Sony Admits That Playstation Hacker Got Tons Of Info, Including Passwords
from the this-is-what-you-get-with-a-company-that-rootkits-people dept
We had avoided discussing what was going on with the PlayStation Network hack and subsequent downtime until more details were known, and now Sony is finally revealing what many people feared: a ton of personal info was leaked. According to Sony's blog post, among the information that hackers got was:- Name
- Address
- Country
- Birthdate
- PlayStation Network/Qriocity password and login
For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.You hear that sound? That's the sound of a whole bunch of class action lawsuits being filed against Sony as we speak. I'd like to say it's a huge surprise that Sony would even store passwords and credit card data in a place where it could easily be extracted like that, but it's really not. This, after all, is the company that made the word "rootkit" famous, and spent the last few months wasting more resources in a quixotic legal campaign against a guy who added back a feature to the PS3 that Sony had deleted. Perhaps if it spent a little more time actually protecting its users rather than fighting silly battles, there wouldn't be issues like this.
To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: credit cards, passwords, playstation, playstation network, security
Companies: sony
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
[ link to this | view in thread ]
Rootkits in 85 on Audio CDs
Rootkits on PC games Currently ( SECUROM )
Then they use bait and switch marketing.
Their network is toast anyway!
Goodbye and Good Riddance Sony!
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
Right now, it appears that they're saying some info from ALL of the PSN's users was compromised . . . that's a lot to check in one week, isn't it?
That being said, they could easily have started the week with: "We're afraid that some personal information could've been compromised".
[ link to this | view in thread ]
This once again shows...
Of course, it could also be for a money grab that just happened to coincide with the Geohot case.
[ link to this | view in thread ]
@fogbugzd - why would they? They denied the rootkit, they denied the theft of other peoples IP to make it, and when they got caught the response was to tap them on the wrist.
Nothing will happen to them, they will make some more "contributions" to the pocket congress critters. Then we will get more speeches about how you can not hold a "free" system as responsible as a pay system, and it is the fault of the consumer for not being more aware.
[ link to this | view in thread ]
Something that still baffles me is how can anyone "acquire" these passwords. Every novice computer security student knows that you should NEVER EVER store passwords.
You store a hash value of that password and some salt (http://en.wikipedia.org/wiki/Salt_%28cryptography%29).
Such a big company (which, incidentally, has a big target painted on it) should know this and implement this. But I guess it is just cheaper to have a code monkey slap together a server in a week and the just "sort out" the quirks of the system as they show up.
[ link to this | view in thread ]
Re:
http://en.wikipedia.org/wiki/Salt_%28cryptography%29
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Meh
[ link to this | view in thread ]
Sony has a game console?!
[ link to this | view in thread ]
Re: Re:
Bingo. That should have been their first thought.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Not me
I can't believe (although not too surprised) that Sony got bit in the butt on this. When will companies learn to protect the data?
[ link to this | view in thread ]
I wonder...
Just thinking - if they were required to pay each victim (potentially every person who's ever purchased a PS3) $200, which I figure is a reasonable if not slightly small number to pay for this sort of irresponsibility...
Well, they've sold, as of Dec 31 last year, 47.9 million PS3s. So that's, ignoring 2nd-hand sales, 9.6 billion in damages.
...Sony made $893 net income in Q3 2010...
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: I wonder...
[ link to this | view in thread ]
"U.S. residents "
And then you wonder why governments make laws and regulations forcing companies to do something.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
Sadly often a congress critter will jump on a topic and then sort of wander away after getting a little press. Nothing changed for the people who wanted the change to right some wrong... but maybe a check changed hands...
[ link to this | view in thread ]
ouch
[ link to this | view in thread ]
And this little piggy...
Sony, the one and lonely!
Karma, the multi-platform real life game that requires no rootkit, or even your explicit permission, you're playing whether you like it or not! Sony, you lose!
