Sony: PSN intruder may have taken credit card info

Sony reports that an intruder may have gleaned users' personal information, including credit card details, from its PlayStation Network. The PSN has been offline for nearly a week now while the company investigates. Though the first order of business for PSN customers is to call their bank and keep a close eye on the ol' credit card balance, the BBC warns people to be aware of more insidious schemes that exploit mundane personal details, such as telephone scams and identity theft. [BBC]


  1. At first I was all like
    “Haha stupid PS3 owners getting their personal information stolen”

    and then I thought about it and I was like
    “oh fuck this is bad.”

    Sony had better have some very good excuses that aren’t just “yeah well it was the h4kx0rs, not our fault”.

  2. Had to call one of the CC companies to cancel the card out. It wasn’t too bad because it wasn’t used too much.

    I have this feeling that I’m just going to cancel and get a new card every 8-12 months regardless from now on.

  3. Prepaid PSN cards. Always used them on the off chance my home is broken into and my PS3 stolen…

    Cool, change my password and the only downer for me will have been a long weekend with no multiplayer.

  4. Well, that sucks. You would think that a service with 50mm users would have decent security.

    1. You would think that a service with 50mm users would have decent security.

      Or at least smaller controllers.

  5. Here’s some informative worst-case scenario forecasting:

    “But the nightmare scenario would be if the attackers used Sony’s exposed root key to sign a back-doored firmware image or other low-level software update. If they then compromised the PSN update servers they could use them to deliver the malicious update to everyone through the normal trusted channel.

    Wikipedia reports 50 million PlayStation 3 units and 70 million PlayStation Network users, suggesting that a large percentage of these units are given internet connectivity on an ongoing basis. This attacker could potentially have created overnight the largest botnet in the world by a very large margin.

    Most of these PS3 units sit behind the firewall, in homes with weak internal network security (to put it mildly). This puts them in the perfect position to conduct local-LAN man-in-the-middle attacks on home users using the basic techniques of ARP spoofing and DHCP jumping.

    Furthermore, each PlayStation 3 is something of a supercomputer in its own right. Each has 6 to 9 high-performance cores (depending on how low-level the code executes) running at 3.2 GHz, plus an Nvidia GPU. In 2008, researchers using “just” 200 PS3s for a weekend were able to forge a rogue CA certificate of a type trusted by web browsers to authenticate the identity of any webserver.

    So if this attacker played their cards right they could control up to 500,000,000 CPU cores for a total of 1,600,000,000,000,000,000 core-cycles per second. Of course, the actual rate would be lower because not everyone would apply the firmware, have their PS3 connected, and so on. But still, even 10% of this type of computing capacity is far beyond what many important data security and cryptographic systems are expected to resist. For example, it seems likely that the Stevens et al. techniques could be used again successfully to forge a stronger SHA-1-based rogue Certificate Authority (or several).”

    1. Does anyone else get a tingling feeling in their spine when reading this? A thrill of nervous excitement? How crazy would it be if someone with a large agenda took control of a botnet this big?

      The possibilities…

  6. What I don’t understand is how this is Sony’s fault? I seem to remember sites just like this one enabling hackers to breach the system. I see a class action suit against George Hotz being more effective than against Sony.

    No system is entirely secure as long as the door is slightly ajar.

    I’m pissed, not at Sony, but at self-righteous zealots who are ruining good things. Hate DRM? Want to buy an e-book or play a Steam game without being treated like a criminal?

    Our future isn’t going to be open as long as this type of thing exists and you condone rather than condemn the actions.

    1. Fuck you, Sony PR bot!

      “Leave Sony alone! Don’t blame the bank that leaves its vault open! Blame the robbers who walk into the open vault and walk out with your cash! Nobody would’ve even known that the vault was open if you hadn’t tried to tell the bank that it was in the first place!”

      1. Dear Bill,
        PR Bot does not compute. Your sad attempt at replacing secured system with open vault bank is non sequitur… error. error.

        An open vault implies no security. Robbers are still thieves no matter how you split hairs.

        Upwards of 70 million people had their data possibly stolen and you say “who cares? They apparently weren’t secure. F* Sony.”

        Tell me Bill is your home address on Amazon, iTunes? Or do you trust some portion of your internet life with your bank account and/or credit card. No? Yes.

        Well, I hope not! If Apple, Amazon or anybody faltered in your fantasyland impression of them… then down it goes further down the spiral.

        Hell, even credit card companies and banks aren’t secure, but by all means let’s aim for the limelight and exploit the system.

    2. Anon, how is it NOT Sony’s fault? 70 million people trusted Sony with their personal data, and Sony failed to protect that data. Crackers are a fact of life – yes, they’re criminals, but Sony can’t wave a magic wand and make them suddenly disappear, so their only course of action is to secure the data that they keep on those 70 million customers. They failed to do that, and they betrayed the trust of their customers.

      As you say yourself:

      “No system is entirely secure as long as the door is slightly ajar.”

      Why was the door slightly ajar?

    3. Anonymous, you are a criminal. Stop acting like you are the good guy here. I have been a Sony customer for 9 years. You are wasting everyone’s time with this. If you stop doing what you’re doing, maybe people would start to respect you instead of wanting to kill you for this. End this bullsh** and let people get on with their lives instead of sitting at their desks watching their credit card information.

  7. For all of you who think Sony had it coming, did the gamers have it coming too? Because that’s who this effs with. Sony will just issue a few placating press releases, rebuild their network, and continue prosecuting end-users for exercising their right to fair use of hardware they paid good effing money for.

    To any Anons who may have had a part in this, stop attacking other end-users. All you’ve accomplished is to galvanize other end-users against you and given Sony and the rest of the copyrent establishment an excuse to clamp down harder. Attacking end-users is counterproductive.

    1. > For all of you who think Sony had it coming, did the gamers have it coming too?

      It should be readily apparent to consumers that Sony is not to be trusted.
      Remember their audio CD rootkit? Or SecuROM (developed by Sony)? Or that time they removed Linux functionality from the PS3? Or when they waited an entire week to tell 70M customers they were owned? Or when they threatened tens of thousands of people with litigation for copyright infringement and settled for exorbitant damages? Or when they sued a hacker for reverse engineering and got the logs from his website and sent cease and desists across the web? Or when they built their PSN and their trusted developer network without any separation so that dev access could be used to dump the data on every single one of its users? Oh right, that just happened.

      1. Hey, you’re preaching to the converted. There’s no love lost between me and Sony. I hit the roof when I found the rootkit on my old server.

        My only point was that punishing the gamers isn’t helping. That litany of offenses is proof that Sony as a corporation doesn’t give a crap about their customers, so attacking them won’t slow Sony down.

  8. Sony should not have sued GeoHot; they should have done it like Microsoft: kill the online capabilities for consoles that use pirated discs. Then whatever happens it’s the pirate’s fault; it won’t have anything to do with openness, the rights of owners with their gear, none of that tangled yarn. Microsoft actually did it the best way.

  9. Not all members of the Playstation network have credit card info with Sony, so the 69 million figure is not really active users of the Playstation network. Some fraction of that number play games or whatever the Playstation network sells.

    Millions use their PS3 for watching movies on BluRay and for watching Netflix streaming. They only have an annoyance of having to press buttons fast to make Netflix load despite the Playstation network being down.

    If this turns out to be anti-Sony zealots who did the attack, instead of, say, organized crime looking for credit card info, those folks should rot in jail just like the credit card thieves should.

  10. To be excusing Sony, and instead saying things against ‘anti-Sony zealots’, when there is zero evidence that any zealot of any kind was involved in this breach, but no denying that Sony’s poor security practices are involved, reveals any internet commenter as a credulous, corporate lickspittle. If you are talking or thinking about the bad effects of anti-Sony zealotry rather than the bad effects of Sony’s careless, anti-consumer network practices, then you are fundamentally irrational and prejudiced. Think about what the actual confirmable evidence says, and then think about what is going on in your brain.

    Try to have the two things bear at least some resemblance to each other. Otherwise you are merely a Sony apologist ready and willing to bend over for another paddle from the kind of authority to whose asshole you’re so eager to apply your lips that evidence appears to be irrelevant to you.

    1. @21: So any time a computer gets hacked, it is the fault of the computer for being “careless”? Ok, we’ve heard from the apologists-for-hackers contingent. Disgusting.

      1. My point is that you have zero evidence that any ‘Anti-Sony zealot’ was involved in this breach. You have no evidence of the beliefs or associations of the hackers behind it. By identifying them as ‘anti-Sony zealots’ you have made an unverifiable statement. You just assume that ‘hacker’ = ‘anti-Sony zealots’ but that is not a fair assumption. We know that there was a hacker but we have no evidence of any motive and in fact the profit motive would be plenty all on its own.

        Whereas, there is no denying that Sony was involved. You can’t argue that Sony didn’t get hacked, that some other company got hacked instead.

        Do you see now how you are letting your prejudices control your conclusions without any grounding in the facts?

        A hacker hacked Sony and stole customer information. This says something about the hacker’s ethics and it also says something about the weakness of Sony’s security. But it doesn’t demonstrate anything about any ‘anti-Sony zealot’ — the political beliefs of anyone regarding Sony are simply not part of the fact-based picture here. So yes it is in fact your bias that is disgusting; even more so that you can’t even recognise that you are throwing blame at people with a certain opinion, based on zero evidence that they had anything to do with anything.

  11. I think that the security of the internet is now an international problem. Now that organized crime and governments that operate like organized crime syndicates are exploiting the holes in the internet, it’s time to fix the holes.

    The risk is that national borders will start to crop up in cyberspace. So far, there are a few (such as the great firewall of China).

  12. Ok, we can agree hackers are generally bad (theft of information, illegal access, etc). Catch ’em, prosecute ’em, move on.

    “Did SONY fail to protect its customers?” is the question.

    Well, is there any way SONY could have closed “every door that was left ajar”? NO WAY… simply impossible (other than disabling network access, of course).

    Is there any way SONY could have detected the intrusion once it started, mitigating damages / reducing exposure? Yes, ABSOLUTELY yes!!! Intrusion detection is the FIRST line of defense of financial and government institutions – without it, any unauthorized users, once in, can move around unchecked (like in this debacle).

    Sooooo… Did SONY implement any intrusion detection mechanisms? and if so to what extent? No one knows. (and why is that?)

    I submit that SONY’s lack of intrusion detection left its customers exposed to theft (of personal information) for an unjustifiable period of time. I base this solely on SONY’s PR communications: there was NO mention of intrusion detection mechanisms (again, why is that?) and no detail on how or when the breach was identified.

    This is the failure SONY will be answering.

    Remember hackers are bad; and they are out there.

    SONY… Feel free to leave the door ajar provided you’re taking good care of your vicious guard dog :)
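A concrete illustration of the control the comment above argues for, added here as an example and not part of the original thread or of anything Sony actually ran: a rate-based detector over constructed database-access log lines that flags a client reading far more customer rows inside a short window than any normal front-end does. That is the kind of signal that shortens the gap between an intruder's first bulk read and the moment someone notices. The log format, the host names, the 60-second window and the 1,000-row threshold are all assumptions made for this example; the code is plain Python with no dependencies.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (not real Sony data). Assumed format:
#   <UTC timestamp> <client host> <action> <table> <rows returned>
SAMPLE_LOG = """\
2011-04-17T02:00:01Z app-03 SELECT users 1
2011-04-17T02:00:02Z app-03 SELECT users 1
2011-04-17T02:00:03Z app-07 SELECT users 1
2011-04-17T02:00:05Z app-03 SELECT users 2
2011-04-17T02:00:06Z unknown-host-1 SELECT users 5000
2011-04-17T02:00:07Z unknown-host-1 SELECT users 5000
2011-04-17T02:00:09Z unknown-host-1 SELECT users 5000
2011-04-17T02:01:30Z app-07 SELECT users 1
"""

WINDOW = timedelta(seconds=60)   # assumed sliding window
THRESHOLD = 1000                 # assumed: rows one client may legitimately read per window


def parse_line(line):
    """Split one log line into (timestamp, client, action, table, rows)."""
    ts, client, action, table, rows = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, action, table, int(rows)


def detect_bulk_reads(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per client the first time the rows it has read
    within `window` exceed `threshold`.

    Lines are assumed to arrive in time order.  A per-client deque holds
    the (timestamp, rows) events still inside the window; anything older
    is evicted before the running total is compared with the threshold.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, client, action, _table, rows = parse_line(raw)
        if action != "SELECT":
            continue          # only reads count toward exfiltration volume
        q = recent[client]
        q.append((ts, rows))
        while q and ts - q[0][0] > window:
            q.popleft()       # evict events that fell out of the window
        total = sum(r for _, r in q)
        if total > threshold and client not in alerted:
            alerted.add(client)
            alerts.append({"client": client,
                           "at": ts.isoformat(),
                           "rows_in_window": total})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_reads(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the three front-end hosts never exceed a handful of rows per minute, while `unknown-host-1` trips the threshold on its very first 5,000-row read, so the alert fires within one second of the bulk access starting rather than days later. The point is the order of magnitude, not the exact numbers: a per-client volume baseline is cheap to keep and is what turns "we cannot rule out the possibility" into a dated, bounded list of what was read.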

  13. I just received my email from Playstation and Sony concerning this “intrusion”-

    Valued PlayStation(R)Network/Qriocity Customer:

    We have discovered that between April 17 and April 19, 2011,
    certain PlayStation Network and Qriocity service user account
    information was compromised in connection with an illegal and
    unauthorized intrusion into our network. In response to this
    intrusion, we have:

    1) Temporarily turned off PlayStation Network and Qriocity services;

    2) Engaged an outside, recognized security firm to conduct a full
    and complete investigation into what happened; and

    3) Quickly taken steps to enhance security and strengthen our
    network infrastructure by rebuilding our system to provide you
    with greater protection of your personal information.

    We greatly appreciate your patience, understanding and goodwill
    as we do whatever it takes to resolve these issues as quickly and
    efficiently as practicable.

    Although we are still investigating the details of this incident,
    we believe that an unauthorized person has obtained the following
    information that you provided: name, address (city, state, zip), country,
    email address, birthdate, PlayStation Network/Qriocity password and login,
    and handle/PSN online ID. It is also possible that your profile data,
    including purchase history and billing address (city, state, zip),
    and your PlayStation Network/Qriocity password security answers may
    have been obtained. If you have authorized a sub-account for your
    dependent, the same data with respect to your dependent may have
    been obtained. While there is no evidence at this time that credit
    card data was taken, we cannot rule out the possibility. If you have
    provided your credit card data through PlayStation Network or Qriocity,
    out of an abundance of caution we are advising you that your credit
    card number (excluding security code) and expiration date may have
    been obtained.

    For your security, we encourage you to be especially aware of email,
    telephone and postal mail scams that ask for personal or sensitive
    information. Sony will not contact you in any way, including by email,
    asking for your credit card number, social security number or other
    personally identifiable information. If you are asked for this information,
    you can be confident Sony is not the entity asking. When the PlayStation
    Network and Qriocity services are fully restored, we strongly recommend that
    you log on and change your password. Additionally, if you use your PlayStation
    Network or Qriocity user name or password for other unrelated services or
    accounts, we strongly recommend that you change them as well.

    To protect against possible identity theft or other financial loss, we
    encourage you to remain vigilant, to review your account statements and
    to monitor your credit reports. We are providing the following information
    for those who wish to consider it:
    – U.S. residents are entitled under U.S. law to one free credit report annually
    from each of the three major credit bureaus. To order your free credit report,
    visit or call toll-free (877) 322-8228.

    – We have also provided names and contact information for the three major U.S.
    credit bureaus below. At no charge, U.S. residents can have these credit bureaus
    place a “fraud alert” on your file that alerts creditors to take additional steps
    to verify your identity prior to granting credit in your name. This service can
    make it more difficult for someone to get credit in your name. Note, however,
    that because it tells creditors to follow certain procedures to protect you,
    it also may delay your ability to obtain credit while the agency verifies your
    identity. As soon as one credit bureau confirms your fraud alert, the others
    are notified to place fraud alerts on your file. Should you wish to place a
    fraud alert, or should you have any questions regarding your credit report,
    please contact any one of the agencies listed below:

    Experian: 888-397-3742;; P.O. Box 9532, Allen, TX 75013
    Equifax: 800-525-6285;; P.O. Box 740241, Atlanta, GA 30374-0241
    TransUnion: 800-680-7289;; Fraud Victim Assistance Division,
    P.O. Box 6790, Fullerton, CA 92834-6790

    – You may wish to visit the website of the U.S. Federal Trade Commission at or reach the FTC at 1-877-382-4357 or 600 Pennsylvania
    Avenue, NW, Washington, DC 20580 for further information about how to protect
    yourself from identity theft. Your state Attorney General may also have advice
    on preventing identity theft, and you should report instances of known or
    suspected identity theft to law enforcement, your State Attorney General,
    and the FTC. For North Carolina residents, the Attorney General can be
    contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; telephone
    (877) 566-7226; or For Maryland residents, the Attorney
    General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202;
    telephone: (888) 743-0023; or

    We thank you for your patience as we complete our investigation of this
    incident, and we regret any inconvenience. Our teams are working around the
    clock on this, and services will be restored as soon as possible. Sony takes
    information protection very seriously and will continue to work to ensure that
    additional measures are taken to protect personally identifiable information.
    Providing quality and secure entertainment services to our customers is
    our utmost priority. Please contact us at 1-800-345-7669 should you have any
    additional questions.


    Sony Computer Entertainment and Sony Network Entertainment

  14. @ Anon #20

    > Is that sign a reflection of “YONS”?

    If it is, the N and S are backwards on the sign being reflected. But yeah, it looks like a reflection with those letters flipped. Odd. Talk about screwing with future archaeologists’ heads. Makes you wonder what sort of mind games ancient cultures might have been playing on us.

    @ Anon #24

    > Remember hackers are bad; and they are out there.

    Black hat hackers, yes. White hat, not so much. Grey hat, depends on what your definitions of good and bad are. Of course, not knowing who actually perpetrated this identity data theft, we can only speculate. If it was financially motivated black hat mercenaries working with or as identity thieves, then you’re on point that they’re a bad fact of online life. If it was an idealistically motivated grey hat move against Sony, then I don’t think it will achieve the ends it was meant to.

    1. It’s shopped. Look at the reflection on the S, see how in focus it is and look at the reflection on the Y and how blurry it is. Now compare it to the N and O, and you’ll notice the reflection on the O looks mostly in focus like the S while the reflection on the N is blurry like the Y. Also, you can make out the sidewalk and street in the O and you’ll notice it is not horizontal.

  15. We should get £50 each for the time we have lost getting up levels on games. The people who have been hacked should get their money back, because it’s not very fair really, in my opinion.
