SOE: User Data and Credit Card Information Compromised, Services Taken Down

May 2, 2011 -

As promised, Sony Online Entertainment has updated its official site to let customers know why it took down its services earlier today. To say it isn't good news for customers is a major understatement. According to the update, SOE took its game services down because of an intrusion that saw much of the same personal data and credit card info compromised by outside sources - similar to what happened on PlayStation Network. SOE says that personal info related to SOE accounts "may have been stolen" in a cyber attack.

This data includes "name, address (city, state, zip, country), email address, gender, birthdate, phone number, login name and hashed password." In addition, information from an outdated database from 2007 was compromised during the attack. This database contained approximately 12,700 non-US customer credit or debit card numbers and expiration dates (but not credit card security codes) and about 10,700 direct debit records listing bank account numbers of some customers in Germany, Austria, Netherlands and Spain may have also been obtained.

 

SOE says that there is no evidence that its main credit card database - a separate service, they say - was compromised. Some are reporting that this was a second separate attack independent of the original attack on PSN.

"We had previously believed that SOE customer data had not been obtained in the cyber-attacks on the company, but on May 1st we concluded that SOE account information may have been stolen and we are notifying you as soon as possible," the statement read.

To deal with the situation SOE has taken all game services offline, have engaged an outside security firm, and have taken steps to secure all of its games and services.

The usual advice that Sony offered to PlayStation Network users has been recycled for the SOE security breach. The best thing that SOE users can do is contact their bank or credit card company and cancel their cards.

We will have more on this story as it develops.

Source: SOE.com


Comments

Re: SOE: User Data and Credit Card Information Compromised, ...

(EDIT: New post instead of reply, ack.  Would be nice if you guys fixed the backend so that clicking on Reply and then logging in didn't dump you to a new post box...)

Re: SOE: User Data and Credit Card Information Compromised, ...

Holy crap man. I'm having trouble conceiving any way sony could be more screwed. I suppose if Skynet infiltrated folding @ home.

-Austin from Oregon

Feel free to check out my blog.

Re: SOE: User Data and Credit Card Information Compromised, ...

Hashed password...what exactly does that mean? i've heard that before, something about hashed passwords being useless to anyone who steals them? 

Re: SOE: User Data and Credit Card Information Compromised, ...

It's something crypogtaphic I hear, scrambles it enough to make it completely useless. Maybe it replaces it with boxes like it does when text can't be translated.

Re: SOE: User Data and Credit Card Information Compromised, ...

Passwords are stored, typically, in the form of a hash.

Hashing is an algorithmic function which converts an input of a variable length (in this case, your password) to an output of fixed length.

 

For example, "The quick brown fox jumps over the lazy dog" hashes into "2FD4E1C67A2D28FCED849EE1BB76E7391B93EB12". (Note that it would be that length, whether it was a ten-megabyte text file or your name being hashed; that's what "variable length into fixed length" means)

 

The key to a hash function is that it's a "trapdoor" function. It's relatively trivial for a computer to get the hash from the input, but it is insanely difficult to get the input from the hash, which is why passwords are stored that way in the first place. (You enter password, computer hashes password, hash matches stored hash, password accepted) To break a hashed password, the hacker basically has to use a program to guess passwords, then compare them to the hashes.

 

What this means is, anyone using a secure password (something fairly long, not composed of common words, etc; not giving a password security lecture here) is potentially fine but should change that password if they use it for anything else (which they shouldn't be doing anyway, because not reusing passwords is part of having a secure password). If you have a crappy password (something found in a dictionary especially), and you had a PSN or SOE account, and you used that password in anything else, change it now. I mean it. Stop reading and go change it, on everything it's used in. Best to assume it's broken.

 

Statistically, a lot of those passwords are going to be insecure. Breaking a truly secure password is a daunting task that might take days, weeks, or months of constant, dedicated processing by a fairly powerful computer; it has to make a guess, hash that, compare it to the stored hash, and then make another guess. Not feasible. Breaking a really insecure password is actually fairly trivial, because anyone actually trying to harvest passwords is going to have dictionaries of commonly-used words and derivations of words.

