Sony unsure if PlayStation Network user data was stolen

CivicDew

Well-Known Member
1,632
517
Southern Ohio


'External intrusion' probed as outage enters day 5

Sony has yet to determine if customers' personal information and credit card details have been stolen as part of an external intrusion into its system that has left its PlayStation network inaccessible for five days.

“Our efforts to resolve this matter involve re-building our system to further strengthen our network infrastructure,” Sony spokesman Patrick Seybold blogged on Saturday. “Though this task is time-consuming, we decided it was worth the time necessary to provide the system with additional security.”
 

webby

Administrator
Admin
Toys For Tots
52,105
22,314
I wonder if Netflix users will ask for refunds because they can't watch movies when the PS3 network is down. If credit/ID theft is potentially involved, they're in a mess, or I should say the users are.

Anonymous?
 

CivicDew

I can't wait to see if any identity fraud comes out of this mess. Anonymous claims they have nothing to do with this attack, but seriously, who else could have done it?
 

webby

They posted an update on the blog:

Thank you for your patience while we work to resolve the current outage of PlayStation Network & Qriocity services. We are currently working to send a similar message to the one below via email to all of our registered account holders regarding a compromise of personal information as a result of an illegal intrusion on our systems. These malicious actions have also had an impact on your ability to enjoy the services provided by PlayStation Network and Qriocity including online gaming and online access to music, movies, sports and TV shows. We have a clear path to have PlayStation Network and Qriocity systems back online, and expect to restore some services within a week.
We’re working day and night to ensure it is done as quickly as possible. We appreciate your patience and feedback.

=======================

Valued PlayStation Network/Qriocity Customer:
We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:
  1. Temporarily turned off PlayStation Network and Qriocity services;
  2. Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
  3. Quickly taken steps to enhance security and strengthen our network infrastructure by re-building our system to provide you with greater protection of your personal information.
We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.
To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:
U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit www.annualcreditreport.com or call toll-free (877) 322-8228.

We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a “fraud alert” on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below.
Experian: 888-397-3742; www.experian.com; P.O. Box 9532, Allen, TX 75013
Equifax: 800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
TransUnion: 800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790

You may wish to visit the web site of the U.S. Federal Trade Commission at www.consumer.gov/idtheft or reach the FTC at 1-877-382-4357 or 600 Pennsylvania Avenue, NW, Washington, DC 20580 for further information about how to protect yourself from identity theft. Your state Attorney General may also have advice on preventing identity theft, and you should report instances of known or suspected identity theft to law enforcement, your State Attorney General, and the FTC. For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; telephone (877) 566-7226; or www.ncdoj.gov. For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; telephone: (888) 743-0023; or www.oag.state.md.us.
We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority. Please contact us at 1-800-345-7669 should you have any additional questions.

Sincerely,
Sony Computer Entertainment and Sony Network Entertainment

The same information can be found at the following websites:
http://us.playstation.com/news/consumeralerts/#non-us
For those that live in the United States, but not Massachusetts or Puerto Rico:
http://us.playstation.com/news/consumeralerts/#us
If you live in Massachusetts:
http://us.playstation.com/news/consumeralerts/#mass
If you live in Puerto Rico:
http://us.playstation.com/news/consumeralerts/#pr
 

webby

another note after digging deeper -

http://www.reddit.com/r/gaming/comments/gx6o4/im_a_moderator_over_at_psxscenecom_the_real/

"I'm a moderator over at PSX-Scene.com - The real reason PSN is down."

