PSN down

[roachcoach]

I find it hard to belive sony would store passwords in plain text on their servers.
the person writing the PR may not understand the technical terms involved.
the statment from sony doesnt detail how the information was taken.
I would like to find out more technical information about the hack.
I wonder if sony will publish the report of what the third party company found out after checking the systems.

Perhaps but in their history Sony have, if anything, been too shy about coming forward with data. For them to say passwords are compromised...well that's a massive red flag to me, it's PR's job to spin the best out of anything and for them to admit anything which is not positive is usually a pointer to VeryBadThings™. Consider any other data loss I can recall in any industry, the first thing they do (assuming it applies) is reassure everyone that the data is unusable/encrypted.

If the break in had resulted in the loss of a salted hash table, I'd be gobsmacked if it made the press release because it's not a realistic concern (if done properly). On top of that, there have been articles in the run up to this about weakness and vulnerabilities/poor practice going on at Sony, I don't have much faith in their security handling.

I agree, they are scant on the details/information but equally, they are alarmingly short of good news too. Any PR puppet worth a damn will shout an "upside"/"don't worry, nothing to fear" items of an event like this from the rooftops, they're not...so why not?

I appreciate that they may not know the scale of the intrusion and that's fine, indeed understandable, if these people were good. However, there are strong implications that the data was not encrypted/improperly stored in the communications. Were the information encrypted, even had it been broken later, I'd expect PR to say something like "Yes, there's been a theft, however all the data is encrypted at industry standard levels so the risk to consumers is minimal".

I would bet a sizable sum of money that once the dust settles we'll see Sony have either cut corners/been reckless in data security terms

[gtech]

New FAQ
http://blog.eu.playstation.com/

Q: Are you working with law enforcement on this matter?
A: Yes, we are currently working with law enforcement on this matter as well as a recognised technology security firm and local law enforcement to conduct a complete investigation. This criminal attack against our system and against our customers is a criminal act and we are proceeding aggressively to find those responsible.

Q: Was my personal data encrypted?
A: All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.

Q: Was my credit card data taken?
A: While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained. Keep in mind, however, that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system.

Q: What steps should I take at this point to help protect my personal data?
A: For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.

To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your statements.

Q: What if I don’t know which credit card I’ve got attached to my PlayStation Network account?
A: If you’ve added funds to your PlayStation Network wallet in the past, you should have received a confirmation email from “DoNotReply@ac.playstation.net” at the email address associated with your account. This email would have been sent to you immediately after you added the funds, and will contain the first four digits and last four digits of your credit card number. You can also check your previous credit card statements to determine which card was attached to your PlayStation Network or Qriocity accounts.

Q: When or how can I change my PlayStation Network password?
A: We are working on a new system software update that will require all users to change their password once PlayStation Network is restored. We will provide more details about the new update shortly.

Q: Have all PlayStation Network and Qriocity users been notified of the situation?
A: In addition to alerting the media and posting information about it on this blog, we have also been sending emails directly to all 77 million registered accounts. It takes a bit of time to send that many emails, and not every email will still be active, but this process has been underway since yesterday. At this time, the majority of emails have been sent and we anticipate that all registered accounts will have received notifications by April 28th. Consumers may also visit uk.playstation.com/psnoutage and www.qriocity.com for notices regarding this issue. In addition, we have taken steps to disseminate information regarding this issue to media outlets so that consumers are informed.

Q: What steps is Sony taking to protect my personal data in the future?
A: We’ve taken several immediate steps to add protections for your personal data. First, we temporarily turned off PlayStation Network and Qriocity services and, second, we are enhancing security and strengthening our network infrastructure. Moving forward, we are initiating several measures that will significantly enhance all aspects of PlayStation Network’s security and your personal data, including moving our network infrastructure and data center to a new, more secure location, which is already underway. We will provide additional information on these measures shortly.

Q: Has Sony identified the party or parties responsible for the PlayStation Network hack and subsequent theft of personal information?
A: We are currently conducting a thorough investigation of the situation and are working closely with a recognised technology security firm in order to find those responsible for this criminal act, no matter where in the world they might be located.