[ link to this | view in thread ]
Technical Common Practices With Passwords
I'm really interested to find out what the tech details of the hack are. There's speculation about hacked ps3 console, but even if that's true, it belies bad security on the part of Sony. The three golden rules of client-server programming:
1. Don't trust the client
2. Don't trust the client
3. Don't trust the client
[ link to this | view in thread ]
I'm delighted at this news
And as for Sony themselves, let's hope the combined effect of the class action lawsuits is to permanently cripple them. Too bad the personal assets of the corporate officers can't be targeted; they deserve to be bankrupt, homeless, and starving.
But I'm not bitter.
[ link to this | view in thread ]
Re:
Is it 1985? CDs were only invented in 1984 and I can assure you that PCs didn't even have CD drives until about 1998.
The Sony Rootkit scandal was in 2005.
http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
So....
It comes with games, controllers, and a hacked account.
[ link to this | view in thread ]
Re:
they are just coming out of stage 1 of sony Standard Operating Procedure and are getting ready for stage 2:
http://www.penny-arcade.com/comic/2005/07/20/
[ link to this | view in thread ]
hahaha
[ link to this | view in thread ]
Richard Blumenthal
Please bear in mind, this is the same Blumenthal that was and Attorney General fighting against Backpage and Craigslist.
He can demand answers, but I most certainly do not trust him...
[ link to this | view in thread ]
Re: Re:
ummm soooo they went back in time for the first album release on cd which was in 82?
[ link to this | view in thread ]
We thank you for your patience as we complete our investigation of this incident, and we regret any personal economic disasters during which years could go by before you are financially stable enough to continue giving us your money.
FTFY
[ link to this | view in thread ]
Re: "U.S. residents "
[ link to this | view in thread ]
Playstation
[ link to this | view in thread ]
I've got a PS3
Still, I'm saddened that I will be missing out on future episodes of the "The Tester." It must have been quite the thing considering how often they shoved it in my direction while I browsed their store.
[ link to this | view in thread ]
Re: Playstation
[ link to this | view in thread ]
Re: I've got a PS3
Name, Location, etc.
[ link to this | view in thread ]
Re: Richard Blumenthal
[ link to this | view in thread ]
Re: Technical Common Practices With Passwords
Really though, it's more than just the client you have to worry about.
[ link to this | view in thread ]
ONLY
DOES
...
$@#%@!
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: So....
[ link to this | view in thread ]
Re: So....
If I can't install OtherOS or equivalent on it, I don't want it.
[ link to this | view in thread ]
wow
[ link to this | view in thread ]
Re:
Especially people with that says something like "That's it, I'll start boycotting Sony now".
This makes me want to ask "do you mean that the rootkit incident did not scare you?".
[ link to this | view in thread ]
Re: I wonder...
Unlike sharing music this *does* hurt the person who'se information was shared.
[ link to this | view in thread ]
Re: wow
[ link to this | view in thread ]
Re:
and unfortunately they insist on publishing only on the PS3 (or market it all for the ps3 and then quietly slip a 360 logo on the 'released on this platform' bit a month before the game comes out so you never know if it's going to be on anything but the ps3 or not. (or randomly decide that from now on the series is going to be a Wii exclusive :S )
[ link to this | view in thread ]
Re: ouch
they can be just as evil or just as stupid. (though they seem good at not being evil and stupid at the same time, usualy. unlike sony.)
[ link to this | view in thread ]
Re: Re: Technical Common Practices With Passwords
seems like trusting the Client is less akin to missing a possible entry point when booby trapping a house and more saving the assasin the trouble of getting in by wearing a target over your face and standing in the middle of the street.
[ link to this | view in thread ]
Re: Re: wow
[ link to this | view in thread ]
What a shame.
None of this is Sony's responsibility. Given how their products have always been marked up to ridiculous levels (we paid for that brand name, damn it), I certainly can't believe piracy was any issue that made their profits drop.