Ok, I've seen a bunch of speculation of why people think PSN is down, and I thought I should just post what the community knows in comparison to what Sony is telling everyone. The truth is, there was a new CFW (custom firmware) released known as Rebug (http://rebug.me). It essentially turns a retail console into a dev console (not fully, but gives you a lot of the same options that usually devs only have access to). Anyway, this new CFW was quickly figured out by 3rd parties (not Rebug) to give CFW users access to the PSN network again via the dev networks. With a little manipulation of the URLs through a proxy server you could get your hacked console back online. Not that big of a deal, right? Well, it also turns out that some people over at NGU found out that you could provide fake CC# info and the authenticity of the information was never checked as you were on Sony's private developer PSN network (essentially a network that Sony trusted). What happened next was extreme piracy of PSN content. Sony, realizing the issue here, shut down the network. Now, before you go freaking out about the latest information posted about Kotaku, no one's personal information was accessible via this hack. Not to say they couldn't get it, but no one is admitting to it being available. Anyway, that's the real reason for the PSN downtime. Sony is now rebuilding all of its PSN servers to be more secure and (hopefully) make sure the CFW users cannot get online anymore.
Edit #1: To those of you saying that this is speculation, you are correct. But, it is speculation based on a lot of facts and the outcome seems to make the most sense.

  • Rebug was released on 3/31/11.

  • First guides of how to use the dev network to get back on COD games on 4/3/11.

  • Word of NGU users finding a way to pirate PSN content via the dev networks on 4/7/11 (basing this on posts I had to delete on the website. Update: Users have pointed out to me that these posts existed on NGU as of 4/2/11).

  • PSN goes down on 4/20/11
Now, you can believe Sony's PR team which has kept you completely in the dark, or you can see the list of events above and come to your own conclusion. Now, this isn't the first time Sony has fought back against the PS3 modders from getting on PSN. A couple of months ago we had a utility called f*ckPSN that changed the necessary header information that was being sent to Sony to allow modified consoles back online. We were able to use it for about a month. Then came the new TOS, the mass e-mail to PS3 customers, and software update 3.56 and 3.60. So, once again, yes this is all speculation, but it is speculation based on previous actions and known facts.
Edit #2: Mathieulh just mentioned that he has been in contact with someone that has official access to the SCE devnet servers and it was posted to them today that only 3.60+ debug firmwares will be allowed on the dev network anymore. All earlier versions will be cut. If you want to retain your access you need to contact Sony and upgrade to 3.60 debug firmware.
Edit #3: Ok, it looks like some various news sites have picked up this story and taken it out of context. Once again, this is all speculation and information gathered from various devs in the PS3 scene. It might very well not be the real reason PSN is down, but as the timeline fits, it's a reasonable explanation. Now, as to Rebug directly allowing this to happen, that's not the case at all. Different CFWs have had access to the dev network the whole time. This is not new news for people in the PS3 scene. It's what people have figured out what to do with the said network that has caused all the recent issues. Saying that Rebug is what did this is like saying a gun manufacturer is responsible for every death that happens with a gun.
Edit #4: Looks like Sony is finally admitting that people have been able to get into their network and users' personal info has possibly been compromised. See: Official Sony Blog for the latest update.


 

webby

Seems Microsoft Xbox is having issues as well -

Senator Richard Blumenthal wrote the President and CEO of Sony to demand answers for the lack of immediate notification about the extent that users' personal and financial information had been compromised. Blumenthal wrote, "PlayStation Network users should be provided with financial data security services, including free access to credit reporting services, for two years, the costs of which should be borne by Sony. Affected individuals should also be provided with sufficient insurance to protect them from the possible financial consequences of identity theft."
Sony then posted on the PSN blog that the timing between learning about the intrusion and learning that consumer data was compromised was due to the necessity of awaiting outside experts to "conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach."


The group Anonymous issued a formal statement, denying any involvement in the PSN outage. "For once we didn't do it." AnonOps added, "While it could be the case that other Anons have acted by themselves, AnonOps was not related to this incident and does not take responsibility for whatever has happened."


If you use PSN to access third-party services like Netflix, it's a bummer. On April 1, Netflix Customer Service announced that users had to agree to Sony's updated PSN terms of service, since a "PSN account is needed to use the Netflix application on the PS3." Even if you did agree, you can't watch Netflix movies on a PS3 now. I called Netflix customer service - which tried to direct me to Sony instead - but finally was told, "Since a PSN connection is required, unfortunately you can't connect to Netflix until Sony fixes it." I wonder if Sony will pay a portion of PS3-Netflix users' subscription this month?


