PlayStation Network hacked: Personal data of up to 70 million people stolen

Filed Under: Data loss, Malware, Spam, Vulnerability

Users of Sony's PlayStation Network are at risk of identity theft after hackers broke into the system, and accessed the personal information of video game players.

The implications of the hack, which resulted in the service being offline since last week, are only now becoming clear as Sony has confirmed that the hackers, who broke into the system between April 17th and April 19th, were able to access the personal data of online gamers.

In a blog post, Sony warns that hackers have been able to access a variety of personal information belonging to users including:

    * Name
    * Address (city, state, zip code)
    * Country
    * Email address
    * Date of birth
    * PlayStation Network/Qriocity password and login
    * Handle/PSN online ID


In addition, Sony warns that profile information - such as your history of past purchases and billing address, as well as the "secret answers" you may have given Sony for password security - may also have been obtained.

As if that wasn't bad enough, Sony admits that it cannot rule out the possibility that credit card information may also have been compromised:

While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

The fact that credit card details, used on the network to buy games, movies and music, may also have been stolen is obviously very worrying, and affected users would be wise to keep a keen eye on their credit card statements for unexpected transactions. Questions clearly have to be asked as to whether Sony was ignorant of the PCI data security standards and was storing this and other personal data in an unencrypted format.

So how could hackers exploit the information stolen from the Sony PlayStation Network?

1. Break into your other online accounts. We know that many people use the same password on multiple websites. So if your password was stolen from the Sony PlayStation Network, it could then be used to unlock many other online accounts - and potentially cause a bigger problem for you.

So you should always use unique passwords.


Oh, and you better be sure that you have changed your "secret answers" too.

2. Email you phishing scams or malware attacks. If they stole your email address from Sony, they can now email you. And it wouldn't be difficult for the cybercriminals to create an email which pretended to come from a legitimate organisation (perhaps Sony themselves?) in order to steal more information, or which carried a Trojan horse designed to infect your computer. The fact that they know your name and snail-mail address could make the email even more convincing.

3. Hit you in the wallet. If your credit card details have been exposed by the Sony PlayStation Network hack then you could find fraudsters begin to make purchases from your account - if you notice that money is missing, you'll have to go through the rigmarole of claiming the money back from your credit card company.

This security breach is not just a public relations disaster for Sony, it's a very real danger for its many users.

If you're a user of Sony's PlayStation Network now isn't the time to sit back on your sofa and do nothing. You need to act now to minimise the chances that your identity and bank account become a casualty following this hack.

That means changing your passwords, auditing your other accounts, and considering whether you should keep a closer eye on those credit card statements or simply tell your bank that as far as you're concerned the card is now compromised.

Should you cancel your credit card?

Look at it this way.


If I lost my credit card in the back of a taxi I would cancel my card. I wouldn't wait for a fraudster to sting it for cash. If Sony has lost your credit card details then it's worse as the credit card information is now being held digitally, right in the hands of people best placed to exploit it.

So, yes. I would cancel my credit card.

More information can be found in Sony's blog post and in their FAQ.

Update: Sony has now said that the credit card data was encrypted, but questions still remain about the strength of that encryption.


23 Responses to PlayStation Network hacked: Personal data of up to 70 million people stolen

  1. sean whittaker · 1220 days ago

    but i thought the hackers said that they were only hacking sony for revenge because of legal action taken to geohotz and they said that they wouldn't do anything to the customers, only sony...

    and btw gr8 utube vid

  2. Josh · 1220 days ago

    Indeed that is what anon said Sean... =/

  3. paul · 1220 days ago

    "but i thought the hackers said"

    **key phrase**, never combine "thought" and "hackers said" in the same sentence for one "thought" means you could be wrong; "hackers said" is about 90% falsity. Why trust someone who just had to break the law to get the chance to get your info?

  4. Jacob · 1220 days ago

    It's not related to Anonymous. Nor has it anything to do with GeoHotz. It is a separate incident.

  5. mason · 1220 days ago

    glad i dont have a PS3 or anything like that.

  6. Aaron · 1220 days ago

    I'm hearing a lot of claims from people in the wake of this that Microsoft's Xbox Live service is a lot more secure than the PSN. Is there really any reason to believe that this is true?

    • Bcr · 1220 days ago

      Nope, Xbox Live was also hacked in the past, so it's complete nonsense.

  7. cobalt · 1220 days ago

    I think that group of hackers lost interest and this was a different one. First they don't make the ps3 play older games and now they lose info on a ton of people plus they owe money to everyone with the various paid memberships to the network, netflix, and online games. They're going to end up like Sega and just make games soon.

    • dwc1980 · 1220 days ago

      My PS3 plays PS2 and PS1 games.

