a SSN most of that information wouldn't be good for much more than spamming. You can't apply for or get credit without a SSN, which PSN never asked for. This isn't to say they can't start phishing for it, idiots are a dime a dozen out there.

I cancelled and had the CC reissued that was attached to my PSN account just to be safe. By law in the US if a company loses your CC information they must report it to all banks affected, those banks will in turn automatically cancel and reissue cards.

I've seen a few people saying their cards have fraudulent charges, and I think we may see that a few more times. However you can't say for sure its from PSN since your card is far more likely to get copied at a POS terminal than it is stolen from PSN. Until Sony admits to losing CC data (Which they have not), and reports it to banking institutions they are just advising customers to take action. Keeping your client data in a big database isn't uncommon, it wasn't in a text file, thats just not effective business wise. This isn't the first company to have this happen to them, and its probably not the last, I am not giving Sony excuses with these statements, don't get me wrong.

I'm sure there will be agencies that are looking in to this, they haven't exactly handled it very well. The lack of keeping the consumers updated was the part that bugged me from the very start. Keeping consumers in the dark never works out well for companies.

From Sony on the CC issue, I never have liked how vague they have been with this issue. They are not admitting to losing CC info, but they are not denying it either, which I'm sure is for legal reasons if they find out later otherwise.

While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

 

[MRU]

In the US without a SSN most of that information wouldn't be good for much more than spamming. You can't apply for or get credit without a SSN, which PSN never asked for. This isn't to say they can't start phishing for it, idiots are a dime a dozen out there..

Sadly the same isn't true here. With that information one could easily screw things up big time for you.

 

[GFLPraxis]

I really hope CC information hasn't been stolen. >_<

I really, really don't want to contact the city/utilities department/cell provider/ISP and have them all change my account number.

 

[GFLPraxis]

This intrusion would not be possible without Geohotz work, he made it possible for these people to create and use the custom firmware that did this.

Agreed. That said, this was a really, really stupid security model on Sony's part if their entire network security scheme worked on the assumption that the user's local devices were secured, and would let them access anything they wanted if the assumed-secured device asked for it right.

 

[peskaa]

Well, the card details were all encrypted according to Sony's newest update, and weren't nicked. So anybody crying credit card fraud has been diddled from another source, not the PSN leak.

 

[Nuck81]

It's the level of the info stolen which is worrying. Forget your CC as that can be replaced by the issuer. It's your date of birth, address, contact numbers, email etc, that a real kick in the nuts. Scammers have enough info to make a wide variety of identity thefts for years to come.

More information can be found on the average Facebook page, not to mention the phone book.

I've been flabbergasted by the amount of fear mongering and ignorance this situation has created. I'm checking my online banking twice a day (something I've always done anyway) but I'm no more concerned about my family being murdered, the moon falling out of orbit, my PSN created clone living the rest of my life, and dogs and cats living together than I am about how to spend the Lottery money I've never won.

A little common sense goes a long way....

 

[fsck-y dingo]

Just wanted to share my recent experience.

I was at Target picking up a few items today. When I swiped my card it was declined. I knew there was enough credit for what I was getting so I asked them to put my things aside and I'll be back. I called my credit card company and instead of the usual recorded account info (balance, last payment, etc) it said please hold to be connected to a representative.

The man who received my call verified my security information and then told me the card I have is being watched due to suspicious activity. There were several charges made to people's names. All the amounts are for $20.01 and the person on the phone said they've been seeing a lot of fraudulent charges in this amount.

So, he was nice enough to stay on the phone while I walked back into Target so today's charge could be approved. The next step is waiting for the fraud report and new card. Oh, the fun.

I can't say for sure if it has to do with Sony but the timing is right. I've only purchased one downloadable game, but that's all it takes. Make sure to keep an eye on your statements for odd purchases.

 

[peskaa]

I can't say for sure if it has to do with Sony but the timing is right. I've only purchased one downloadable game, but that's all it takes. Make sure to keep an eye on your statements for odd purchases.

It isn't to do with Sony. The card details on PSN were a) encrypted and b) not stolen. You were unfortunately simply victim to good 'ol card fraud from another source.