Microsoft had previously reacted to the PSN outage by suggesting users could play on the Xbox Live network, but today Microsoft had to issue a Service Alert for Xbox Live. It states, "Users may receive potential phishing attempts via title specific messaging while playing Modern Warfare 2. We are aware of the problem and are working to resolve the issue."
 

webby

Sony Says "Welcome Back" To PlayStation Network Users With A Free Month of PlayStation Plus

The recent massive security breach of Sony’s PlayStation Network and Qriocity services likely didn’t make the company any friends (and certainly cost it a few customers.) But Sony is trying to make good with the 77 million registered users of its services, announcing at a press conference this weekend its worldwide “Welcome Back” program.

Under the program, Sony will give current PlayStation Network users a free month of PlayStation Plus, the enhanced version of PlayStation Network. Sony currently prices the service at $49 a year, and $17 for three months.

Sony will also make certain PlayStation entertainment content free to users, though said specific plans would vary by region.

Set for this week, Sony says that the restoration of its PlayStation Network and Qriocity services will come with significantly improved server security, lest a similar attack befall the services again. As a part of improvements, Sony will force customers to upgrade their PlayStation consoles to a new firmware version. Customers will also be obliged to change their passwords, a sensical move considering that their current passwords are likely in the hands of eager evil-doers.

Fortunately, Sony is repeating its claim that customer credit card information wasn’t stolen, but the company recommends that users monitor their credit card accounts anyway.
 

webby

and it gets worse

Sony -- which has kept its Sony PlayStation Network offline for nearly two weeks as it investigates a computer intrusion -- took a second gaming network offline on Monday, saying it too appears to have been hacked. It said banking and credit card information belonging to more than 23,000 customers outside the U.S. may have been compromised.

==================

Sony's Internet security crisis deepened on Monday with the company revealing hackers had stolen data of another 25 million users of its PC games system in a second massive breach for the consumer electronics giant.
Sony's latest revelation comes just a day after Sony No. 2 Kazuo Hirai announced measures had been put in place to avert another cyberattack like that which hit its PlayStation Network, hoping to repair its tarnished image and reassure customers who might be pondering a shift to Microsoft's Xbox.

The Japanese electronics company said it discovered the break-in of its Sony Online Entertainment PC games network on May 2. The breach also led to the theft of 10,700 direct debit records from customers in Austria, Germany, the Netherlands and Spain and 12,700 non-U.S. credit or debit card numbers, it said.

The PlayStation network lets video game console owners download games and play against friends. The Sony Online Entertainment network, the victim of the latest break-in, hosts games played over the Internet on PCs.
Sony said late on Monday that the names, addresses, emails, birth dates, phone numbers and other information from 24.6 million PC games customers was stolen from its servers as well as an "outdated database" from 2007.
A spokesman for the online games unit based in San Diego said the service was taken down at 1:30 am Pacific time on Monday.

Sony spokeswoman Sue Tanaka, asked about the risk other data could be at risk, listed the precautions that the company has taken such as firewalls,
"They are hackers. We don't know where they're going to attack next," Tokyo-based Tanaka said.

The PlayStation Network incident has sparked legal action and investigations by authorities in North America and Europe, home to almost 90 percent of the users of the network, which enables gamers to download software and compete with other members.

On Monday, Sony declined to testify in person in front of a U.S. congressional hearing, but agreed to respond to questions on how consumer private data is protected by businesses in a letter on Tuesday, said a spokesman for Rep. Mary Bono Mack, a Republican Congresswoman from California, who is leading the hearing.

The incident that Sony disclosed on Monday also forced it to suspend its Sony Online Entertainment games on Facebook.
Sony posted a message on Facebook saying it had to take down the games during the night.

A Sony spokesman said the Facebook games make money from microtransactions and the sale of virtual goods like costumes and weapons.
It was not immediately clear if the data theft included data from players of Sony games including "PoxNora," "Dungeon Overlord," "Wildlife Refuge" on Facebook.
Facebook could not immediately be reached for comment.

Sony Online Entertainment is a division of Sony Corp, the global electronics company that operates online games such as "EverQuest" and is separate from the PlayStation video game console division.
The servers for both the Online Entertainment unit and the PlayStation Network are based in San Diego but are completely separate, said Sony's Tanaka.
Sony denied on its official PlayStation blog on Monday that hackers had tried to sell it a list of millions of credit card numbers.

