Sony suffers another security breach, locks down accounts

By Lee Kaelin on October 12, 2011, 9:30 AM

Sony locked down 93,000 user accounts on its online gaming and entertainment networks yesterday after it detected a large number of unauthorized attempts to gain access to them. The intruders had brief access to 60,000 PSN accounts and another 33,000 accounts on the servers for Sony Online Entertainment.

In a statement released earlier today on the PlayStation blog, VP & chief information security officer Philip Reitinger said the attacks happened between Friday and Monday, affecting "less than one-tenth of 1 percent" of PSN, SEN, and SOE consumers.

In his statement, he confirmed that those 93,000 accounts had been accessed, and the user IDs and passwords had been verified, but wanted to assure the public that "only a small fraction of these 93,000 accounts showed additional activity prior to being locked." It has not been detailed what activity had been detected, only that they "are continuing to investigate the extent of unauthorized activity on any of these accounts."

Sony is requiring secure password resets on affected PSN accounts that had user IDs and passwords matched during the intrusions on its networks. Users will shortly receive an email at the address associated with the account with steps on how to reset their password and gain access to PSN again.

Those with SOE accounts will find that they have been temporarily turned off, and will shortly receive an email from the company with steps on how to validate their account credentials in order to have it turned back on.

"We want to take this opportunity to remind our consumers about the increasingly common threat of fraudulent activity online, as well as the importance of having a strong password and having a username/password combination that is not associated with other online services or sites. We encourage you to choose unique, hard-to-guess passwords and always look for unusual activity in your account," Reitinger further commented in his statement.

Reitinger was keen to point out that affected account holders' credit card details were safe, and anyone confirmed to be on the list will have any money spent from their "online wallets" on the Sony network refunded.

Although this latest round of attacks has been dealt with much better, it is doing little to help the beleaguered gaming giant rebuild its reputation after the huge hacking scandal that erupted earlier in the year, affecting millions of its users.




User Comments: 17

TeamworkGuy2 said:

Nice going Sony...

You can stop teaching us how NOT to handle server security now.

Guest said:

Just another reminder that our current username/password combo is not strong enough. When we start using certificates or other factor authentication?

Guest said:

hahahahhahahahahhaha, down with Sony.

Cota Cota said:

Guest said:

Just another reminder that our current username/password combo is not strong enough. When we start using certificates or other factor authentication?

Username-Password is already very secure, the problem is the bad use from the users and the mediocre companies.

We are talking about SONY, a company that doesn't know what encrypting is, and never to say they will develop one to keep away from the standard "security".

UnknownSky said:

Sooooooo,

I can't stop laughing at the bashers of Sony. They realized a security breach and are fixing it. These are only 93,000 accounts which I'm sure had "catsdogs" or "123456" as their password since some persons are that ignorant. One-tenth of a percent. That sounds statistically correct.

Think logically.

I still support Sony.

TeamworkGuy2 said:

I was not bashing Sony (too much).

It's just funny how they keep getting hit by these attacks.

UnknownSky said:

TeamworkGuy2 said:

I was not bashing Sony (too much).

It's just funny how they keep getting hit by these attacks.

Honestly,

If they clean up their messes then everything is fine with me. A good thing to do is never rely solely on a company's security and don't put full faith into anything because ANYTHING can happen. Ya know?

gwailo247, TechSpot Chancellor, said:

"Hm...all these accounts getting hacked. Let's see what my password is...'password'...hmm...I should probably change it....'password1'...yeah, that's the ticket, suck it hackers!"

negroplasty negroplasty said:

are you regretting your ways yet, sony?

Guest said:

These criminals are attacking almost all online companies including Government Homeland/Security. All are at risk of online theft / breaches. The good thing is SONY detected the malicious breach and nipped it in the bud early. Thanks to their improved online security, they prevented what could have been another disaster.

Kudos to them

Guest said:

negroplasty, just like every other large company out there, Sony will not be regretting their ways.

and UnknownSky, do you realize how many times someone has to "guess" the combination of User Name and Password to get it correct? Now multiply that number by 93,000.

care to elaborate if i didn't understand you correctly?

Guest said:

So many imbeciles rejoicing in an insignificant number for a company the magnitude of Sony. At least they mention it so account holders are aware. The competition wouldn't have. Right now many of you with accounts in other companies are possibly hacked and not know it, because you're not told.

Guest said:

@Guest: It is the law, they have no choice but to "mention it". Otherwise Sony could be sued for not "mention(ing) it".

Guest said:

Just another reminder that our current username/password combo is not strong enough. When we start using certificates or other factor authentication?

If you enforce a limit on number of attempts in a time period, e.g. 3 in 10 minutes, a 6 character minimum would take over 324,202 years to brute force all combinations of alpha numerical combinations.

So it's not all that difficult to put some sort of meaningful password protection on an account with some simple rules.
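
The attempt limit described in the comment above (3 tries in 10 minutes), as an added example that is not part of the original thread or of any Sony system: a per-account sliding-window limiter, plus a helper that bounds exhaustive-search time at the throttled rate. The class, the function names and the sample events are constructed for illustration.

```python
from collections import defaultdict, deque

MAX_ATTEMPTS = 3          # policy from the comment: 3 attempts ...
WINDOW_SECONDS = 10 * 60  # ... in any 10-minute period


class AttemptLimiter:
    """Sliding-window limit on failed logins, tracked per account name."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self._failures = defaultdict(deque)  # account -> failure timestamps

    def _prune(self, account, now):
        q = self._failures[account]
        while q and now - q[0] >= self.window:  # drop failures older than the window
            q.popleft()
        return q

    def allowed(self, account, now):
        """True if another password guess may be checked for this account."""
        return len(self._prune(account, now)) < self.max_attempts

    def record_failure(self, account, now):
        self._prune(account, now).append(now)

    def record_success(self, account):
        self._failures.pop(account, None)


def years_to_exhaust(alphabet_size, length,
                     max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
    """Upper bound in years to try every password of exactly `length` characters."""
    guesses_per_year = max_attempts * (365 * 24 * 3600) / window
    return alphabet_size ** length / guesses_per_year


def replay(events, limiter):
    """Feed (timestamp, account, password_ok) events; return one decision per event."""
    decisions = []
    for ts, account, ok in events:
        if not limiter.allowed(account, ts):
            decisions.append("throttled")  # rejected before the password is checked
        elif ok:
            limiter.record_success(account)
            decisions.append("ok")
        else:
            limiter.record_failure(account, ts)
            decisions.append("fail")
    return decisions


# Constructed sample: guesses every 60 s, then the correct password at 240 s and 601 s.
SAMPLE = [(0, "alice", False), (60, "alice", False), (120, "alice", False),
          (180, "alice", False), (240, "alice", True), (601, "alice", True)]
```

A limit keyed on the account name alone also throttles the real owner while the window is full, which is why the correct login at 240 s in the sample is rejected and the one at 601 s succeeds.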

tonylukac said:

Why are we always reinventing the wheel? 35 years ago on the IBM mainframe some former students where I went to school (University of Illinois at Chicago) created ACF2, a security program that did just what is stated here; encrypted passwords and limited numbers of password attempts. They later formed a company in "silicon prairie". I'd be happy to do your job for you.

9Nails, TechSpot Paladin, said:

Guest said:

Just another reminder that our current username/password combo is not strong enough. When we start using certificates or other factor authentication?

That's an interesting point. But I doubt the hackers in this article cracked individual accounts. They probably found a way around the normal means and entered by exploiting a security weakness. They likely opened a database, then downloaded a few names. So it wouldn't matter what you set your login/password to when they have back door access to that information.

Guest said:

Ok so why is it that those people who use similar passwords on xbox live never have this problem?

When was the last time LIVE got hacked? Can you please remind me?
