Hackers successfully broke into 93,000 accounts at Sony over the last few days, once again impacting users of the Sony Entertainment Network, PlayStation Network (PSN) and Sony Online Entertainment services.
According to a blog post by Philip Reitinger, Sony’s Chief Information Security Officer, credit card details were not compromised.
As a precautionary step, Sony has frozen the compromised accounts and will email impacted users asking them to confirm their identity and reset their passwords.
Some compromised accounts “showed additional activity prior to being locked,” but the only hint from Sony as to what that activity might entail is that the company says it will “work with any users whom we confirm have had unauthorized purchases made to restore amounts in the PSN/SEN or SOE wallet.”
What’s interesting is that the hackers appear to have gained access to the Sony accounts by working through a large database of stolen usernames and passwords – believed to have been sourced from somewhere else. That suggests the accounts which were broken into were using a non-unique password.
In other words, you were using the same password on the Sony PlayStation Network as you were on website X.
It’s never a good idea to use the same password in multiple places.
Sony’s security team were alerted to the intrusion when they noticed a high number of failed login attempts – so well done to those users who weren’t using the same password.
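The detection signal described above (a burst of failed logins against many different accounts from one source, with only the occasional success) can be spotted in authentication logs with a small sliding-window check. This is an added illustration, not Sony's code; the log format and the sample lines are constructed for the example, and the thresholds are assumptions to tune per service.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (assumed format:
# "<ISO timestamp> <source IP> <account> <OK|FAIL>"; not real Sony data).
# One source replays a stolen list and gets one hit (bob); one is a normal user.
AUTH_LOG = """\
2011-10-11T09:00:01 203.0.113.5 alice FAIL
2011-10-11T09:00:03 203.0.113.5 bob OK
2011-10-11T09:00:05 203.0.113.5 carol FAIL
2011-10-11T09:00:07 203.0.113.5 dave FAIL
2011-10-11T09:00:09 203.0.113.5 erin FAIL
2011-10-11T09:00:11 203.0.113.5 frank FAIL
2011-10-11T09:00:13 203.0.113.5 grace FAIL
2011-10-11T09:00:15 203.0.113.5 heidi FAIL
2011-10-11T09:00:17 203.0.113.5 ivan FAIL
2011-10-11T09:05:00 198.51.100.7 alice FAIL
2011-10-11T09:05:40 198.51.100.7 alice OK
"""

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(lines, window_s=300, min_attempts=8,
                    min_users=5, max_success_ratio=0.2):
    """Flag source IPs that try many distinct accounts within window_s seconds with
    mostly failures (a stolen-list replay); report the accounts that did succeed."""
    by_ip = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, ip, user, ok = parse(line)
            by_ip[ip].append((ts, user, ok))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start so the window spans at most window_s seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            window = events[start:end + 1]
            users = {u for _, u, _ in window}
            hits = sorted(u for _, u, ok in window if ok)   # accounts to freeze/reset
            if (len(window) >= min_attempts and len(users) >= min_users
                    and len(hits) / len(window) <= max_success_ratio
                    and len(window) > alerts.get(ip, {}).get("attempts", 0)):
                alerts[ip] = {"attempts": len(window), "accounts": len(users),
                              "hit_accounts": hits}
    return alerts
```

The ordinary user who mistypes once is not flagged because a single account never reaches the distinct-account threshold, which is what separates this pattern from a user simply forgetting a password.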
Here’s a video explaining one way to choose hard-to-guess passwords.
At the end of its blog post, Sony’s Reitinger offers some sensible advice to users:
We encourage you to choose unique, hard-to-guess passwords and always look for unusual activity in your account.
The only silver lining for Sony is that this security breach appears to be much smaller in scale than the attacks which hit it earlier this year, where millions had their personal information stolen and the Sony PlayStation Network was forced offline.
Sony’s reputation was badly harmed earlier this year by the series of hacking attacks. This latest incident certainly isn’t going to do them any favours – as customers will (rightly or wrongly) continue to associate the Sony brand with security breaches.
I’m sure Sony will be hoping that this is the last time a security incident will put their company in the news headlines for all the wrong reasons.
Graham,
Didn't all PSN users have to change their passwords after the hack which brought down the PSN?
Scenario:
1. Attack Sony and steal ID and password pairs
2. Sony forces users to reset passwords
3. Attacker uses 'original stolen list' in brute force attack
Consequence:
Multiple failed matching attempts (some success for people who don't use PSN anymore or have not logged on since the breach and changed their password).
How can they be so sure this data came from 'one or more lists from other companies'?
As an Xbox fan, who was sorely disappointed with his Playstation 3, this news both amuses me and comes as no surprise.
Watch out!! The fanboys are on day release from Xbox live.
Of course it comes as no surprise. If this is the data that was originally stolen, then surely it would be used at some point. Thanks for pointing out the obvious though – it really helps.
> I'm sure Sony will be hoping that this is the last time a security incident will put their company in the news headlines for all the wrong reasons.
Why are you posting about it at all, then? "Corporation detects unauthorized use of user accounts because of credentials shared with other services which were insecure; alerts users promptly, locks accounts, rolls back financial activity." Would you have posted about it differently if the company was Amazon? Netflix? Google? Microsoft? Sophos? I think you would.
I think he would have written about it differently had it been those companies because Sony's been in the news a lot this past summer and the others have not. I look at Sophos' Naked Security blog as almost a response to the main stream media about security issues. So I saw this post as a kind of "Hey, this happened, but it's not all it appears to be."
I think that the line right above the one you have quoted explained this fairly well:
> Sony's reputation was badly harmed earlier this year by the series of hacking attacks. This latest incident certainly isn't going to do them any favours – as customers will (rightly or wrongly) continue to associate the Sony brand with security breaches.
The trolls just wanted to get in Chris Chan's account because they missed him 🙂
I'm impressed with Sony's quick response to these breaches. They've obviously learned from the momentous c*ck up earlier this year. It's possible people just re-entered their old passwords when PSN prompted them to reset them because many probably didn't think that their details would be significant out of 25 million others…
So Philip Reitinger is Sony’s CISO? If Phil is the top tier, he’s not much on security savvy.