I'd say that honor went to LG, who not only undercut Sony's prices, but did it with products people enjoyed.
No matter. They've lost me as a customer forever and there's no mistaking how this is truly the lost sale Sony seemed to be so worried about.
Is irony to be taken with water?
[ link to this | view in thread ]
Re: What a shame.
[ link to this | view in thread ]
Re: What a shame.
[ link to this | view in thread ]
Re:
I'll guess that has been patented
[ link to this | view in thread ]
Re: I'm delighted at this news
Ignorance is no excuse. However, claiming they deserve whatever is just plain mean. That horse upon which you sit is rather high.
[ link to this | view in thread ]
Re: Re: I'm delighted at this news
I'm saying they deserved it and I have a Playstation 3. Luckily they didn't get my CC information.
[ link to this | view in thread ]
Re:
Tablets and smart phones are probable going to destroy the handheld market over the next couple years. Much in the same way that cellphones with video cameras destroyed the cheap video camera market.
[ link to this | view in thread ]
When I went to register it though there was a survey about Sony's reputation. So I told them about how I stopped buying Sony CDs after the rootkit, I stopped buying Sony computers after a Viao that had to have two power sources replaced because whoever did the recall work put in the SAME DAMN PART-- which borked my harddrive. Not to mention the Clie they stopped supporting immediately after I got it. I told them I was giving them one last chance with consumer electronics.
Looks like they are trying to do some market research on how people perceive them.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: I'm delighted at this news
[ link to this | view in thread ]
Mailman does the same
[ link to this | view in thread ]
Yallabid- Online Auction
[ link to this | view in thread ]
Yallabid- Online Auction
[ link to this | view in thread ]
Re: Sony has a game console?!
And paying $60/year to do it. Thanks, I'll take free online and the occasional screw-up instead.
[ link to this | view in thread ]
Re: Re: Sony has a game console?!
[ link to this | view in thread ]
Re:
The only people "trembling" are the Sony execs who will lose money over this - not just due to the loss of direct income (why buy a new game to play on line this month?) but income from other services that lose their appeal to customers as they realise how fragile cloud-based content actually is (Qriocity, Netflix and other services that require a valid PSN account, games whose DRM moronically calls home even for a single player game).
[ link to this | view in thread ]
Re: "PlayStation Network/Qriocity password and login"
having worked for a big company in the tech industry I can honestly say the tech department usually is under-funded and over-worked, and everything you do has to be justified. Hell, sometimes the tech department cant even get and keep valid certs for their sites depending on how incompetent their management is, and how lazy their tech department is.
so no, not surprised they were doing the less safe option.
not at all.
I've seen it take an entire section of business with millions of customers losing business for more than 2 weeks for a big company to finally make needed changes just to mirror their freaking sites. simple thing that makes sites continue to function when attacked, but it took millions of dollars lost in order to get the company to do it.
no not surprised at all...
[ link to this | view in thread ]
Re: Re: Technical Common Practices With Passwords
"They'll only pull up pages/records I give them links for!"
"The only possible values to come back in this field are the ones I've enumerated in the dropdown!"
"I'll put the id of the organization the user belongs to in a cookie, nice and convenient!"
[ link to this | view in thread ]
Too bad for Sony
For their sake hopefully someone was just making a point or it was a smart moron that will get caught before any real damage happens but thats beyond wishful thinking this day and age.
[ link to this | view in thread ]
Re: Too bad for Sony
Judging by all these comments an entire organization is under fire once again and most likely because their corporate policies make them as user unfriendly as possible
FTFY. Sony has a history of stupid, customer-damaging moves, this is par for the course with them. Hopefully this one actually will come back and severely bite them in the ass.
[ link to this | view in thread ]
Re: Re: wow
[ link to this | view in thread ]
[ link to this | view in thread ]
Sad thing is...
[ link to this | view in thread ]
[ link to this | view in thread ]