May 3, 2011
Just when it seemed safe to go back in the tubes, another trug of turd hits the fan. Today PlayStation Network and Qriocity were supposed to be fired back up, limping on three cylinders, but usable. D-Day came and Twitter was alight with “is PSN back up yet?” messages. Most users were memed in return with this link: http://www.ispsnupyet.com/.
That’s going to continue for a while, mainly because Sony appear to have made a bit of a schoolboy error. While they were busy dealing with the exploit that allowed 77 million users’ data to be stolen, they sort of forgot to check whether other parts of their business could be breached in the same way. Cue the head of security for Sony Online Entertainment going very pale while the sound of 100 million facepalms echoes across cyberspace.
100 million? Yes, 100 million. That’s the 77 million users on PSN who originally had their data stolen, PLUS the 26 million SOE clients whose details have now also been stolen. It was such a big deal that Sony Online Entertainment requested that the information be posted to the PlayStation Blog in this post.
Tokyo, May 3, 2011
- Sony Corporation and Sony Computer Entertainment announced today that their ongoing investigation of illegal intrusions into Sony Online Entertainment LLC (SOE, the company) systems revealed yesterday morning (May 2, Tokyo time) that hackers may have stolen SOE customer information on April 16th and 17th, 2011 (PDT). SOE is based in San Diego, California, U.S.A.
This information, which was discovered by engineers and security consultants reviewing SOE systems, showed that personal information from approximately 24.6 million SOE accounts may have been stolen
This means that PSN, Qriocity and SOE are all offline while Sony resolves the issue. There’s no information at the time of writing as to when PSN or any of the other services are likely to be live again.
The good news is that that was the bad news.
The Good News
The good news is actually information that should have been released at the same time as the original “oops we’ve had a boo-boo” press release. The original press release, the FAQs and even the emails that were sent to some PSN users stated that information including passwords had been stolen. And they weren’t encrypted.
It turns out that semantics turned a bad situation into a nightmare for the millions of users who scrabbled to change their passwords on as many sites as they could remember in case the nefarious net villains started plundering everything from PayPal to Neopets. Sony revealed yesterday that while the passwords were not encrypted, they had been hashed.
Well why didn’t they just say so!?
For those with the puzzled expression on their faces right now, hashed information is one step away from full-on encryption. It means that passwords were not in clear text and so can only be revealed if the hash key is known. It’s extremely unlikely that Sony would leave the hash key lying around for anyone to steal... maybe a topic for a future press release from Sony though?
Essentially, passwords are safe (for now).
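To make the hashed-versus-encrypted distinction concrete, here is an added Python example (not from Sony or the original post). It shows that a login check recomputes the hash instead of decrypting anything, that a per-account salt makes identical passwords store differently, and that an optional server-side key plays the role of a "hash key". The algorithm (PBKDF2-HMAC-SHA256), the iteration count and every name here are assumptions, since the page does not say what Sony used.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; the page gives no parameters


def unsalted_digest(password):
    """Plain fast hash: the same password always yields the same digest,
    so accounts sharing a password are visible in a stolen table."""
    return hashlib.sha256(password.encode()).hexdigest()


def _derive(password, salt, server_key):
    """Slow, salted derivation; optionally keyed with a server-side secret."""
    material = password.encode()
    if server_key:
        # Keyed step: stored values cannot be checked without server_key.
        material = hmac.new(server_key, material, hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)


def hash_password(password, server_key=b""):
    """Return (salt, derived) using a fresh random salt for each account."""
    salt = os.urandom(16)
    return salt, _derive(password, salt, server_key)


def verify_password(password, salt, stored, server_key=b""):
    """Login check: recompute from the attempt and compare in constant time.
    Nothing is decrypted, because the stored value has no inverse."""
    return hmac.compare_digest(_derive(password, salt, server_key), stored)


if __name__ == "__main__":
    # Constructed sample: two accounts that chose the same password.
    pw = "correct horse"
    print("unsalted digests match:", unsalted_digest(pw) == unsalted_digest(pw))
    s1, h1 = hash_password(pw)
    s2, h2 = hash_password(pw)
    print("salted records match:  ", h1 == h2)
    print("right password accepted:", verify_password(pw, s1, h1))
    print("wrong password accepted:", verify_password("guess", s1, h1))
```
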
Now we just have to wait for the services to come back online and everyone can get back to normal.