 

[fsck-y dingo]

It isn't to do with Sony. The card details on PSN were a) encrypted and b) not stolen. You were unfortunately simply victim to good 'ol card fraud from another source.

I can accept that as one very likely possibility. However, I don't put much stock in what companies say these days. I'm certainly not going to tell people it definitely is related to the Sony issues going on but lets be honest, you can't rule it out. I'm sure they thought their console's root key was secure but we all know that's wrong.

The email Sony sent out even says they aren't sure. Here's part of the email I was sent:

"While there is no evidence at this time that credit
card data was taken, we cannot rule out the possibility. If you have
provided your credit card data through PlayStation Network or Qriocity,
out of an abundance of caution we are advising you that your credit
card number (excluding security code) and expiration date may have
been obtained."

I'd think it's difficult to definitively say that it wasn't due to this problem. If the database was encrypted anything like the root key then I'm not confident in Sony's word at all. Even if this information was properly encrypted that doesn't mean it can't be broken.

 

[0098386]

I'm keeping a closer eye on my account. It'd be very interesting if that happened to me also since I don't use the card I used for PSN for anything, ever. It's an age old account I had since secondary school for savings. The card was complimentary and I put it on PSN and Steam and use regular online banking with that account to send money to other people. And I'm really good at keeping myself safe and secure.

If anything happens with this account then it's either the fault of Steam or PSN. But so far there we're problem free.

But I'm quite interested to see if I get any funny phonecalls! I'm not listed in the phonebook and again... I keep myself safe online. When companies ask for my phone number I use my old mobile number. So hopefully I'll be able to tell off some cold callers .

They better give us some free stuff though. Even if it's just to stress test their new PSN network. And we better get a choice! If it's a PS3-only gift then they can swivel.

 

[peskaa]

I can accept that as one very likely possibility. However, I don't put much stock in what companies say these days. I'm certainly not going to tell people it definitely is related to the Sony issues going on but lets be honest, you can't rule it out. I'm sure they thought their console's root key was secure but we all know that's wrong.

The email Sony sent out even says they aren't sure. Here's part of the email I was sent:

"While there is no evidence at this time that credit
card data was taken, we cannot rule out the possibility. If you have
provided your credit card data through PlayStation Network or Qriocity,
out of an abundance of caution we are advising you that your credit
card number (excluding security code) and expiration date may have
been obtained."

I'd think it's difficult to definitively say that it wasn't due to this problem. If the database was encrypted anything like the root key then I'm not confident in Sony's word at all. Even if this information was properly encrypted that doesn't mean it can't be broken.

Ah yes, but that's an older update. The latest says:

Q: Was my personal data encrypted?
A: All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.

This also has very little to do with the root key.

 

[MRU]

More information can be found on the average Facebook page, not to mention the phone book.

I've been flabbergasted by the amount of fear mongering and ignorance this situation has created. I'm checking my online banking twice a day (something I've always done anyway) but I'm no more concerned about my family being murdered, the moon falling out of orbit

Well if your checking your bank account twice a day (OCD hello) then your hardly going to be worried, however most of us do not I would safely hazard a generalisation.

Also whilst many can have their details on facebook, there is the option of selecting whether this information is available or not. I choose not to share any personal information of this sort. I do not have that choice with the Sony breach.

 

[GFLPraxis]

This also has very little to do with the root key.

I've heard a lot of speculation that it does, actually. There's a custom PS3 firmware made possible with the root key that lets you give yourself developer access to PSN and then lets you 'purchase' without any money as many PSN games as you want. It's called Rebug- you can google it and download it yourself, though it won't do you much good with PSN down.

It's not a stretch to think someone just took that firmware one step further.

Honestly, I suspect that Sony put all their security in to the PS3 itself, and then made PSN dependent on assuming that any communications coming from the PS3 were secure. Once the PS3 was cracked, people could connect to PSN and do anything they wanted once they figured out how to.

 

[jaw04005]

PSN being down for almost two weeks is crazy. I can't believe they haven't at least put it back up with limited services. Even if Sony had to start from scratch and migrate trophy and purchases data over, at least that would be a start.