Sony revealed today that nearly 100,000 PlayStation Network and Sony Online Entertainment user accounts have been compromised, as unknown attackers have tested "a massive set of sign-in IDs and passwords" against user accounts.
In a post on the official PlayStation blog, Sony's SVP and chief information security officer Philip Reitinger explained that the company has detected breaches on its Sony Entertainment, PlayStation and Sony Online Entertainment Networks.
Data from "one or more compromised lists from other companies, sites or other sources" outside of the Sony Networks was tested against hundreds of thousands of user accounts, and a total of 93,000 were compromised.
These consist of 60,000 PSN and SEN accounts, and 33,000 SOE accounts. Sony has since temporarily turned these accounts off and contacted the owners of the accounts.
Reitinger was quick to note that these compromised accounts make up only 0.1 percent of overall PSN, SEN and SOE accounts.
"Only a small fraction of these 93,000 accounts showed additional activity prior to being locked," he explained further. "We are currently reviewing those accounts for unauthorized access, and will provide more updates as we have them."
He continued, "Please note, if you have a credit card associated with your account, your credit card number is not at risk. We will work with any users whom we confirm have had unauthorized purchases made to restore amounts in the PSN/SEN or SOE wallet."
The headline is disappointing. This is as far from a "New Sony Breach" as you can possibly get. If anything, it's showing that Sony's gotten on top of their security. All of those who had their accounts locked should look at other sites that they use the same passwords on, because it's quite possible that many of them have been tried as well and probably didn't catch the problem.
The original hackers checked to see if the first set of usernames and passwords they stole were actually still active... That's what I got from this story.
How is it not a Sony problem? Most systems protect against brute force attacks by disabling login attempts for some period of time, or indefinitely, after some relatively small number of incorrect attempts. Definitely sounds like a Sony problem to me; this attack should not have worked. Well, unless 93K users had the password as "password", which I guess is possible.
Plus they probably should have monitoring software that would have noticed the attack, especially if it was coming from a limited range of IP addresses.
It sounds like that monitoring software you talked about is exactly what caught this. The login attempts weren't a bot trying different passwords with a user account; it was trying a user account name and password that the hacker had. If it didn't work they would move on to another user name and password. Most of those sites that protect against trying to log in multiple times only prevent one from using the same user name and trying different passwords. It also says that attempts were tried but not exactly successful, and probably came from other sites where people might use the same login and password.
At least Sony did their duty and protected the account info. Sad for the people who lost their accounts though. Hopefully Sony can get them back up ASAP.
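The distinction drawn in the comments above, between per-account lockout (which stops password guessing against one account) and spotting one-attempt-per-account credential stuffing by source address, as an added Python example that is not part of the article or the comment thread; the log format, IP addresses, usernames and thresholds are constructed for illustration:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not Sony's): 203.0.113.7 tries each stolen username/password
# pair once (stuffing, one pair still valid); 198.51.100.9 guesses repeatedly at one account.
SAMPLE_LOG = "\n".join(
    [f"2011-10-11T10:00:{i:02d}Z ip=203.0.113.7 user=user{i} result=fail" for i in range(8)]
    + ["2011-10-11T10:00:08Z ip=203.0.113.7 user=user8 result=ok"]
    + [f"2011-10-11T10:01:{i:02d}Z ip=198.51.100.9 user=bob result=fail" for i in range(6)])

def parse_log(text):
    """Parse 'ts ip=.. user=.. result=..' lines into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def per_account_lockout(events, threshold=5, window=timedelta(minutes=10)):
    """Classic brute-force control: lock an account after `threshold`
    failures inside `window`. Returns the set of locked usernames."""
    fails, locked = defaultdict(list), set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "fail":
            continue
        recent = [t for t in fails[ev["user"]] if ev["ts"] - t <= window]
        recent.append(ev["ts"])
        fails[ev["user"]] = recent
        if len(recent) >= threshold:
            locked.add(ev["user"])
    return locked

def stuffing_sources(events, min_accounts=5, window=timedelta(minutes=10)):
    """Credential-stuffing control: flag a source IP that touches at least
    `min_accounts` distinct usernames inside `window`, however few attempts
    each account saw. Returns {ip: usernames to lock and review}."""
    by_ip, flagged = defaultdict(list), defaultdict(set)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):  # sliding window starting at each event
            span = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in span}
            if len(users) >= min_accounts:
                flagged[ip] |= users
    return dict(flagged)
```

On the sample log the lockout rule only catches the repeated guesses against `bob`, while the per-source rule flags every account the stuffing source touched, including the one whose reused password still worked.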