Latest from Sony - PSN and Qiriocity account-info-fiddling confirmed

26 April 2011

PS3 Here's the latest from Sony regarding the PSN/Qiriocity personal security intrusion debacle. They're not admitting that credit card details have been taken but it looks like everything else might have so, erm, um, yeah.

There's still no indication as to when the services will be restored but Sony are 'as upset as you are' so sleep tight with that knowledge...

Valued PlayStation Network/Qriocity Customer,

We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:

1) Temporarily turned off PlayStation Network and Qriocity services;

2) Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and

3) Quickly taken steps to enhance security and strengthen our network infrastructure by re-building our system to provide you with greater protection of your personal information.

We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.

Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity passwords and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, to be on the safe side we are advising you that your credit card number (excluding security code) and expiration date may also have been obtained.

For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security, tax identification or similar number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.

To protect against possible identity theft or other financial loss, we encourage you to remain vigilant to review your account statements and to monitor your credit or similar types of reports.

We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority. Please check should you have any additional questions.


Sony Network Entertainment and Sony Computer Entertainment Teams
Sony Network Entertainment Europe Limited (formerly known as PlayStation Network Europe Limited) is a subsidiary of Sony Computer Entertainment Europe Limited the data controller for PlayStation Network/Qriocity personal data.

TOPICS:   Technology


  • Paul C.
    Fuck. I don't blame Sony - they're guilty of being naive enough not to make their infrastructure strong enough for a database that serves over 70 million but .... It's the hackers. Malicious hacking is a cunt of a thing to do and I'm all for hanging those cunts. They bring misery to loads.
  • greg
    whats the odds on a nice little apology from sony in the sense of a free mini or downloadable game? it's a pretty major fuck-up
  • tin
    What's wrong with these friggin idiots? Can't they code a simple frontend-backend API that keeps these kind of details out of reach of even compromised front ends? Even I can do that and I'm utterly shit at coding. Outside, recognized security firm? Fucks sake.... Sony haven't seen fit to tell me yet. Maybe they stole my details and now Sony doesn't have them anymore.
  • Steve O.
    You can think burglars are complete arseholes (I do), but if you leave the front door wide open then you're a complete tit too. Just cos hackers are naughty people doesn't absolve Sony from blame.
  • klingelton
    i think i will be ordering a new card.
  • Dave B.
    oh great ! gonna have to cancel my credit card and take out I.D. fraud protection !! now gonna cost me money .. thanks Sony !
  • The B.
    Well, at the risk of sounding smug, that's precisely why I've never allowed companies to hold my card details on their accounts (I'm specifically looking at PSN/iTunes, who try to force you to give details when opening an account).
  • ole
    Has anyone actually been contacted directly from Sony? I use the PSN, but they aint been in touch to tell me that i will be sent a fuckton of junk mail and spam....
  • phil
    Well I'm glad almost all my details are fake, dont even have a real email address linked to it. Only problem is the debit card details...
  • Steve
    See what happens when you remove the "Other OS" feature, Sony? ...Snigger...
  • klingelton
    "…Snigger…" Racist.
  • Daniel
    +1 @ Tin Also, how on earth can you steal passwords?! Surely they're hashed...
  • PokeHerPete
    Hi, I have an Xbox.
  • Bod
    No need to use CC for Itunes.... done it myself, ok, you can buy anything.....
  • Sawyer
    An unfortunate side-effect of Sony taking PSN offline is that I can't log on to find out which credit card, if any, is associated with the account and therefore potentially compromised. I'm just glad Sony alerted me to this via email... oh wait, they didn't.
  • Azreal
    The passwords would have been secured, however encrypted files are the first thing hackers would go after and a determined hacker will break the encryption on the files and be able to view them, before you start spouting your crap about clear text, perhaps you should know a thing or two about how information is stored. A determined hacker will get in in the end and will always be-line for encrypted data as that will be the most valuable data to sell on once they break the encryption on their end. Think before you speak next time
  • Chris
    @Azreal In general, you don't encrypt passwords stored in a database, you hash them. You can't "unhash" data in the way that you can "unencrypt" it. This means that there is no secret key to reveal the passwords. You simply have to brute force each of them one at a time. If the passwords are also salted before they are hashed then it would take years and years to discover a significant number of passwords.
  • LanceVance
    Mmmmmmm......salted passwords......
  • klingelton
    i was quite upset at how easy it is to unhash md5 encrypted passwords...
  • Chris
    @klingelton Can you explain a little more about unhashing md5 please? If you are referring to trying out millions of random passwords and matching it to the hashed value, then that is not "unhashing" the password. That is just an idiot user who can't pick a strong enough password or an idiot developer who doesn't bother to salt the passwords before they are hashed.
  • Daniel
    @Chris - Cheers for explaining that to him @Azreal - Think before you speak next time
  • Daniel
    @Chris - Also, in reply to what Klingelton said, he may be referring to attacking using a Rainbow table. I don't know too much about that but I think certain forms of hashes are susceptible to attack... Not sure which though...
  • klingelton
    check out this webshite for md5 decrypting.
  • Chris
    Not that I particularly want to keep going about this, but that is not md5 decryption. That website has a database of 1.5 million words and the corresponding md5 hashes. This sort of thing is a rainbow table, as Daniel mentioned. As I have already said, a salted password is less susceptible to a rainbow table attack as the attacker has to generate a new rainbow table just for that specific database. Any database that is susceptible to this type of attack has been created by either a lazy or incompetent developer.
  • Daniel
    Just read a Sony blog suggesting the passwords were hashed which is nice to know... I just hope they used a decent hashing algorithm...
  • skinny b.
    Now that HLS has been bought in to help catch the hackers, how long before we hear "It was Mr.Terry Wrist hacking our free dumbs and informations. The only way we can beat them is to install microchips into each and every one of you useless eaters"

What do you think?

Connect with Facebook, Twitter, or just enter your email to sign in and comment.

Your comment