PlayStation Network hacked, personal information of 77 million accounts accessed

April 27, 2011

PlayStation Network

PlayStation 3 owners in the audience will likely have noticed an inability to connect to the PlayStation Network (PSN) over the past week, though Sony today made an announcement revealing that things are much worse than a week without access to online multiplayer gaming. At some stage between the 17th and 19th of April, a hacker gained access to Sony's systems. Sony believes the hacker was able to retrieve the personal information of 77 million PSN accounts, and says it is possible that credit card details were also retrieved.

Before we delve further into the story, I want to highlight one important lesson I hope everyone learns from this incident: you should not use the same password for multiple online services. If you have a PSN account with the same password as other services, I hope you've already stopped reading and started changing your passwords.

Sony made the announcement on the 26th – a full week after learning of the intrusion – though it is plausible it took the external forensic team this long to determine the personal information had been retrieved, given the Easter break.

A post over at Reddit by a member of the PS3 hacking scene highlights a series of recent hacking milestones, and presents a theory that Sony turned off the PSN to prevent users of custom firmware (CFW) from using a recently discovered method of pirating PSN content. While this is likely not the case given Sony's admission of the leaked personal information, it's still worth noting the claim that users of CFW (the first of which was released in January this year) have had access to the Sony developer network "the whole time", and that the developer network inherently trusted all connected clients – a massive no-no in client/server architecture and most certainly a potential attack vector.

Marsh Ray has blogged a theoretical worst-case scenario, where hackers manage to fool some percentage of the 50 million PS3 owners out there into installing a firmware that grants back-door access to the PS3. The resultant botnet could be used to eat modern cryptography for breakfast or, far more plausibly, to launch distributed denial-of-service attacks.

Hacktivist group Anonymous has denied responsibility for the attack, which raises the important question as to who has motive. Is this retribution against Sony for the prosecution of PS3 hackers fail0verflow and George Hotz? Or is it an organized crime group who can capitalize on the biographical information of 77 million people?

We suspect there will be more questions than answers for a long time, if not forever. In the meantime, we suggest disconnecting your PS3 from your network and keeping a close eye on your credit card statements.

About the Author
Tim Hanlon
Tim originally came to Gizmag as a developer, much to the dismay of anyone who had to maintain, build on, or rewrite his code. After wearing every other hat that didn't have a head for it, he became CEO in 2010. Outside Gizmag, he trains Muay Thai and plays too much Destiny.
8 Comments

All these online services should be running two servers: one connected to the internet which keeps no records, the other one isolated from the internet that keeps all the records; and the only way to access information is via an internal communication link between the two. That is the only way to keep hackers from hacking into the information server and doing mass-downloads like this.

Grunchy
27th April, 2011 @ 09:04 am PDT

Inexcusable.

Sherwin Kahn
27th April, 2011 @ 09:06 am PDT

Just went to cancel my debit card and get a re-issue with Santander...I was told not to bother really, they had been informed of the breach. Santander told me it was only credit card details and the information was only the expiry date...

Ianspeed
27th April, 2011 @ 09:50 am PDT

I find it questionable that there are 77 million users on the PSN network. They have only sold ~50 million units of the PS3. I don't think they've sold 27 million PSPs. Even if you guaranteed every single person put their personal info onto the PSN that bought a system is not realistic.

bdsterne
27th April, 2011 @ 11:22 am PDT

They forgot to mention that it's not just PSN but also their Qriocity network for streaming content to Sony media devices like Blu-ray players and TVs.

Mack McDowell
27th April, 2011 @ 06:37 pm PDT

I have reason to believe the same has happened to the "Tagged" network.

Have no access to my own account there, but no financial info from me there, neither personal info, except name, address and age.

Tagged has been unable to get me access, but I can visit, like everyone else, my own account, but not read and answer my mail. This problem occurred for approx. a month.

Tagged has not been able to solve it. (give me access to own account)

Knut Sulen
27th April, 2011 @ 10:33 pm PDT

bdsterne, you're forgetting duplicate accounts. As in the amount of people with more than one account on a single playstation, from sharing with mates and family to wanting a different gamer name.

Mark Penver
28th April, 2011 @ 04:25 am PDT

THEY'RE GOING TO GET CAUGHT, THAT'S COOL

Robert Charles Hestand
11th June, 2011 @ 11:57 am PDT