The news comes less than a week after Sony alerted customers that a hacker broke into Sony's PlayStation video game network and stole names, addresses, passwords and possibly credit card numbers of its 77 million customers.
Sony alerted customers a week after discovering the break-in.

Sony executives apologized on Sunday and said it would gradually restart the PlayStation Network with increased security and would offer some free content to users. (Additional reporting by Edwin Chan in Los Angeles and Alexei Oreskovic in San Francisco; Editing by Andre Grenon, Richard Chang and Lincoln Feast)
 

webby

==================

Hackers Bring Back PlayStation 3's OtherOS Feature


Remember when Sony removed the OtherOS feature from the PlayStation 3? Yeah, things turned pretty ugly. Sony stated that the removal was due to "security concerns" after hacker George Hotz found a way to open up the console via Linux. OtherOS was taken down with a firmware update that released on April 1, 2010. Sony was later taken to court over the matter.

Well, it appears that hackers have now found a way to bring back the OtherOS, allowing users to bring back Linux on the PS3. This version, however, is a little different -- it's been upgraded. According to hacker Graf Chokolo, "OtherOS++" "can read/write anything in PS3 RAM" and is "very useful for HV hacking".
According to Chokolo's blog:

But today, we have some very good news for you, OtherOS is finally making a comeback to our PS3 systems. The team at [website name withheld] have released a publication announcing OtherOS++, a modified firmware that brings back the OtherOS option allowing you to install Linux back into your PS3, yes, Linux on the PS3 that you own!

Many hackers have used the removal of OtherOS as an excuse to attack Sony and use the PS3 Jailbreak tool -- this includes hacking group Anonymous. Hackers will apparently be able to obtain the OtherOS++ via an unofficial firmware update.

==================
 

webby

Sony’s Response to the U.S. House of Representatives

Today, the Subcommittee on Commerce, Manufacturing and Trade of the U.S. House of Representatives Committee on Energy and Commerce held a hearing in Washington, DC on “The Threat of Data Theft to American Consumers.”
Kazuo Hirai, Chairman of the Board of Directors of Sony Computer Entertainment America, submitted written answers to questions posed by the subcommittee about the large-scale, criminal cyber-attack we have experienced. We wanted to share those answers with you (click here).
In summary, we told the subcommittee that in dealing with this cyber attack we followed four key principles:
  1. Act with care and caution.
  2. Provide relevant information to the public when it has been verified.
  3. Take responsibility for our obligations to our customers.
  4. Work with law enforcement authorities.
We also informed the subcommittee of the following:
  • Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack.
  • We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named “Anonymous” with the words “We are Legion.”
  • By April 25, forensic teams were able to confirm the scope of the personal data they believed had been taken, and could not rule out whether credit card information had been accessed. On April 26, we notified customers of those facts.
  • As of today, the major credit card companies have not reported any fraudulent transactions that they believe are the direct result of this cyber attack.
  • Protecting individuals’ personal data is the highest priority and ensuring that the Internet can be made secure for commerce is also essential. Worldwide, countries and businesses will have to come together to ensure the safety of commerce over the Internet and find ways to combat cybercrime and cyber terrorism.
  • We are taking a number of steps to prevent future breaches, including enhanced levels of data protection and encryption; enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns; additional firewalls; establishment of a new data center in an undisclosed location with increased security; and the naming of a new Chief Information Security Officer.
We told the subcommittee about our intent to offer complimentary identity theft protection to U.S. account holders and detailed the “Welcome Back” program that includes free downloads, 30 days of free membership in the PlayStation Plus premium subscription service; 30 days of free service for Music Unlimited subscribers; and extending PlayStation Plus and Music Unlimited subscriptions for the number of days services were unavailable.
We are working around the clock to have some PlayStation Network services restored and we’ll be providing specific details shortly. We hope this update is helpful to you, and we will continue to keep you posted as we work to restore our network and provide you with both the entertainment and the security you deserve.
 