Sony PlayStation Network and Qriocity Services Hacked – 77 Million Accounts at Risk

Not one to let Epsilon or Oak Ridge National Laboratories hog the media spotlight, Sony, a seasoned expert at security blunders such as the famous Sony rootkit, has taken the spotlight for one of the biggest security breaches of all time. Hackers were able to access Sony’s network and, according to Sony (http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/), the information compromised includes “name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.”

Given the number of users who use the same password for multiple sites, I would expect there to be a ton of accounts compromised. This will go far beyond PlayStation; email and social networking accounts are likely to be compromised, and even bank accounts as well.

If you have a Sony PlayStation Network/Qriocity account you need to assume that all of the data mentioned is in the hands of the bad guys. If you use the same security questions and answers at other web sites, you need to change the answers. Take a look at http://blog.eset.com/2009/05/04/honesty-is-not-the-best-policy-for-password-resets for pointers. If you use the same password on other sites that you used on the Sony site, you need to change those passwords. Of course you will need to change your Sony password when the PlayStation Network site comes back online.

Sony has additional recommendations at http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/. One of the recommendations that bears merit is for US residents to have the major credit reporting agencies place fraud alerts on their files. Sony warns that this may make it difficult for criminals to open credit in your name, but it also may make it a bit more of a hassle for you to open new lines of credit.

I am struck by the contrast between this incident where Sony is warning people that there is a problem and the Sony rootkit fiasco where Thomas Hesse, President, Sony BMG Global Digital Business, said “Most people, I think, don't even know what a Rootkit is, so why should they care about it?” Perhaps Sony knows that most people do know what identity theft and fraud are.

If you are a security expert looking for a job, I would keep my eyes on the Sony website as clearly they have significant need for experts who understand defense in depth. Knowledge of encryption and multi-factor authentication systems will probably be desired as well.

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America

Author ESET Research, ESET

  • Voyager529

    A few thoughts…
    1.) I'd imagine that any financial institution, as a result of this development, should summarily reissue new credit cards to any accounts that were, at any point, debited for a PSN transaction…the bill going to Sony of course.
    2.) I find it interesting that Anonymous, the group notorious for being anti-Sony, is denying responsibility for this. None of the 4chan groups or scene groups have yet to claim responsibility yet. It does raise the question as to whether this was a Sony specific issue, or Sony simply happened to be the target with the best effort:reward ratio.
    3.) Given the nature of the service (PSN isn't quite the same as eTrade or something else that is more directly financial), I'd wager that multi-factor authentication might be a bit overkill. It's important, but when things get difficult the human factor comes into play, and we hear about 77 million independent stories of brute forcing dictionary terms instead of a comprehensive data theft.
    4.) If you're any good at security, I'm certain that Sony is hiring. Five days without PSN/Qriocity just as they're releasing a new tablet that prominently showcases those services tells me that heads are rolling.
     
    Joey

26 Apr 2011