Playstation Network hit with another attack

Six months after an attack that targeted Sony's Playstation Network, Sony has admitted that yet another attack has occurred on PSN's servers. In a post on the official Playstation blog, Philip Reitinger, the newly appointed Chief Information Security Officer for Sony, stated, "... we have detected attempts on Sony Entertainment Network, PlayStation Network and Sony Online Entertainment ("Networks") services to test a massive set of sign-in IDs and passwords against our network database."

He adds that "approximately 93,000 accounts globally" actually had valid sign-in IDs and passwords generated as a result of this new attack. This amount is less than one tenth of one percent of all people who are registered for Sony's gaming networks. Reitinger said, "... we have temporarily locked these accounts. Only a small fraction of these 93,000 accounts showed additional activity prior to being locked." No credit card info was taken as a result of this attack, according to Reitinger.

He also said, "As a preventative measure, we are requiring secure password resets for those PSN/SEN accounts that had both a sign-in ID and password match through this attempt." He adds, "Similarly, the SOE accounts that were matched have been temporarily turned off. If you are among the small group of affected SOE customers, you will receive an email from us at the address associated with your account that will advise you on next steps in order to validate your account credentials and have your account turned back on."

Neowin reader SMELTN received an email because one of his accounts was used in the attack. The email is reproduced below:

We are writing to let you know that we have detected an unauthorized attempt to verify the validity of your Sony Online Entertainment ("SOE") Station Account name and password. We believe there was an attempt to use a scripted application of a large set of sign-in IDs and passwords against our network database. This attempt appears to include a large amount of data obtained from one or more compromised ID and password lists obtained from other companies, sites or other sources. To protect you, we have locked your Station Account. To reopen the account, please contact SOE customer service at 1 (858) 537-0898 to verify your identity. We will walk you through the password reset process then. Please note that your credit card number is NOT at risk. As a precaution, please review your account for unusual activity and please contact us at 1 (858) 537-0898; we will work with any users with whom we confirm have had unauthorized purchases with account wallet funds, and restore those funds. We want to take this opportunity to remind our consumers about the increasingly common threat of account theft, as well as the importance of having a strong password and having a username/password combination that is not associated with other online services or sites. We advise you to create a new password that is strong, consisting of a combination of numbers, letters and special characters or symbols. Thank you, Sony Online Entertainment

In April, Sony revealed that a massive attack on the Playstation Network exposed the personal info on tens of millions of Playstation Network users. The company shut down the servers for weeks in an attempt to improve the security on those servers. The network was fully restored in all parts of the world by July. In late August, Sony's CEO Howard Stringer told an audience at a press event in Berlin that, "... the PSN is more secure and better than ever."
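The pattern Reitinger describes, a large list of leaked ID/password pairs replayed by a script against the sign-in service, is commonly called credential stuffing, and the response in the blog post (detect the burst, lock the accounts whose credentials matched, force a password reset) can be shown in code. The following Python is an added example written for this page, not Sony's code; the log format, the thresholds and the sample log lines are all constructed for illustration.

```python
"""Spot a credential-stuffing burst in authentication logs and decide which
accounts to lock.  Added example; the log format, thresholds and sample lines
are constructed, not taken from any real system."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <source_ip> <account> <OK|FAIL>".
# 203.0.113.7 replays ten different accounts in four seconds and hits two;
# 198.51.100.4 is one user mistyping a password once; 192.0.2.9 is normal.
SAMPLE_LOG = """\
2011-10-11T02:00:01 203.0.113.7 alice@example.com FAIL
2011-10-11T02:00:01 203.0.113.7 bob@example.com FAIL
2011-10-11T02:00:02 203.0.113.7 carol@example.com OK
2011-10-11T02:00:02 203.0.113.7 dave@example.com FAIL
2011-10-11T02:00:03 203.0.113.7 erin@example.com FAIL
2011-10-11T02:00:03 203.0.113.7 frank@example.com OK
2011-10-11T02:00:04 203.0.113.7 grace@example.com FAIL
2011-10-11T02:00:04 203.0.113.7 heidi@example.com FAIL
2011-10-11T02:00:05 203.0.113.7 ivan@example.com FAIL
2011-10-11T02:00:05 203.0.113.7 judy@example.com FAIL
2011-10-11T02:05:00 198.51.100.4 alice@example.com FAIL
2011-10-11T02:05:09 198.51.100.4 alice@example.com OK
2011-10-11T03:30:00 192.0.2.9 carol@example.com OK
"""


@dataclass
class AuthEvent:
    ts: datetime
    source_ip: str
    account: str
    success: bool


def parse_log(text):
    """Parse the constructed log format into AuthEvent objects; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, account, result = parts
        events.append(AuthEvent(datetime.fromisoformat(ts), ip, account, result == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(seconds=60),
                          min_accounts=8, min_fail_ratio=0.7):
    """Return {source_ip: set of accounts that logged in successfully during a flagged burst}.

    A source is flagged when, inside any sliding window, it tries at least
    `min_accounts` distinct accounts and most of those tries fail.  A classic
    per-account lockout never fires here, because each account sees only one
    attempt; the signature lives in the per-source volume and failure ratio.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.source_ip].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        j = 0
        for i in range(len(evs)):
            # Advance j to the first event outside the window starting at evs[i].
            while j < len(evs) and evs[j].ts - evs[i].ts <= window:
                j += 1
            win = evs[i:j]
            distinct = {e.account for e in win}
            fails = sum(1 for e in win if not e.success)
            if len(distinct) >= min_accounts and fails / len(win) >= min_fail_ratio:
                hits.setdefault(ip, set()).update(e.account for e in win if e.success)
    return hits


def accounts_to_lock(log_text):
    """Accounts whose credentials were confirmed by a flagged source.

    These are the ones to lock and put through a forced password reset, which
    is the response described in the article; the failed guesses need nothing.
    """
    hits = find_stuffing_sources(parse_log(log_text))
    return sorted(set().union(*hits.values())) if hits else []


if __name__ == "__main__":
    for acct in accounts_to_lock(SAMPLE_LOG):
        print("lock + force password reset:", acct)
```

The thresholds are deliberately coarse; in practice the window, the distinct-account count and the failure ratio are tuned against the service's own baseline, and the same logic is applied per source network or per user-agent as well as per IP, since a replay spread over many addresses will not trip a single-IP counter.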


It appears that many of the people commenting on this article are not familiar with credential redundancy. Many internet users re-use passwords for various services. This password redundancy creates a security flaw for many users. There are many sites that require an e-mail address in order to log in. If a larger website's security was breached and that website made use of e-mail log-in credentials, the assailant now has more than a handful of e-mail addresses and passwords that could be used for other services due to the flaws of credential redundancy.

With such a large database comparison being used, the odds are that some will match up. Approximately ninety-three thousand accounts had both a valid username and a valid password; however, this is a rather small amount in comparison to the number of (not necessarily active) Playstation Network accounts. This sort of attack could have happened to any service, it just happens to be Sony playing victim in this case.

I thought they said no user data had been stolen and that the account information had been from a third party.

Which, from my perspective, raises the question of why a third party has login information for users.

littleneutrino said,
I thought they said no user data had been stolen and that the account information had been from a third party.

Which, from my perspective, raises the question of why a third party has login information for users.

Most of the login attempts were incorrect. So pretty much, it looks as if those that were successful in logging in were successful because the account email and password were the same as wherever the data was originally compromised.

People are making this out to be a much bigger deal than it really is. This was not a database compromise like six months ago, and Sony dealt with the issue by locking the accounts, the appropriate response in this case.

Edit: this comment system hates em dashes and truncates them and anything beyond

(Spork) said,
this is why my ps3 is only my blueray player now

So you don't play offline games because the online service is not secure?

This is something that could happen to any online service. Sony has been transparent in revealing the attack. You can't blame Sony for the hackers out there attempting to login to accounts that are not using secure passwords. Sony took appropriate actions after successfully detecting the attack. What more can you ask for?

Yes - Sony had a fault earlier this year and an outage that was just unheard of but just seeing this story makes me feel better knowing that if attempts were made on my account it would automatically be locked and I would be requested to change my password to something more secure. Good for Sony.

To those who say "This is why I'll never get a PS3" - that's just stupid. You didn't get one either because A) you can't afford it, or B) you're a fanboy of another product (XBOX, Wii, etc.).

I haven't touched my PlayStation account since the last time. The credit card I used for it expired, so my info is useless to them.

What I do know is I'm getting rid of my PS3 this weekend. Gonna trade it in at Best Buy and use the credit to buy a standalone Blu-Ray player.

Voice of Buddy Christ said,
I haven't touched my PlayStation account since the last time. The credit card I used for it expired, so my info is useless to them.

What I do know is I'm getting rid of my PS3 this weekend. Gonna trade it in at Best Buy and use the credit to buy a standalone Blu-Ray player.

They didn't take any info, and if you haven't signed into your PSN account from your PS3 or emailed to reset it, then your account is in limbo and can't be used.

Don't be too quick to think the info is useless because the CC expired.

When my Xbox RRoDed, I did not bother cancelling my Live account because the CC was expired.

Guess what? The account renewed automatically even though the CC was expired. Had to make some phone calls to get my money back.

Twisp said,
"...it is likely the data came from another source and not from our Networks"

I love how they use words like "likely" AKA, "we have no idea".

He adds that "approximately 93,000 accounts globally" actually had valid sign-in IDs
------------
You can't blame Sony for insecure passwords or people using the same password for their email address and other online services.

This happens all the time in WoW for people not having an authenticator.

Sony did what Blizzard does. Locking the account.

I'm surprised they actually did a PR for this. If Blizzard would do a PR every time an account is compromised they would do one every day.

I love it when people can't read... nothing to do with Sony's security, if anything, their security is working well since they caught this mass login attempt. Why oh why is it so disabling for some people to take 1 minute to read?

Audioboxer said,
I love it when people can't read... nothing to do with Sony's security, if anything, their security is working well since they caught this mass login attempt. Why oh why is it so disabling for some people to take 1 minute to read?

I think purely because it doesn't say anything like 'attempted attack' or anything like that.

Audioboxer said,
I love it when people can't read... nothing to do with Sony's security, if anything, their security is working well since they caught this mass login attempt. Why oh why is it so disabling for some people to take 1 minute to read?

It didn't work; they only discovered it AFTER the infiltration was successful. The fact that they are offering to reimburse anyone affected shows they really have no idea what damage this may have done or what the extent of the infiltration is.

Audioboxer said,
I love it when people can't read... nothing to do with Sony's security, if anything, their security is working well since they caught this mass login attempt. Why oh why is it so disabling for some people to take 1 minute to read?

At Neowin, when you put Apple or Sony in the headline, the trolls come in droves. Anyone that actually read the piece would know that this had nothing to do with Sony's security, but it seems to be data mined from other sources.

NeoTrunks said,

At Neowin, when you put Apple or Sony in the headline, the trolls come in droves. Anyone that actually read the piece would know that this had nothing to do with Sony's security, but it seems to be data mined from other sources.

It's hard to know where the attacker got the info.

When my WoW account was hacked, people said it was because of a keylogger or because I was using the same pwd for WoW and the mail account tied to it.

The fact is I had no virus or keylogger on my computer. Ran MSE and Bitdefender and could not find anything. Did not have any suspicious service running in the background either. And the pwd used for my WoW account was unique and made of 4 random letters and 4 random numbers (I'm good at memorizing things like phone numbers and pwds).

WoW accounts and Guild Wars accounts get hacked all the time. Hacked is not even a good word imo. Compromised would be a better word imo.

Things like that happen all the time. My iTunes account was locked last week because of a potential attack (anyway, this is what the msg was saying). I changed my pwd and if there are unwanted transactions on my CC I'll just call and get them cancelled.

Not worthy of a PR. But nice from Sony to do it anyway.

LaP said,

It's hard to know where the attacker got the info.

When my WoW account was hacked, people said it was because of a keylogger or because I was using the same pwd for WoW and the mail account tied to it.

The fact is I had no virus or keylogger on my computer. Ran MSE and Bitdefender and could not find anything. Did not have any suspicious service running in the background either. And the pwd used for my WoW account was unique and made of 4 random letters and 4 random numbers (I'm good at memorizing things like phone numbers and pwds).

WoW accounts and Guild Wars accounts get hacked all the time. Hacked is not even a good word imo. Compromised would be a better word imo.

Things like that happen all the time. My iTunes account was locked last week because of a potential attack (anyway, this is what the msg was saying). I changed my pwd and if there are unwanted transactions on my CC I'll just call and get them cancelled.

Not worthy of a PR. But nice from Sony to do it anyway.

It's been a long time since I've played WoW, but do they lock out your account after many failed login attempts? If they don't, the people that got in were probably using brute force attempts with some tool they wrote.

EDIT: I see from your post below that they do lock the accounts.

singularity0821 said,
Well, it doesn't sound like it's Sony's fault this time.

How exactly is this NOT Sony's fault????? Are they NOT responsible for protecting users' data??

ahhell said,

How exactly is this NOT Sony's fault????? Are they NOT responsible for protecting users' data??

"...it is likely the data came from another source and not from our Networks"

ahhell said,

How exactly is this NOT Sony's fault????? Are they NOT responsible for protecting users' data??

They did protect users' data; they locked all the accounts that were tried using emails/passwords that had been obtained elsewhere.

Twisp said,

"...it is likely the data came from another source and not from our Networks"

Yeah, but who other than Sony would even HAVE that many SONY logins? It defies logic. It's clear that this data originated from Sony. That's who you give your username and password to, that's who has that information, that's where hackers GET that information... There's really no mysticism about it...

M_Lyons10 said,

Yeah, but who other than Sony would even HAVE that many SONY logins? It defies logic. It's clear that this data originated from Sony. That's who you give your username and password to, that's who has that information, that's where hackers GET that information... There's really no mysticism about it...

As I've stated elsewhere, if you were keeping track of all the details you'd recall that PSN accounts underwent a mandatory password reset when the service was restored and that this information, according to Sony's lengthy explanation, was categorically NOT stored as plain text unencrypted data.

Learn from this, people! Don't use the same user ID/password combos on every site you use.
Sony could do a 2-factor login for PSN just like you can with Gmail.
Have an app on your smartphone or PC that generates a 6-digit code before you can get logged on. This will stop the scripted login attempts from getting into an account.

xSuRgEx said,
Learn from this, people! Don't use the same user ID/password combos on every site you use.
Sony could do a 2-factor login for PSN just like you can with Gmail.
Have an app on your smartphone or PC that generates a 6-digit code before you can get logged on. This will stop the scripted login attempts from getting into an account.

Good idea. Though I think you lost Sony's Security big wig at "password"...

xSuRgEx said,
Learn from this, people! Don't use the same user ID/password combos on every site you use.
Sony could do a 2-factor login for PSN just like you can with Gmail.
Have an app on your smartphone or PC that generates a 6-digit code before you can get logged on. This will stop the scripted login attempts from getting into an account.

Doesn't help when you store the passwords in open text.

Tom said,
And this is why I don't have a PS3.

Really?
That is all you could come up with? Come on, seriously, this type of attack can be used against any website/online service. Let's hope it's not used against Neowin.

Tom said,
And this is why I don't have a PS3.

Just because you have a PS3 doesn't mean you need to have a PSN account.

Tom said,
And this is why I don't have a PS3.

Really? Is it really? Thank you SO much for sharing this pointless fact with everyone. No, seriously, thank you. I feel like I can continue my day a happier person just knowing that you do not have a Playstation 3.

THANK YOU. REALLY.

Tom said,
And this is why I don't have a PS3.

So... When you decided to buy a console, you said: "Oh, I'd better get an Xbox because Sony gets hacked."

Right? Also, when you got the console, seriously, did you know anything about those attacks? You bought it yesterday, for instance?

AFineFrenzy said,

Really? Is it really? Thank you SO much for sharing this pointless fact with everyone. No, seriously, thank you. I feel like I can continue my day a happier person just knowing that you do not have a Playstation 3.

THANK YOU. REALLY.

Nice Troll attempt.

I know others who have also ditched their PS3 because of security.

AFineFrenzy said,

Really? Is it really? Thank you SO much for sharing this pointless fact with everyone. No, seriously, thank you. I feel like I can continue my day a happier person just knowing that you do not have a Playstation 3.

THANK YOU. REALLY.

No need for immature comments like this. We can all be adults... Or at least strive to be...

Tom said,
And this is why I don't have a PS3.

You don't have a PS3 because Sony's security is working as it should; good logical argument there.

Tha Bloo Monkee said,

want a cookie?
you think no one ditched their 360s for red ring problems?

Hmmmm broken console or stolen identity???? Almost a good comparison, FAIL.

Corris said,

You don't have a PS3 because Sonys security is working as it should, good logical argument there.

Oh yeah, it's working splendidly. I'm sure all those user names and passwords were "guesses"...

SCRISP said,

Nice Troll attempt.

I know others who have also ditched their PS3 because of security.

As usual in such cases, everyone always "knows others" but never the same guy who replies. Interesting.

Also, it's different to say "I left PS due to its security problems, afterwards" than "I didn't buy a PS 2 years ago because I somehow knew that in the future the company's problems would be revealed".

Edited by PC EliTiST, Oct 12 2011, 9:31pm:

vip said,
This is getting a bit ridiculous now ...

It's been beyond ridiculous for quite some time. Clearly Sony is a company that knows absolutely nothing about security...

M_Lyons10 said,

It's been beyond ridiculous for quite some time. Clearly Sony is a company that knows absolutely nothing about security...

So many companies got attacked by hackers recently. I don't think Sony getting hacked is anything special....

tanjiajun_34 said,
So many companies got attacked by hackers recently. I don't think Sony getting hacked is anything special....

Who else had their entire network taken down for MONTHS? Then instituted "amazing" security only to have it hacked repeatedly since? Who saw just about every one of their sites hacked? Sony is hardly "just another company that was hacked recently"...

And it's (In my opinion) made more offensive by Sony's utter lack of doing anything about it. It really shows how little experience they have in this industry. They clearly don't understand security, they CAN'T secure anything. So, they really need to rethink things I think. I know that I personally would never trust Sony with my personal information, and am glad that when I had a PS3 briefly, that I didn't provide them with any of that information.

tanjiajun_34 said,
So many companies got attacked by hackers recently. I don't think Sony getting hacked is anything special....
Why not keep less information then? Credit card details? Addresses? Breast size?
I am sure Sony (and any other major company) would be fine with 50% of the information in their systems, but not once do they consider cutting it to minimize the severity of attacks.

SHADOW-XIII said,
Why not keep less information then? Credit card details? Addresses? Breast size?
I am sure Sony (and any other major company) would be fine with 50% of the information in their systems, but not once do they consider cutting it to minimize the severity of attacks.

Correct; the guiding principle of Data Protection in the UK is to carry only the information you actually require, for as little time as possible.

vip said,
This is getting a bit ridiculous now ...

No it's not. It's just that since the first real major outage, every little problem is given a headline and suckers blindly fall for it every time.

M_Lyons10 said,

Who else had their entire network taken down for MONTHS? Then instituted "amazing" security only to have it hacked repeatedly since? Who saw just about every one of their sites hacked? Sony is hardly "just another company that was hacked recently"...

And it's (In my opinion) made more offensive by Sony's utter lack of doing anything about it. It really shows how little experience they have in this industry. They clearly don't understand security, they CAN'T secure anything. So, they really need to rethink things I think. I know that I personally would never trust Sony with my personal information, and am glad that when I had a PS3 briefly, that I didn't provide them with any of that information.

Other Sony sites had the same flaw so that's why they were taken down too. Also read about the reason why PSN was down for a month. It seems you have a habit of not reading articles which you did as well in this case. If you read this article it states that the data has come from outside their Network.

Sony has just become the main attraction for hackers. That's why it gets hacked more. It doesn't have to do with security; if they really want to break in, they can anywhere.

Did you guys even read?

This wasn't an attack, nothing was taken, it was just a large attempt to log into PSN accounts with emails/passwords they had gotten elsewhere.
When Sony detected it they locked them all, their security is working fine.

Way to jump on the bandwagon.

Corris said,
Did you guys even read?

This wasn't an attack, nothing was taken, it was just a large attempt to log into PSN accounts with emails/passwords they had gotten elsewhere.
When Sony detected it they locked them all, their security is working fine.

Way to jump on the bandwagon.

That is known as an attack, FYI. They claim no credit card info was lost but then immediately follow that up with claims they will reimburse anyone affected, so in reality they have no idea what was lost or the extent of the intrusion.

Anooxy said,

Other Sony sites had the same flaw so that's why they were taken down too. Also read about the reason why PSN was down for a month. It seems you have a habit of not reading articles which you did as well in this case. If you read this article it states that the data has come from outside their Network.

Sony has just become the main attraction for hackers. That's why it gets hacked more. Doesn't have to do with security, if they really want to break, they can everywhere.

Actually, if you read it carefully you will note that Sony claims that the ID and PW were obtained somewhere else; now I wonder what this cryptic statement really means. If I sign up with Hotmail and hackers obtain my data, I would hold MS accountable for it; I signed up with them, and if they gave or stored my credentials somewhere else it would not be my problem. It is also very suspicious that Sony claims that no CC data has been obtained but then also adds that Sony will refund any fraudulent charge. If credit cards were not compromised and they were absolutely sure about it, why bring it up at all?

Rooster69 said,

That is known as an attack, FYI. They claim no credit card info was lost but then immediately follow that up with claims they will reimburse anyone affected, so in reality they have no idea what was lost or the extent of the intrusion.

Exactly. I think other people need to learn how to read. And alright, this was a login attempt. Gee, I wonder where they got all of these user names and passwords?? Well, I know "Sony" has them... Hm... Should anyone else have that many SONY logins? I'd wager NO...

Good grief, I shouldn't have to connect the dots... LOL

Corris said,
Did you guys even read?

This wasn't an attack, nothing was taken, it was just a large attempt to log into PSN accounts with emails/passwords they had gotten elsewhere.
When Sony detected it they locked them all, their security is working fine.

Way to jump on the bandwagon.

+1

M_Lyons10 said,

Exactly. I think other people need to learn how to read. And alright, this was a login attempt. Gee, I wonder where they got all of these user names and passwords?? Well, I know "Sony" has them... Hm... Should anyone else have that many SONY logins? I'd wager NO...

Good grief, I shouldn't have to connect the dots... LOL


I think you should read things and think before saying anything.
Is this an attack? Yeah, sort of. But it's not a security flaw. Other sites/services have your Sign-In ID / Passwords. That's because there are tons of services that you can link your PSN account to, like PSN cards for forums, other networks like Playfire and Raptr, and I'm sure most ppl use the same e-mail they use as sign-in ID for other online services. It's easier this way, so ppl do that.
And if they said they would refund if anything happens, it's because some ppl save the CC data on the account (I do), and some ppl may have some credit already in the wallet that may be used by the intruder.
I agree with Corris when he asked if you guys even read the article. But I ask you one more question: Did you guys even think before writing?

M_Lyons10 said,

Exactly. I think other people need to learn how to read. And alright, this was a login attempt. Gee, I wonder where they got all of these user names and passwords?? Well, I know "Sony" has them... Hm... Should anyone else have that many SONY logins? I'd wager NO...

Good grief, I shouldn't have to connect the dots... LOL

I'm not entirely clear on what you're attempting to insinuate with your latest comment.

It's worth bearing in mind that much of the data *claimed* compromised in the media's sensationalist furore of the attack earlier this year has come to nothing. Details were not stored in plain text files (anonymous IRC logs posted anonymously on Pastebin is hardly a reliable source of information), or that credit card details were compromised to the degree carelessly scaremongered by internet journalists. Such falsehoods are STILL paraded around comment sections and salaciously 'ROFL'd at by those that prefer the fabrication to the facts.

Aside from that, it's worth remembering that PSN accounts, once the service was restored, underwent a mandatory password reset. So if any of the stolen, hashed data was unencrypted to yield login information, it would be worthless.

Unless, of course, users went off and deliberately changed the passwords again to what they were before the mandatory password reset. Which is pretty dumb. But then people can be pretty dumb.