 

Comparing twenty thousand password guesses to a decent password is, statistically, not going to work. You have to go through literally millions or billions of possible guesses. Comparing a handful of really common passwords to a database of twenty thousand random people, however, is probably going to give you a few hits.

Re: SOE: User Data and Credit Card Information Compromised, ...

So morale of the story is if they did use this method, chances are that while everyone SHOULD change their password, the chances of the hackers having it in any usable form (barring shit passwords) are pretty low.

Good to know. 

Re: SOE: User Data and Credit Card Information Compromised, ...

Pretty much.

In general hashed password lists are only good for asking 'is this the password?', but poor for finding out what the password is.  Any (standard) modern system is likely to be difficult enough to break as to be useless to them because it comes down to raw math... as long as they did not try to implement their own algorithm it comes down to brute forcing it.

Re: SOE: User Data and Credit Card Information Compromised, ...

Makes me glad I made absolute sure my PSN account password was unique to that account.

Re: SOE: User Data and Credit Card Information Compromised, ...

Good man.

 

I don't claim, by the way, to understand fully the implementation of hashing methods into a security system. I know the basics via coursework but I haven't studied higher-level implementation concepts yet.

Re: SOE: User Data and Credit Card Information Compromised, ...

You forgot one important fact:

A hash ease of reverse engineering is inversely proportional to the collision risk of said hash algorithm. For example, if you store a hash of 10 characters for passwords that range from 1 to 9 characters, you can have an algorithm that has 0 chance of collision (every possible hash is unique), however, this makes reverse-engineering the hash that much more easy. However, if you have a 10 characters long hash for password ranging in length from 4 to 20 characters, there is no way for you to find an algorithm that will not create collision. Still, it will make it that much harder to reverse-engineer the hashes since each hash has multiple possible source.

The way hashes work is usually they will add a known salt to the password (a key of sort) and then pass it through one of a multiple of algorithm. Btw, the more algorithm, the LESS secure the password hashing ends up (anything passed to the function will end up with the same hash and thus will be verified. On the + side, go try and reverse-engineer that :P ) the same way using a random number to seed the next number of the same random number generator will quickly destroy any randomness in the system.

Anyway, what would be important to know here is which security they were the most worried about: Their network (big hash, low collision, higher risk of reverse engineering if you steal the data, but obviously they didn't think about that) or an average user (smaller hash, higher collision, the reverse engineering is less likely but the user could have false positive with wrong passwords on their network). I'd normally wager the first, but considering how little of an understanding Sony seems to have had of security in general, I'd say it's anybody's guess.

Re: SOE: User Data and Credit Card Information Compromised, ...

Giving this is the second attack on Sony in two weeks, someone has it out for them.

Re: SOE: User Data and Credit Card Information Compromised, ...

It's almost certainly the same people in a second targeted attack, but as for "having it in for them" -- well, it COULD be somebody cheesed off at the Hotz settlement, but really you don't need an ulterior motive to break into a major company's servers and steal its customer data; the credit card/ID theft potential is an end in and of itself.  Every single Fortune 500 company is a potential target for this kind of attack, regardless of company politics or recent PR situation.

Again, it's possible this was done by a group (it IS most likely a group and not an individual) that has a grudge against Sony, but it could just be that they were looking for a major company with a vulnerable network and Sony was the one they found.

Re: SOE: User Data and Credit Card Information Compromised, ...

Or at the least saw whath append with PSN and figured other Sony networks could be broken into using similar methods.

Re: SOE: User Data and Credit Card Information Compromised, ...

Or the two networks are connected, and they are only now discovering that the breech crossed both systems.

Re: SOE: User Data and Credit Card Information Compromised, ...

If so that only adds to how angry I am this morning as I was hoping t odownload any updates and finally be able to be online again.

