Sony warned today that intruders had broken into its PlayStation online game network, a breach that may have jeopardized the user names, addresses, passwords and credit card information of up to 70 million customers.
In a post to the company’s PlayStation blog, Sony spokesman Patrick Seybold said the breach occurred between April 17 and April 19, and that user information on some PlayStation Network and Qriocity music streaming accounts was compromised. The company said it had engaged an outside security firm to investigate what happened, that it was rebuilding its system to better secure account information, and that it would soon begin notifying customers about the incident by email.
From that blog post:
“Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
“For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.”
In short, if you have a PlayStation account, your name, address, email, birthday, user name and password have been compromised, and if you gave Sony a credit card number to fund your account, that number and the card’s expiration date may also have been taken (Sony says no card security codes were lost). Obviously, this becomes a much bigger problem for users who have ignored advice about how to choose and use passwords: If you are a Sony customer and picked a password for your PlayStation account that matched the password for the email account you used to register at Sony, change your email password now. The same goes for any other site where you reused that password or the answers to your PlayStation password security questions, since Sony says those answers may have been taken as well.
The first signs of trouble came nearly a week ago, when the PlayStation Network went offline. Sony subsequently published several blog posts apologizing for the outage. On April 22, Sony acknowledged that its networks had been breached, and a day later the company said it was rebuilding its system, but it didn’t disclose the extent of the breach until today. Judging by the comments left on the company’s blog post today, many PlayStation users are irate over having been kept in the dark for so long about the severity of a breach that potentially affects their personal and financial information.
It remains unclear what may have caused the breach, and while there are many theories, one explanation seems to hold more water than the rest: TorrentFreak cites a Reddit.com posting from “Chesh,” a self-proclaimed staff member from psx-scene.com, a site dedicated to hacking and modding PlayStations. According to Chesh, the breach came about because of a glitch in the system that allowed “extreme piracy of PSN content.”
Chesh believes that the problem stems from the availability of a new CFW (custom firmware) for the PlayStation 3. CFWs give hardware modified functionality and REBUG, as it’s known, turns a standard PS3 into a machine which provides access to some of the PSN’s features usually reserved for developers.
REBUG, which was released on the last day of March, apparently has a trick up its sleeve in that it is able to get previously hacked PlayStation 3 consoles back online after they’d been excluded by Sony. It’s not a feature built in by design, but one that users have learned how to exploit. Chesh reports that some REBUG users were initially using it to play Call of Duty on the dev networks around April 3rd. Neat enough in itself, but there was a monster in the shadows.
Since REBUG allowed users to connect to a previously secure and private developer network, certain information provided by users wasn’t security checked by Sony. According to Chesh, one of the items whose authenticity was never checked was – unbelievably – credit card numbers. People could apparently make them up and get access to whatever content they wanted.