Sony has another security headache on its hands, but don’t call it a hack.
According to the official Playstation blog, some entity was trying to sign in to users’ accounts on the Playstation Network, the Sony Entertainment Network and Sony Online Entertainment, using “a massive set” of login data obtained elsewhere. The attackers likely got a hold of a large username and password database, and were trying to see if any of those logins worked on Sony’s networks.
Playstation Network users may no longer file class action lawsuits against Sony, under a new user agreement that players must agree to before signing into the network. Now, PS3 and PSP owners will have to sue individually or seek arbitration for issues like security breaches or the removal of advertised features.
And guess what? The policy change is probably legal thanks to the Supreme Court.
Sony just can’t get back on track. On Wednesday evening, the Playstation Store came back online, finally making the Playstation Network whole again after April’s devastating security breach.
But now, a group of hackers known as Lulz Security claims to have breached Sony Pictures’ website, stealing e-mails, passwords, addresses, birth dates and opt-in information for more than a million users. All of this information is now posted to the Internet.
To be clear, we’re talking about two different divisions of Sony. The hacking of Sony Pictures has no effect on the Playstation Network. Still, this is another embarrassing security breach for Sony, and a sign that the company isn’t finished fending off hackers. It’s not even the first attack since the breaches of PSN and Sony Online Entertainment in April. Other smaller attacks have included a leaked database in Japan and a phishing scam site on Sony’s Thai web domain.
On the bright side, the Playstation Network has remained relatively stable since online play resumed in mid-May. That’s the best way Sony Computer Entertainment can redeem itself, along with the “welcome back” package of free games and other benefits that’s reportedly in its final testing stages.
But as a whole, Sony needs to show its customers that it’s taking security more seriously. Obviously, the entire company is now a target, and customers are the innocent bystanders. Perhaps it’s time for CEO Howard Stringer to change his tone.
It took a few weeks, but Sony is making good on its promise of free identity protection to Playstation Network users.
The service, good for one year, is offered through AllClearID PLUS, and is available to anyone who activated a PSN account before April 20. To get the service, enter your e-mail at Sony’s identity theft protection page. Within 72 hours, you’ll get an activation code, which must be redeemed at AllClear’s website by June 28. The AllClear package includes $1 million of identity theft insurance, cyber monitoring and other perks.
The Playstation Network was hacked between April 17 and April 19, forcing Sony to shut down the network for four weeks. Nearly a week after confirming the outage, Sony revealed the full extent of the damage: Hackers stole names, e-mails, addresses, birthdates and passwords. There was no evidence of credit card theft on the Playstation Network, but a separate attack on Sony Online Entertainment resulted in the theft of 12,700 credit card numbers. All but 900 were expired, Sony said.
At this point, I wonder how many people are going to take Sony up on the identity theft protection offer. Judging from the reader reaction here and on other blogs, there was a strong sentiment of “I don’t care about the data, just let me play Call of Duty again.” Sony began restoring Playstation Network services on May 14, although the Playstation Store for downloadable content remains down until the end of this month.
The Playstation Network may be back online, but the hacking of Sony’s websites never ends.
Facing increasing criticism of his company’s handling of the PSN hack — and now apparently a new security issue — Sony’s CEO Sir Howard Stringer has suddenly become much more vocal in striking down critics. The company’s new logic appears to be that “no network is 100 percent secure,” and that the attack on its servers was “unprecedented.”
Stringer’s comments came in the form of interviews with several outlets, including Bloomberg, Reuters, the Wall Street Journal, and others. He argued that the company’s notification of the hack within a week was faster than other companies have alerted their own users of data loss, sometimes months after the fact.
One of Sony’s new Playstation Network security measures has turned into another vulnerability.
As Eurogamer describes it: Anyone who signs into the Playstation Network after the outage is required to change his or her password. But with this exploit, all you need to make the change is the e-mail and date of birth associated with the account. This information was compromised during the PSN breach last month, which means hackers could use the vulnerability to take control of users’ accounts. The exploit was first reported by Nyleveia.com, and confirmed to Eurogamer with video evidence.
Of course, this isn’t a problem on actual consoles. A hacker on the other side of the world can’t change your login from your living room. But it does present an issue for Sony’s websites, where Sony has now shut down the login process entirely.
To be clear, the exploit has no impact on the Playstation Network itself, which was back online as of Saturday. And I doubt many people were affected, but if you were, you’d have received an e-mail from Sony saying your password was changed. If you’ve already changed your own password, there’s nothing to worry about.
Still, the exploit is another blunder by Sony, which spent four weeks rebuilding the Playstation Network to prevent future attacks, and brought in outside experts to make sure everything was clean. I guess they missed a spot.
Poor Sony. In addition to rebuilding the Playstation Network and enduring weeks of well-deserved criticism for letting hackers through its defenses, the company faced one more unenviable task: creating a “Welcome Back” package that will actually pacify customers.
The result is rather generous. Playstation 3 users get to choose from two of the following: Dead Nation, inFamous, LittleBigPlanet, Super Stardust HD and WipeOut HD + Fury. PSP users get two games from another list: LittleBigPlanet for PSP, Modnation Racers, Pursuit Force and Killzone Liberation. Everyone gets a free weekend of selected movies, 30 days of Playstation Plus (or 60 if you’re already a subscriber) and 100 free items in Playstation Home. Music Unlimited users get 30 free days.
I assume most people are mainly interested in the free games, which make up the bulk of the retail value in this apology package. And while I have a hard time faulting Sony for giving away so much — the PS3 package has a maximum $60 value — I also can’t shake the feeling that Sony’s best customers are getting a raw deal.
The official PlayStation Network blog has news of what Sony’s going to offer PSN fans by way of apology for the weeks-long outage and security breach: free games, movie rentals, service extensions, and more.
Here’s Kazuo Hirai, president of Sony Computer Entertainment, announcing that the PlayStation Network is on its way back online after its amazing, amazingly lengthy outage:
[vodpod id=ExternalVideo.995773&w=425&h=350&fv=flashVarText%3Dfake%3D1%26pvrn%3D10173%26key%3D7d63c65a%26viewToken%3Df14134cb%26enablecallbacks%3Dt]
Seems like he struck the right tone: apologetic and acknowledging that Sony has to rebuild trust, and with a minimum of self-pity over the fact that the problem stemmed from an illegal hacker attack.
Sony isn’t just flipping a switch that will put things back to normal: it’s rolling out the restoration region by region, state by state, and city by city. It’s also requiring PSN users to install a firmware upgrade and (understandably) change their password to get back online. Some parts of the PSN and Qriocity services, such as the PlayStation Store, aren’t part of the initial reboot. And Sony is going to offer a “Welcome Back” package but hasn’t announced the details.
Given the story thus far–Sony initially said that the PSN would be down for a day or two and then said that the restoration that’s only now happening would commence back in early May–I suspect that many PSN fans won’t assume anything until they see the network working for themselves. Even then, the enormity of the security breach means that this saga is far from over.
If you see the PSN working properly with your own eyeballs, let us know.
