Cube Posted May 2, 2011 Posted May 2, 2011 (edited) Reads to me like SOE stumbled across a security hole whilst investigating the PSN issue, thus have decided to deal with it now rather than wait for another attack. I wouldn't be surprised if Microsoft will be tightening up things on their end, too. Pretty much this. They're just patching up all their other systems. It's just a case of really bad journalism. Edited May 2, 2011 by Cube
LegoMan1031 Posted May 2, 2011 Posted May 2, 2011 I see the art of the leading headline is still alive and well. Reads to me like SOE stumbled across a security hole whilst investigating the PSN issue, thus have decided to deal with it now rather than wait for another attack. I wouldn't be surprised if Microsoft will be tightening up things on their end, too. Yeah, upon a proper reading i can see what your saying (silly me!). Sounds like we will get a proper story as to what it is all about later in a statement from them.
flameboy Posted May 2, 2011 Posted May 2, 2011 Still seems wierd because last week I remember them coming out and saying not to worry because SOE servers were safe and not victim to same intrusion so makes me think this is a seperate incident? Either way means customers who now don't have PSN accounts are being afffected by the widespread problem.
Cube Posted May 2, 2011 Posted May 2, 2011 Still seems wierd because last week I remember them coming out and saying not to worry because SOE servers were safe and not victim to same intrusion so makes me think this is a seperate incident? There has been no intrusion into the SOE servers. They've just been taken down for security upgrades.
LegoMan1031 Posted May 2, 2011 Posted May 2, 2011 Still seems wierd because last week I remember them coming out and saying not to worry because SOE servers were safe and not victim to same intrusion so makes me think this is a seperate incident? Either way means customers who now don't have PSN accounts are being afffected by the widespread problem. Like what Aimless and Cube said there may not even be a problem at all, as despite what the headline says, the actual message does not say any hacking has taken place. As we know they are reviewing all their security and there is every chance they could have just found something which could be exploded and have decided to take that network offline and improve it.
Cookyman Posted May 2, 2011 Posted May 2, 2011 (edited) From Joystiq Following up on this morning's news that Sony Online Entertainment servers were offline across the board, Japanese newspaper Nikkei reports (via BGR) that the company has lost 12,700 customer credit card numbers as the result of an attack. The company apparently took SOE servers offline after learning of the attack last evening, but has yet to issue a statement confirming that customer information has been lost. Of the 12,700 total, 4,300 are alleged to be from Japan, while the remainder's origins are unknown. The report also notes that most of the numbers are said to be from expired cards, which Engadget posits could mean this was simply stolen data from an old backup. The report doesn't mention whether last night's supposed breach is connected to the recent incidents involving Sony's PlayStation Network and Qriocity services, though an SOE representative told Joystiq that official comment would be coming from the company "within the hour." From Sony Online Entertainment As previously announced, we have been conducting an ongoing, thorough investigation stemming from the cyber attack in April and promised to notify you should there be any changes to the situation. We issued a press release today outlining these details. We will promptly send a customer service notification via email to all of our impacted account holders whose customer data may have been stolen as a result of an illegal intrusion on our systems. This information was discovered less than 24 hours ago and in response, we took down our services until we could verify their security. SOE is committed to delivering secure, stable and entertaining games for players of all ages and we're working around the clock to ensure this situation is resolved as quickly as possible. We deeply regret the inconvenience this has caused and appreciate your continued patience and feedback. Sincerely, Sony Online Entertainment -------------------------------------------------------------------------------- Customer Service Notification May 2, 2011 Dear Valued Sony Online Entertainment Customer: Our ongoing investigation of illegal intrusions into Sony Online Entertainment systems has discovered that hackers may have obtained personal customer information from SOE systems. We are today advising you that the personal information you provided us in connection with your SOE account may have been stolen in a cyber-attack. Stolen information includes, to the extent you provided it to us, the following: name, address (city, state, zip, country), email address, gender, birthdate, phone number, login name and hashed password. Customers outside the United States should be advised that we further discovered evidence that information from an outdated database from 2007 containing approximately 12,700 non-US customer credit or debit card numbers and expiration dates (but not credit card security codes) and about 10,700 direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain may have also been obtained - we will be notifying each of those customers promptly. There is no evidence that our main credit card database was compromised. It is in a completely separate and secured environment. We had previously believed that SOE customer data had not been obtained in the cyber-attacks on the company, but on May 1st we concluded that SOE account information may have been stolen and we are notifying you as soon as possible. We apologize for the inconvenience caused by the attack and as a result, we have: 1) Temporarily turned off all SOE game services; 2) Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and 3) Quickly taken steps to enhance security and strengthen our network infrastructure to provide you with greater protection of your personal information. We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable. For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When SOE's services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your Station or SOE game account name or password for other unrelated services or accounts, we strongly recommend that you change them, as well. To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it: U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit http://www.annualcreditreport.com or call toll-free (877) 322-8228. We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a "fraud alert" on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below. Experian: 888-397-3742; http://www.experian.com; P.O. Box 9532, Allen, TX 75013 Equifax: 800-525-6285; http://www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241 TransUnion: 800-680-7289; http://www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790 You may wish to visit the web site of the U.S. Federal Trade Commission at http://www.consumer.gov/idtheft or reach the FTC at 1-877-382-4357 or 600 Pennsylvania Avenue, NW, Washington, DC 20580 for further information about how to protect yourself from identity theft. Your state Attorney General may also have advice on preventing identity theft, and you should report instances of known or suspected identity theft to law enforcement, your State Attorney General, and the FTC. For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; telephone (877) 566-7226; or http://www.ncdoj.gov. For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; telephone: (888) 743-0023; or http://www.oag.state.md.us. We are committed to helping our customers protect their personal data and we will provide a complimentary offering to assist users in enrolling in identity theft protection services and/or similar programs. The implementation will be at a local level and further details will be made available shortly in regions in which such programs are commonly utilized. We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority. Please contact us at 1 (866) 436-6698 should you have any additional questions. Sincerely, Sony Online Entertainment LLC Edited May 2, 2011 by Cookyman
flameboy Posted May 2, 2011 Posted May 2, 2011 So SOE was hacked? Like said the wording of intrusions etc...was worrying simpler to those about PSN... Wonder how long it will be before thats back up and running? This is gonna rumble on for a lot lot longer I feel.