 
Forgot your password?
Username :
Password :

Shout box

You're not permitted to post shouts.
ZippyDSMleeuuuhhhggg in other news been sick since last night.....uuhggg.....I iwsh it did not hurt so much when my tummy wants to leave my body..02/28/2015 - 11:39pm
ZippyDSMleeBrings me to the Q why alt costumes would be needed in competition anyway... http://www.eventhubs.com/news/2015/feb/28/dead-or-alive-community-aims-ban-over-120-overly-sexualized-costumes-dead-or-alive-5-last-round/02/28/2015 - 11:36pm
MonteThough from a business side, i would agree with the article. While it would be smarter for developers to slow down, you can't expect EA, Activision or ubisoft to do something like that. Nintnedo's gotta get the third party back.02/28/2015 - 4:36pm
MonteThough it does also help that nintendo's more colorful style is a lot less reliant on graphics than more realistic games. Wind Waker is over 10 years old and still looks good for its age.02/28/2015 - 4:33pm
MonteWith the Wii, nintnedo had the right idea. Hold back on shiny graphics and focus on the gameplay experience. Unfortunatly everyone else keeps pushing for newer graphics and it matters less and less each generation. I can barely notice the difference02/28/2015 - 4:29pm
MonteON third party developers; i kinda think they should slow down to nintendo's pace. They bemoan the rising costs of AAA gaming, but then constantly push for the best graphics which is makes up a lot of those costs. Be easier to afford if they held back02/28/2015 - 4:27pm
Matthew Wilsonhttp://www.forbes.com/sites/insertcoin/2015/02/28/the-world-is-nintendos-if-only-theyd-take-it/ I think this is a interesting op-ed, but yeah it kind of is stating the obvious.02/28/2015 - 2:52pm
prh99The government probably doesn't need an app, but I was think more along the lines of a company that was going to sell the collected info. “If you're not paying for the product, you are the product” sometimes even if you pay.02/28/2015 - 1:50pm
E. Zachary KnightWhat better way for the government to keep track of you than to get you to install an app that lets you insult the government.02/28/2015 - 11:03am
prh99No, but I looked it up and it's basically spyware. Their privacy policy says their apps tracks among other things your location and browsing habits via cookies.02/28/2015 - 8:20am
Ryan RardinHas anyone here heard of an app called iCitizen? It's basically Yelp for politicians.02/28/2015 - 5:16am
Andrew EisenAh, not linked in the way you (and everyone else) want and expect. That's true.02/27/2015 - 10:06pm
Matthew Wilsonthey are not linked in a way that tracks purchases though. the fact that they have to send a code for the other system shows that they are not linked in the way it counts.02/27/2015 - 9:39pm
Andrew EisenAccounts are already linked. Have been for quite a while. Also, Mario vs. Donkey Kong was announced as a cross-buy title during last January's Nintendo Direct.02/27/2015 - 9:25pm
Matthew Wilsonhttp://www.vg247.com/20…/…/27/olli-olli-3ds-wii-u-cross-buy/ I wounder if this is a sign that Nintendo may finally link accounts across the 3ds/wiiu in the near future.02/27/2015 - 9:18pm
prh99http://www.romanoriginals.co.uk/invt/70931?colour=Blue The dress does comes in white and blue but both have black lace and a sheer back top, I don't see gold or brown. 02/27/2015 - 8:54pm
ZippyDSMleeDungeons was a so bad so good game to me so I been keeping up with its sequel which will more of a Dungeon Keeper clone. As for pre order out of 7 preorders I was not burnt by 2... Add my contempt of most of modern game design.Ya I have all kinds of hurt.02/27/2015 - 8:40pm
MechaTama31I don't even want to know...02/27/2015 - 8:22pm
ZippyDSMleeFun? I can do fun…. I think LOL. Dungeons 2 is on preorder but not via steam... >> Hell I am breaking all kinds of personal butthurt rules to even THINK about pre order...02/27/2015 - 8:12pm
E. Zachary KnightHad some fun discussions about that dumb dress on Facebook. I opened the original picture in GIMP and sampled the colors and determined them to be Blue and Gold. People still say I am wrong.02/27/2015 - 7:41pm
 

Be Heard - Contact Your Politician