Q: When will the PlayStation Network and Qriocity be back online?
A: Our employees have been working day and night to restore operations as quickly as possible, and we expect to have some services up and running within a week from yesterday. However, we want to be very clear that we will only restore operations when we are confident that the network is secure

[Rob_B]

So...all those people saying their CC was used and explicitly stated it was due to this are perhaps talking out of their backsides (or of course it was just a coincidence considering there are 77m users!)

[Spud1]

So...all those people saying their CC was used and explicitly stated it was due to this are perhaps talking out of their backsides (or of course it was just a coincidence considering there are 77m users!)

Anyone who has explicitly stated it's because of this is yes, as we can't be certain and will never be certain..Sony would never publically admit that the numbers would have been taken. So yes it could well be a coincidence, in my case it's very odd as that Card is only ever used for a WoW subscription and for PSN..doesn't mean it IS because of the leak, but very big coincidence if not, no?

Encryption can mean a lot of things too, the telling thing will be if Sony get investigated to see /how/ the data was stored/encrypted and if it meets PCI/DSS regulations. If it doesn't, then i'd wager that the encryption is pretty worthless (although its true that you can meet the regs and stiill be insecure). CVC numbers are not required for offline transactions in the US (where my fraud happened) so the lack of those numbers doesn't mean much really.

[chuckskull]

Don't need a CVC to commit card fraud the old fashioned way(in person), not to mention chip and pin isn't universal. Although I'm sure you're right that given a sample size roughly as large the entire British population, at any given time I'm sure at least a few hundred/thousand people will be suffering from ID theft/fraud.

[roachcoach]

So...all those people saying their CC was used and explicitly stated it was due to this are perhaps talking out of their backsides (or of course it was just a coincidence considering there are 77m users!)

Could be either, there's a boatload of CC fraud kicking about and as you say, 77m is a lot of people.

The banks would be the best people to tell if there's a sudden spike.


My personal opinion is the biggest damage from this is likely to be lost passwords/security questions and people reusing them elsewhere.

[roachcoach]

http://www.youtube.com/watch?v=OEjPDHKJPXQ

They just don't get old

[OilSheikh]

http://blog.us.playstation.com/2011/...ble-this-week/

[General Frags]

http://blog.us.playstation.com/2011/...ble-this-week/

At least thats some good news, I can play killzone 3 now!

[Output]

As usernames are one of the details that were stolen, I'd hope that this would give them the excuse to finally add in functionality for people to change their PSN IDs (even if they have a charge for it like XBOX Live does, though I'd also suggest that the first one be free due to the hacking) - as PSN is down and they are rebuilding the systems, it would make sense to add it at the same time.

[OilSheikh]

First, it was 2 weeks' time, then it was 1 week's time, now it's end of May.

There's a limit to how much they can mess about with us!

[Terbinator]

It only does offline.

[PowerPie5000]

First, it was 2 weeks' time, then it was 1 week's time, now it's end of May.

There's a limit to how much they can mess about with us!

Most tech heads should know that a promise from Sony is worth less than a fart in the wind. They always make promises they can't keep and have been doing so since the PS1 was launched. I can no longer play MAG so i've mainly been gaming on my X360 and PC... Hell, even my Wii has been getting some use lately!

I've always said PSN is free for a reason (or a few reasons)...

[gtech]

I can no longer play MAG

You play MAG

[PowerPie5000]

You play MAG

And whats so funny about that? I happen to think it's quite fun to play and i'm sure it would have been a bigger hit if it was multi-platform. I also play the Battlefield series on my X360 and PC... Is that funny too? Anyway, how come you chose to play BFBC2 on a PS3 over the X360 & PC versions? I find that strange considering it's the worst version when it comes to graphics quality, framerate and the number of online payers, But i suppose it's ok if you only own a PS3 (when PSN is actually working!).

[j.o.s.h.1408]

Please dont put MAG and Battlefield in the same sentance.

Thanks