Cube Posted May 2, 2011 Posted May 2, 2011 That certainly is very different from the initial statement. Although in a strange way it makes me more confident about the PSN's credit card situation.
Dyson Posted May 2, 2011 Posted May 2, 2011 Well that's me affected then. I knew I'd regret that Planetside subscription. (Not a chance, best game ever).
Ellmeister Posted May 3, 2011 Posted May 3, 2011 Apparently even Everquest has been affected. Oh dear Sony it just keeps getting worse:shakehead
flameboy Posted May 3, 2011 Posted May 3, 2011 oh crap I have an everquest account attached to a different email to PSN looks like thats another password to probably go and change.
Shorty Posted May 3, 2011 Posted May 3, 2011 Changing your password? What's the point in that? They already have your details. They're not trying to get your Everquest alts. Change your credit card number.
Ryan Posted May 3, 2011 Posted May 3, 2011 http://www.gamesindustry.biz/articles/2011-05-03-24-6-million-soe-accounts-potentially-compromised Update: Only 900 cards still active
flameboy Posted May 3, 2011 Posted May 3, 2011 Changing your password? What's the point in that? They already have your details. They're not trying to get your Everquest alts. Change your credit card number. for the future....whats the point in adding a new credit card number later down the line to an account that someone else has the password to? I know its rare to have you card details displayed to actually read but still...just like they've advised if you use the same password for anything else then you should change it.
Happenstance Posted May 4, 2011 Posted May 4, 2011 Sony implicates 'Anonymous' in response to Congress The data breach of Sony, including PlayStation Network and more recently-discovered Sony Online Entertainment, attracted the attention of Congress. Sony decided not to appear personally at a data theft hearing, but Kaz Hirai has given the company's official response, which implicates the hacker group Anonymous for the attacks. In a letter to the US House of Representatives Subcommittee on Commerce, Manufacturing, and Trade (summarized on the PlayStation Blog), Hirai explains that the hackers left a calling card. "When Sony Online Entertainment discovered this past Sunday that data from its servers had been stolen, it discovered that the intruders had planted a file on one of those servers named 'Anonymous' with the words 'We are Legion'," Hirai explained. Though the the SOE theft was discovered later than the PSN attack, it took place at the same time by exploiting shared infrastructure. Sony emphasized that it hadn't suffered a second attack, but rather that SOE's intrusion took longer to detect. That means that if Anonymous is responsible for the SOE attack, it's responsible for PSN as well. For its part, Anonymous has denied involvement in the attacks, but even in that denial admitted that "other Anons" may have "acted by themselves." When the group apologized for inconveniencing users with denial-of-service attacks, a statement pointed out, "different operations are 'run' by different people." The group noted that it is "comprised of people with diverse points of view, of which not all coincide with one another." Hirai also gave three reasons why it may have taken Sony so long to detect the problem: the sophistication of the attack, an unknown system vulnerability, and the fact that Sony was focusing on the denial of service attacks. "Whether those who participated in the denial of service attacks were conspirators or whether they were simply duped into providing cover for a very clever thief, we may never know," he said. "In any case, those who participated in the denial of service attacks should understand that - whether they knew it or not - they were aiding in a very well planned, well executed, large-scale theft that left not only Sony a victim, but also Sony's many customers around the world." The letter also says Sony shut down networks "as soon as threats were detected," but reveals that they noticed off-schedule system reboots due to "unauthorized activity" taking place on 4/19 -- a full day before the PSN shutdown on 4/20, and two weeks before Monday's SOE shutdown. The House letter to Hirai became part of a data theft hearing, planned before the Sony attacks, that is currently underway. You can watch it live on C-SPAN. http://www.shacknews.com/article/68328/sony-implicates-anonymous-in-response
ReZourceman Posted May 4, 2011 Posted May 4, 2011 when is n00b pwning faciliatator back online guize?
Pit-Jr Posted May 4, 2011 Posted May 4, 2011 One other point to clarify is from this weekend’s press conference. While the passwords that were stored were not “encrypted,†they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form. Thats somewhat comforting. They probably should have mentioned that earlier
Ike Posted May 4, 2011 Posted May 4, 2011 It's fine as long as you didn't use weak, obvious passwords. Like password.
ReZourceman Posted May 4, 2011 Posted May 4, 2011 (edited) It's fine as long as you didn't use weak, obvious passwords. Like password. Nothing to see here. Edited May 4, 2011 by ReZourceman
Ike Posted May 4, 2011 Posted May 4, 2011 (edited) But...like....***** would be....okay, right? Only slightly And especially not when you post your password on the Internet :P Edited May 4, 2011 by Ike Not sure if that was a real password >.>
Cube Posted May 4, 2011 Posted May 4, 2011 Find a completely random word and put some numbers in. Like "art1ch0ke".
flameboy Posted May 4, 2011 Posted May 4, 2011 Find a completely random word and put some numbers in. Like "art1ch0ke". don't encourage him lol!
Choze Posted May 4, 2011 Posted May 4, 2011 US blog: http://blog.us.playstation.com/2011/05/04/sonys-response-to-the-u-s-house-of-representatives/ Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack. We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named “Anonymous†with the words “We are Legion.â€
Recommended Posts