      Everyone is at risk from hackers however good your security is, these dicks don't have any life other than in the "cyber-world" or whatever they like to think they are. Geeks if you ask me.
      Nothing better to do than to ruin other people's fun.
      They should get a life, and a girlfriend, and a job.

  8. mahen23 · 1220 days ago

    i believe that one of the anon hackers was not a good hacker and took advantage of the situation.

    • carl Blackett · 1220 days ago

      One of the anonymous hackers was not a good hacker???

      Taking away the sensationalism of Hollywood, is there such a thing???

  9. Joe Scott · 1220 days ago

    Bad form Sony. Almost a week after it started and you're making such a statement now? Don't use my PS3 often but have bought a few items from the store. Can't remember if I stored my details but can't check because the service is down!

  10. msryasly · 1220 days ago

    They all got hacked, nothing got away from hackers

  11. Oliver · 1220 days ago

    Great write up, I've been trying to spread the word on Twitter.

  12. Max · 1220 days ago

    Two things really steam me about this situation:
    1) Maybe it did take a week to figure out the scope of the breach and data affected - BUT, I would be less angry if they had said up front that user info/CC data *may* have been leaked
    2) They, like some others, insist on having user CC info on file even if you don't expect to make a purchase

    BTW, if Sony is correct, then IF the CC info was taken, the CCV (3-digit security code from the back of the card) was not. In that case, the author's examples of loaning the card to a friend or leaving it in a taxi are not good analogies to use as a basis for asking the bank for a new card. Are there any retailers who will accept CC number and expiration without the CCV for virtual or phone checkout?

    Also, out of curiosity, does anyone know how PSN members are able to comment on the PSN blog when it requires login and the network is still down?

  13. paul · 1220 days ago

    good one that - been wondering as I cannot enter on the PSN blog and am a PSN member.

    As for Anon - they are black hat - sorry - not shiny white hat, not script kiddie either and they have not "home brewed" a thing for older games.

    the only thing they have been helping with is the effort to bypass security and get to the kernel and the playstation network.

    I may be old school (and am an end user/gamer- so not in the biz) I tend to look at it this way.

    If there is a law against burglary, and I put locks on my house, and put new locks on it every few months - and people keep breaking in - why is it MY fault?

    If you listen to the comments- and then look at the patch after patch and see the concerted effort by the hackers to bypass the "locks" to steal- so whose fault for illegal activity? yeah I'm old school - maybe too ethical for today.

  14. Alex · 1220 days ago

    Why does Sony need your date of birth? Most of the info they request is too much, give as little info as you can, same as good programming: give the apps as few permissions as possible. As a user if they ask for too much, complain or don't use the service.

  15. StarBaseONE2 · 1219 days ago

    I'm well into my ITCNS program of study. The light came on almost a year ago ie... the term "Data Security" had to have been coined by a marketing team trying to peddle a new concept of selling their products (in internet stores). IT pros would have been a bit more careful in their choice of words if they were responsible for that definition. At best 'information security' can only be a realistic illusion, as all these protocols/standards in use are not proprietary secrets!

    I don't believe in coincidence. Anon claim "not us this time" is laughable (even if they are not responsible in this specific incident) they are wolves trying to pretend they are shepherds, they love being left to look out for a herd of sheeple. If it turns out that the CC information of Sony's customers was stored on their servers with anything less than double encryption, then they deserve to struggle with bankruptcy for the next couple of years, while paying off lack of compliance fines , damages, and restoration charges to the folk they have wronged by being criminally negligent! And Max is right Sony should have been straight up with the world in so far as there was a breach of their servers and it could yet compromise your financial information (if they ever work through that double encryption)!

  16. CyberNinja · 1219 days ago

    The systems with credit card data should be separated entirely from the other systems in the PSN. If you store CC information you need to comply with the PCI DSS rules and this breach might make it seem like Sony did not comply with these requirements.
    The PCI DSS does not protect you from breach of CC information, but it would have made Sony think of how to protect and segregate the different systems.

    Since this breach has involved CC data the PCI council will assign a forensics team to investigate the case, and Sony does not control the process.

    Just to inform you a little ;-)

  17. caroline · 1219 days ago

    My son hasn't been able to log on for over a week and £188.53 was taken out of my account today by an unknown company, we will know the name of the company Tuesday/Wednesday when I can claim my money back which will take 15 days :( idiots cause a lot of hassle for innocent people

  18. freddie · 1219 days ago

    pal that's a die hard playstation fan just rung me to tell me 90 pounds was taken from his bank account by an unknown company he has informed the bank and hopefully they will reimburse him he's that mad he is even thinking about switching to the xbox

  19. Liam · 1213 days ago

    Sony should give us $30 to use in the Playstation store for all the trouble.

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.