PSN database with 2.2 million credit card details up for sale?

The folks over at the PSX-Scene forums are reporting that the names, addresses, phone numbers and credit/debit card information of over 2.2 million customers are up for grabs to the highest bidder, including the crucial three-digit CVV2 numbers. According to the forum post, rumors are spreading through underground trading forums and on Twitter that the database is for sale: "a large section of the PSN database containing complete personal details along...are being offer up for sale."

The post explains that the hackers allegedly attempted to sell the details to Sony for an unknown amount but failed to get a reply, so they are instead trying to sell them to anyone with enough money. Kevin Stevens, a security researcher, has been following the story and tweeted earlier, "Supposedly the hackers selling the DB says it has: fname, lnam, address, zip, country, phone, email, password, dob, ccnum, CVV2, exp date", but added that "it is not a rumor, it was a conversation on a criminal forum."

Neowin has previously reported on the PlayStation Network hack, and the latest news, if authentic, is bound to be very alarming to the millions of customers affected by the security breach. Sony confirmed the attack and the possibility of sensitive information being stolen in a blog post on its website, and urged its users to be aware of any email, telephone and postal scams that may ask for sensitive information.


99 Comments


It would be nice if Sony would call me or at least send me an e-mail. Not that I care - one can skim my card at the gas station or steal my details from the hotel statement. That's why all credit cards are insured. I pay zero excess on fraudulent transactions and so far didn't have any hassles with my bank (happened once).

Breach said,
It would be nice if Sony would call me or at least send me an e-mail. Not that I care - one can skim my card at the gas station or steal my details from the hotel statement. That's why all credit cards are insured. I pay zero excess on fraudulent transactions and so far didn't have any hassles with my bank (happened once).

Sony Europe did send out an email which claims to have come from

"PlayStation <news@emails.eu.playstation.com>"


The sending server was sonyplaystn.bounce.ed10.net apparently, so looks like they used an external mass mailing provider.


Service Update - Important information for registered users of PlayStation Network and Qriocity services

Valued PlayStation Network/Qriocity Customer:

We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:
1) Temporarily turned off PlayStation Network and Qriocity services;
2) Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
3) Quickly taken steps to enhance security and strengthen our network infrastructure by re-building our system to provide you with greater protection of your personal information.
We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, to be on the safe side we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security, tax identification or similar number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.

To protect against possible identity theft or other financial loss, we encourage you to remain vigilant to review your account statements and to monitor your credit or similar types of reports.

We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority. Please contact us at http://www.eu.playstation.com/psnoutage should you have any additional questions.

Sincerely,
Sony Network Entertainment and Sony Computer Entertainment Teams

Sony Network Entertainment Europe Limited (formerly known as PlayStation Network Europe Limited) is a subsidiary of Sony Computer Entertainment Europe Limited the data controller for PlayStation Network/Qriocity personal data


I didn't take any chances. I already canceled my debit card and got a new one. What's upsetting is that I can't watch my Hulu Plus on my Playstation. Thank God for Netflix and that it still works even with the authentication errors.

The people who may have a real headache waiting are the ones who use the same email/username + password combo on multiple sites or services with access to their cc info. The pw I use for PSN (if they have those, no authentication algorithm I've ever seen stores or sends passwords in plaintext) is different than any other service I use.

Well Sony said there was no evidence to suggest credit card numbers were taken, convenient phrasing indeed since it doesn't really state anything as fact. Either way, we'll know eventually.

Why are members on that forum not blurred out? They are just talking about it and may/may not have to do anything with it....Kinda unfair.

I'll say it again: I think you should call your credit or debit card company and get them to cancel your current number and issue you a new one. I did this and I told them why (about the Sony situation) and they knew about it and were happy to oblige.

Exactly this! I'm not exactly understanding the big deal on this. Yes, Sony should have been more careful with our information, and sure it's a hassle for us now, but you call the bank up, cancel your card (stating this debacle with Sony as the reason) and they'll send you a new one, making your card details that the hackers have meaningless.

Intrinsica said,
Exactly this! I'm not exactly understanding the big deal on this. Yes, Sony should have been more careful with our information, and sure it's a hassle for us now, but you call the bank up, cancel your card (stating this debacle with Sony as the reason) and they'll send you a new one, making your card details that the hackers have meaningless.

Even if everyone who has a PSN account calls their bank and gets a new card, the other info the crackers have is enough to cause a headache or two for anyone they decide to use in getting credit in their names.

I doubt that this is a situation where some small band of disorganised hackers obtained this data and is now trying to offload it on forums somewhere. The much more likely scenario is that hackers from organised crime groups gained access and are using the information for identity fraud.

Using biographical data to create fake identities, get loans, passports etc. is much more valuable than ripping off Joe Blow for his weekly paycheck.

this is ridiculous. so trust sony is handling this responsibly *sigh* or get your credits cards reissued and all the nightmares and time that entails.

All in all just get your CC reissued. Not that hard and you keep all your statements etc. on the new card. I just hope the hackers get caught for wasting most of our time except those kiddies that just want to play cod all day or whatnot.

This is all BS. You never had to enter CCV number. Sony has said the database was encrypted. Nobody knows anything about this except for Sony and whoever perpetrated the crime, yet everybody is an expert on speculating on what happened or is going to happen.

I blame Microsoft for hiring hackers to get PS3 users addresses so they can mail them advertisements for the Xbox.. jk lol

Probably some Xbox user made this rumor up...
They already said that CVV2 info was not stored so I don't believe this for one second...

I thought that Sony confirmed to BBC News that all credit card details were encrypted... but nothing else was. So it seems that CC numbers are safe really and this is probably fake.

Fid said,
I thought that Sony confirmed to BBC News that all credit card details were encrypted... but nothing else was. So it seems that CC numbers are safe really and this is probably fake.

If you have access to the decryption keys you can decrypt it.. And depending on what they took, they could have that too..

Ryoken said,
If you have access to the decryption keys you can decrypt it.. And depending on what they took, they could have that too..

lol, bit like leaving your keys inside your super secure ignition car. Somebody smashes in and drives away your car. What un-logical brain fart would do that now...

Sadly Sony was warned for MONTHS by the very people who broke their PS3's open, that their PSN was insecure. They didn't heed the warning. They were also running outdated Apache and Linux kernels on the servers - it was a massive mess of a network as well. If it ain't broke don't fix it...

Instead of prematurely taking it down to FIX these issues, they wait until they are sure their security is breached and they don't know how - and bring in a 3rd party company to investigate... and tell people 5 days after the fact about what truly happened and that their online community is GONE.

Good work Sony. You might as well not bother bringing the network back up and shut down the games division.

CCV2 is likely never stored so this is highly unbelievable. I did however replace my debit card that was used for PSN purchases so I'm not worried anymore. Still super annoying. The funniest thing though is I'm most annoyed because I can't spam my trophies on Facebook

This is a false rumor. Sony NEVER STORED CVV information on their servers as it's not allowed by CC companies.

The database is a lie!

k776 said,
Sony also have a privacy act stating they keep your info private. So much for that.

I'm pretty sure they never meant to get hacked... You can state as much as you want, you can't help other people breaking into your system.

Oh, no doubt. I'm not going to go sue Sony over this like some are. They should have been encrypting everything though, esp address and phone numbers!

They should have also been more up front, not taking a 'maybe, maybe not' type approach to this whole thing. They need to say what exact credit card details could have been taken, like the CVV.

Tech Star said,
This is a false rumor. Sony NEVER STORED CVV information on their servers as it's not allowed by CC companies.

The database is a lie!


I'm not so sure... Amazon never asks for my CVV number when I place an order...

Fezmid said,

I'm not so sure... Amazon never asks for my CVV number when I place an order...

They don't ask because they don't need to, the number is used for authorisation as such and is used as proof that the user has the card at the time of the purchase.

Once you've used it once on a site, you generally don't need to again because you have already authorised it with an existing purchase.
So without the CVV code theoretically they can't use it to buy anything else online, and it shouldn't be stored because it doesn't need to, but like you see all the time on the Internet, if they get into your account you've used it with then they can use your already authorised details.

At least that is how it works iirc, lol.

k776 said,
Sony also have a privacy act stating they keep your info private. So much for that.

When you learn to drive, you're agreeing to drive safely ... if you then run over a kid you didn't intend to run over, does that mean you're evil and you didn't give a crap? Of course not. Mistakes happen. Sure, it's a big mistake. But I truly believe that we're safe from having our cards charged and our identities stolen!

Absolute bull****, I can't believe this. Well, forget hanging around with my head in the sand, I just made a call to my bank and got them to send me a new card and cancel my old one. Can't believe this, I'm never trusting a Playstation Console with my CC information again.

Exactly what I did. Rumour or not, I don't want to wake up tomorrow with a maxed out card, so I've had mine reissued just in case.

The Teej said,
Absolute bull****, I can't believe this. Well, forget hanging around with my head in the sand, I just made a call to my bank and got them to send me a new card and cancel my old one. Can't believe this, I'm never trusting a Playstation Console with my CC information again.

Did the same, this upsets me so much, even though I know they won't be able to charge my card, God knows what info from me they got now, it's scary, they could use it for Identity theft etc.

But obviously, if they were able to steal the files, they were smart enough to steal the un-encryption keys that go with it, otherwise it would make their attack pointless.

Wow. If this is true, Sony is in for some major issues and it will crush their reputation. People are going to avoid their products, especially ones that deal with going on their PSN because of this. Sucks, glad I have a XBox 360.

NeoDecay said,
Wow. If this is true, Sony is in for some major issues and it will crush their reputation. People are going to avoid their products, especially ones that deal with going on their PSN because of this. Sucks, glad I have a XBox 360.

There's no reputation to crush. They have lost it like 20 years ago when they became cocky jackasses that stopped caring about the people who keep them in business, their customers. After this, I made a vow to never buy another Sony product again. I'm done with these douchebags!

NeoDecay said,
Wow. If this is true, Sony is in for some major issues and it will crush their reputation. People are going to avoid their products, especially ones that deal with going on their PSN because of this. Sucks, glad I have a XBox 360.

I'm still glad I sold my pile of crap Xbox .... and I can assure you, if people think it's been good to do this to Sony, Microsoft won't be far off this kind of attack. It's humans vs humans here. Remember, all security systems are made by humans ... humans are far from perfect. The bugs that exist in your favourite games ... they're tested for. And missed. Bugs also exist in secure systems. And yes, they're stronger and harder to break than games, but they're not perfect. Loopholes always exist. It is just a matter of how quickly you find and fix them before some d**khead hacks in.

i have a feeling the nsa/cia/interpol will find these idiots, put them in a locked room, and throw away the room. any pompous prick hack that is stupid enough to earn this much publicity for a hack is stupid enough to get caught. if caught sony will see that they burn on the stake.

Windows7even said,
i have a feeling the nsa/cia/interpol will find these idiots, put them in a locked room, and throw away the room. any pompous prick hack that is stupid enough to earn this much publicity for a hack is stupid enough to get caught. if caught sony will see that they burn on the stake.

Doubt it. *If* they even get caught, probably just get a slap on the wrist and be offered a job at Sony probably you know those hackers often get hired as "security experts" by the companies they bring down. That is my 2 cents, take with a grain of salt.

Xerxes said,
you know those hackers often get hired as "security experts" by the companies they bring down

Erm, are you serious? I very much doubt that Sony would hire anyone who was to blame for this debacle. Finding and reporting/exposing a security exploit is different to stealing users' personal information and resulting in major PSN downtime. I also doubt that Sony would be willing to let this slide if the perpetrators were ever found. Look at how they initially went after Geohot. That is my (logical) 2 cents.

Xerxes said,
Doubt it. *If* they even get caught, probably just get a slap on the wrist and be offered a job at Sony probably you know those hackers often get hired as "security experts" by the companies they bring down. That is my 2 cents, take with a grain of salt.

No. You're wrong. Sony won't touch this guy for a job. This guy will get destroyed and put in prison for years. And yes, they will catch him. It's not a small breach in some tiny company. This is like breaking into a bank. You're gonna get your ass handed.

Xeraxic said,
Encryption is too mainstream.

I feel sorry for everyone who put details on PSN.

You know, security through obscurity. Encryption is too obvious

Why would they have fname and lnam? Surely it would be fname and lname? Also I have never been on a website that stores the CVV2, I think that is even more of a concern though if Sony have!

Little things like that make me suspicious, but something is about to hit the fan if this is true.

dave164 said,
Why would they have fname and lnam? Surely it would be fname and lname? Also I have never been on a website that stores the CVV2, I think that is even more of a concern though if Sony have!

Little things like that make me suspicious, but something is about to hit the fan if this is true.

Maybe a typo.

dave164 said,
Also I have never been on a website that stores the CVV2, I think that is even more of a concern though if Sony have!

I've been to several that do..

virtorio said,
I thought they didn't store the CVV2 at all. Quite possibly fake.

True. They don't store CVV2 info. This is not likely to result in anything. And the sheer fact that if it was real, the guy is posting around. He will be caught. Whoever did this will definitely be caught and severely punished.

What makes me laugh is ... I work for a living. I earn good money but because I work my ass off. Literally I can't remember the last time I took a lunch break, had a holiday... yet these disgusting freaks of nature decide to simply try and TAKE what isn't theirs. It makes me sick that thieves exist. You want something? Work for it.

Assuming Sony still has their DB, they should contact all the Creditcard Companies with the list of their cards affected and render the whole thing useless.

Then Visa, Mastercard, whatever can do something about it, either nuking all the cards, or getting in touch with the owners to let them make the call how it happens.. ( as some people may require their CC in some form till a new one arrives )

Ryoken said,
Assuming Sony still has their DB, they should contact all the Creditcard Companies with the list of their cards affected and render the whole thing useless.

well, if anyone was on the network and they haven't cancelled that credit card yet, they're pretty stupid... Sony shouldn't have to do anything...

Buttus said,

well, if anyone was on the network and they haven't cancelled that credit card yet, they're pretty stupid... Sony shouldn't have to do anything...


Actually, what you said is pretty stupid. Sony should have everything to do with this. They should be notifying EVERY ****ing credit card company.

Ryoken said,
Assuming Sony still has their DB, they should contact all the Creditcard Companies with the list of their cards affected and render the whole thing useless.

Then Visa, Mastercard, whatever can do something about it, either nuking all the cards, or getting in touch with the owners to let them make the call how it happens.. ( as some people may require their CC in some form till a new one arrives )

A lot of places require CVV2, changing that would be a start.

ahhell said,

Actually, what you said is pretty stupid. Sony should have everything to do with this. They should be notifying EVERY ****ing credit card company.

no, because not everyone would want their card cancelled. I have a card that i only use for online stuff, and is watched closely. I would have left mine open and if something wrong showed up on it, then i would dispute it and maybe cancel it. so Sony just blindly having every card cancelled would be stupid... (besides the fact that if Sony was able to cancel them, the credit companies would just start mailing out millions of new cards to everyone?)

Buttus said,

well, if anyone was on the network and they haven't cancelled that credit card yet, they're pretty stupid... Sony shouldn't have to do anything...

1) What if you don't remember the card that was connected to the account?
2) Why should we be forced to cancel the card and go through the process of updating every system that card is used for (bills, etc)?

So we go from a rumor to "PSN database with 2.2 million credit card details up for sale". How has this been confirmed exactly?

Tom W said,
So we go from a rumor to "PSN database with 2.2 million credit card details up for sale". How has this been confirmed exactly?

No confirmation... just believin some folks post???

Tom W said,
So we go from a rumor to "PSN database with 2.2 million credit card details up for sale". How has this been confirmed exactly?

Again...this is the reoccurring problem that seems to be happening with all of these new "news reporters" on neowin as of late. They pick up on these rumors or half stories and plaster them on the front page as if they are breaking news. How about the reporters take a little extra time to flush out the facts and verify if it is true or false before putting it on the front page...just a thought.

We don't have access to the "underground" forums, did you even read the source we linked to? I'm guessing no. We only reported what was posted, we never verified or confirmed it in our post, only reported what we could find.

Tom W said,
So we go from a rumor to "PSN database with 2.2 million credit card details up for sale". How has this been confirmed exactly?

Read the frekin article.
"According to the forum post, rumors are spreading through underground trading forums and on Twitter that the database is for sale, "a large section of the PSN database containing complete personal details along...are being offer up for sale.""

Dude gtfo and off your high horse. Your negativism towards Neowin and inability to read is really showing how much of a girl you really are.

Tech Star said,

Read the frekin article.
"According to the forum post, rumors are spreading through underground trading forums and on Twitter that the database is for sale, "a large section of the PSN database containing complete personal details along...are being offer up for sale.""

Dude gtfo and off your high horse. Your negativism towards Neowin and inability to read is really showing how much of a girl you really are.

misogyny much?

BlendedFrog said,

Again...this is the reoccurring problem that seems to be happening with all of these new "news reporters" on neowin as of late. They pick up on these rumors or half stories and plaster them on the front page as if they are breaking news. How about the reporters take a little extra time to flush out the facts and verify if it is true or false before putting it on the front page...just a thought.

No, no, no, no, no. This is exactly what I want from Neowin, the latest news (confirmed or rumor, doesn't matter). Maybe it needs to be made more clear that it's a rumor on the article title - though the article body says it.

Tom W said,
So we go from a rumor to "PSN database with 2.2 million credit card details up for sale". How has this been confirmed exactly?

You are really getting annoying as of late, you act like you're someone so special but really you're not!

Tom W said,
So we go from a rumor to "PSN database with 2.2 million credit card details up for sale". How has this been confirmed exactly?

Dude, every post I see of yours now is negative. Are you trolling or what?

Lexcyn said,

Dude, every post I see of yours now is negative. Are you trolling or what?

How is that pertaining to the negative? He is merely asking a question even though he didn't thoroughly read the article in length.

CoLdFuSi0n said,

You are really getting annoying as of late, you act like you're someone so special but really you're not!


So as Morisato points out, I ask a simple question and get a couple of subscribers throwing out insults, sounds reasonable. Clearly the title was off as it has now been corrected slightly to include a question mark. I need read the full article, I was merely pointing out the title mistake.

Xxgreatestever said,
That is utterly disgusting. Wow Sony. Never will I buy a product from your company especially a Playstation

Like Sony can really help it. You find a way into everything as long as you try long enough. I have a hard time believing Sony's servers were insecure, it's more likely that there are just some really, really good people who did this, and that it just took them really, really long.

Xxgreatestever said,
That is utterly disgusting. Wow Sony. Never will I buy a product from your company especially a Playstation

this whole thing could be a fake. hacker just wanted attention.

Ambroos said,

Like Sony can really help it. You find a way into everything as long as you try long enough. I have a hard time believing Sony's servers were insecure, it's more likely that there are just some really, really good people who did this, and that it just took them really, really long.

But it's the idea that they don't have anything to say to the public. I mean what if I had a CC stolen and tomorrow I wake up to find that I have a huge debt. I don't appreciate people commenting on Twitter about stolen CC's and Sony FAILING to respond to them, then ultimately not responding immediately to us so we can do something about it.

Ambroos said,

Like Sony can really help it. You find a way into everything as long as you try long enough. I have a hard time believing Sony's servers were insecure, it's more likely that there are just some really, really good people who did this, and that it just took them really, really long.

Ahh yeah, it's not like it's Sony's duty to encrypt data. Nahh, a plain text file is fine.

Ambroos said,

Like Sony can really help it. You find a way into everything as long as you try long enough. I have a hard time believing Sony's servers were insecure, it's more likely that there are just some really, really good people who did this, and that it just took them really, really long.

With them shutting down for 8+ days now, I have a hard time believing their servers were secure at all. If it was a one time breach, things would be up by now with one big apology, I bet their system had been breached and hackers utilized their system to their advantage and it was only noticed last week.

Xxgreatestever said,
That is utterly disgusting. Wow Sony. Never will I buy a product from your company especially a Playstation

Oh you're a smart one. You're acting like Sony bent over and let them take whatever and do whatever they wanted. The hackers HACKED the servers, took down everything, and STOLE the information. Sony's security was broken into.

You're also acting like this is the only company this has happened to. Plenty of other companies this has happened to.

Tech Star said,

Oh you're a smart one. You're acting like Sony bent over and let them take whatever and do whatever they wanted. The hackers HACKED the servers, took down everything, and STOLE the information. Sony's security was broken into.

You're also acting like this is the only company this has happened to. Plenty of other companies this has happened to.

For the credit card number what about some proper hash encryption. How would they be able to get all of these details then? I'm acting this way because Sony's Playstation is huge, what is to say this won't happen again?

Xeraxic said,
Ahh yeah, it's not like it's Sony's duty to encrypt data. Nahh, a plain text file is fine.

They said that the CC data was encrypted and that I guess name/address stuff wasn't.

Xxgreatestever said,
That is utterly disgusting. Wow Sony. Never will I buy a product from your company especially a Playstation

Yes, because Sony totally voluntarily gave this stuff to some random hacker, right?

I don't understand what is so outrageous with not wanting to buy products from Sony after all this. I don't think you guys understand the gravity of what has happened. People's lives could possibly be ruined because of this. Identity theft is a huge deal for the average Joe. Further, we're not just talking about a few hundred or thousands or hundreds of thousands. We're talking about millions of people's financial future at risk.

Is it reasonable to be cautious? Absolutely.

Xeraxic said,
Ahh yeah, it's not like it's Sony's duty to encrypt data. Nahh, a plain text file is fine.

Apparently you never bothered to read the latest psn blog and just assumed what everyone else assumes these days. Typical.

Morisato said,

Apparently you never bothered to read the latest psn blog and just assumed what everyone else assumes these days. Typical.

Yeah, see that's what makes this bad. A typical user who plays for casual gaming isn't going to go around and read PSN blogs etc. Sony should come up with a better way of getting information to people. Maybe have a global message up at the top letting users know about this problem? Remember that not all people understand/know what's going on.

Xenosion said,
I don't understand what is so outrageous with not wanting to buy products from Sony after all this. I don't think you guys understand the gravity of what has happened. People's lives could possibly be ruined because of this. Identity theft is a huge deal for the average Joe. Further, we're not just talking about a few hundred or thousands or hundreds of thousands. We're talking about millions of people's financial future at risk.

Is it reasonable to be cautious? Absolutely.

100% correct. Once your account has been compromised, the CC company has to send you a new CC, you sometimes have to fill forms up etc and people don't like to do this especially when all they wanted to do was maybe purchase a game or a movie from the network.

LiquidSolstice said,

Yes, because Sony totally voluntarily gave this stuff to some random hacker, right?

This is the biggest hack in the history of the Internet and you can say Sony voluntarily gave this stuff to the hackers. They fail to secure personal data of 77M users. The breach took place on April 14, it took Sony 7 days to find it and shut down PSN on April 23, another week has passed and still Sony didn't come forward with explanations about what really happened.

Xxgreatestever said,

For the credit card number what about some proper hash encryption. How would they be able to get all of these details then? I'm acting this way because Sony's PlayStation is huge, what is to say this won't happen again?

Like with all encryption you have a system to encrypt it, and one to decrypt it. Sure you can say you will never know the password, but is it really necessary to do so? Looking to Windows 7 BitLocker. How can such a system know within seconds that I've used the correct password? Because my password is saved somewhere on the hard drive? Because it uses my filled in password to check with a file or something to see if it's readable or not? Abusing THAT system to check if a password is correct sounds to me like an easy way to encrypt any stuff. This hacker probably learned how the system worked, and found that little system and used it to decrypt all info....


For you I agree with the question, will it ever happen again? I guess it will, and I'm sure the risk is higher when using Sony products compared to (here I go again) Microsoft products. But even I am considering the removal of my cc info on Xbox just to be sure. So even on Xbox, I'm scared because of this attack...

Peter van Dam said,

Like with all encryption you have a system to encrypt it, and one to decrypt it. Sure you can say you will never know the password, but is it really necessary to do so? Looking to Windows 7 BitLocker. How can such a system know within seconds that I've used the correct password? Because my password is saved somewhere on the hard drive? Because it uses my filled in password to check with a file or something to see if it's readable or not? Abusing THAT system to check if a password is correct sounds to me like an easy way to encrypt any stuff. This hacker probably learned how the system worked, and found that little system and used it to decrypt all info....


For you I agree with the question, will it ever happen again? I guess it will, and I'm sure the risk is higher when using Sony products compared to (here I go again) Microsoft products. But even I am considering the removal of my cc info on Xbox just to be sure. So even on Xbox, I'm scared because of this attack...

You have no clue how BitLocker works, do you?

Kosh Naranek said,

You have no clue how BitLocker works, do you?

No.... I'm no security expert, so I don't know how such a thing exactly works. But it was a feeling I've had. In my opinion, if a program can know an inserted password is the correct one, there is something it does so it can see it's right. I don't know how such a thing is done, but the program is doing it. So with that program being able to do it, it can be abused at some part. I mean, if that program says, read file abc.dll in folder /hidden, replace a with z, d with y, the abuser can use this to calculate the encrypted file and decrypt it.

But again, I can be completely wrong, but hopefully this clarifies my opinion.

alexalex said,

This is the biggest hack in the history of the Internet and you can say Sony voluntarily gave this stuff to the hackers. They failed to secure personal data of 77M users. The breach took place on April 14, it took Sony 7 days to find it and shut down PSN on April 23, another week has passed and still Sony didn't come forward with explanations about what really happened.

The rumours suggest this was a PHYSICAL breach. The intruder used direct access to the servers. The whole PSN platform has been moved to a new location.

Peter van Dam said,

No.... I'm no security expert, so I don't know how such a thing exactly works. But it was a feeling I've had. In my opinion, if a program can know an inserted password is the correct one, there is something it does so it can see it's right. I don't know how such a thing is done, but the program is doing it. So with that program being able to do it, it can be abused at some part. I mean, if that program says, read file abc.dll in folder /hidden, replace a with z, d with y, the abuser can use this to calculate the encrypted file and decrypt it.

But again, I can be completely wrong, but hopefully this clarifies my opinion.

Encryption is done with a one-way function (that means you can go from a -> b but not from b -> a, where a is the original pass and b the encrypted value). What programs do to understand that your pass is correct is to apply that function every time you enter your password. So if you enter a then f(a) = b. Then it checks with the one it has stored on your HD.

A simplified way to explain it, just to show that your computer only reads the stored pass for comparison reasons and doesn't manipulate it in some way to get back to the original one.
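
The check described in the comment above (apply f to the entered password, then compare with the stored value), as an added example that is not part of the thread or any commenter's code. It uses PBKDF2-HMAC-SHA256 from Python's standard library as the one-way function; the record format, iteration count and function names are assumptions of this example, and it says nothing about how PSN or BitLocker actually store credentials.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example; tune to your hardware


def unsalted_hash(password: str) -> str:
    """Weak form: f(a) = SHA-256(a). The same password always yields the same stored value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def enroll(password: str) -> str:
    """Build the record written to disk. The password itself is never stored."""
    salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(record: str, attempt: str) -> bool:
    """Recompute f(attempt) with the stored salt and compare; nothing is decrypted."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        rounds = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed or truncated record: reject instead of crashing
    if scheme != "pbkdf2_sha256" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    record = enroll("correct horse")
    print("stored record:", record)
    print("right password:", verify(record, "correct horse"))
    print("wrong password:", verify(record, "Correct horse"))
    # Two accounts with the same password: identical unsalted hashes, different salted records.
    print("unsalted equal:", unsalted_hash("hunter2") == unsalted_hash("hunter2"))
    print("salted equal:  ", enroll("hunter2") == enroll("hunter2"))
```

The per-account salt is why two users with the same password end up with different stored records, while the unsalted form stores identical values for both.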