N-Europe


Posted (edited)
Reads to me like SOE stumbled across a security hole whilst investigating the PSN issue, thus have decided to deal with it now rather than wait for another attack. I wouldn't be surprised if Microsoft will be tightening up things on their end, too.

 

Pretty much this. They're just patching up all their other systems. It's just a case of really bad journalism.

Edited by Cube

Posted
I see the art of the leading headline is still alive and well.

 

Reads to me like SOE stumbled across a security hole whilst investigating the PSN issue, thus have decided to deal with it now rather than wait for another attack. I wouldn't be surprised if Microsoft will be tightening up things on their end, too.

 

Yeah, upon a proper reading I can see what you're saying (silly me!).

 

Sounds like we will get a proper story as to what it is all about later in a statement from them.

Posted

Still seems weird because last week I remember them coming out and saying not to worry because SOE servers were safe and not victim to same intrusion so makes me think this is a separate incident? Either way means customers who now don't have PSN accounts are being affected by the widespread problem.

Posted
Still seems weird because last week I remember them coming out and saying not to worry because SOE servers were safe and not victim to same intrusion so makes me think this is a separate incident?

 

There has been no intrusion into the SOE servers. They've just been taken down for security upgrades.

Posted
Still seems weird because last week I remember them coming out and saying not to worry because SOE servers were safe and not victim to same intrusion so makes me think this is a separate incident? Either way means customers who now don't have PSN accounts are being affected by the widespread problem.

 

Like what Aimless and Cube said there may not even be a problem at all, as despite what the headline says, the actual message does not say any hacking has taken place.

 

As we know they are reviewing all their security and there is every chance they could have just found something which could be exploited and have decided to take that network offline and improve it.

Posted (edited)

From Joystiq

 

Following up on this morning's news that Sony Online Entertainment servers were offline across the board, Japanese newspaper Nikkei reports (via BGR) that the company has lost 12,700 customer credit card numbers as the result of an attack. The company apparently took SOE servers offline after learning of the attack last evening, but has yet to issue a statement confirming that customer information has been lost.

 

Of the 12,700 total, 4,300 are alleged to be from Japan, while the remainder's origins are unknown. The report also notes that most of the numbers are said to be from expired cards, which Engadget posits could mean this was simply stolen data from an old backup.

 

The report doesn't mention whether last night's supposed breach is connected to the recent incidents involving Sony's PlayStation Network and Qriocity services, though an SOE representative told Joystiq that official comment would be coming from the company "within the hour."

 

 

From Sony Online Entertainment

 

As previously announced, we have been conducting an ongoing, thorough investigation stemming from the cyber attack in April and promised to notify you should there be any changes to the situation.

 

We issued a press release today outlining these details. We will promptly send a customer service notification via email to all of our impacted account holders whose customer data may have been stolen as a result of an illegal intrusion on our systems. This information was discovered less than 24 hours ago and in response, we took down our services until we could verify their security.

 

SOE is committed to delivering secure, stable and entertaining games for players of all ages and we're working around the clock to ensure this situation is resolved as quickly as possible. We deeply regret the inconvenience this has caused and appreciate your continued patience and feedback.

 

Sincerely,

Sony Online Entertainment

 

 

--------------------------------------------------------------------------------

Customer Service Notification

May 2, 2011

 

Dear Valued Sony Online Entertainment Customer:

Our ongoing investigation of illegal intrusions into Sony Online Entertainment systems has discovered that hackers may have obtained personal customer information from SOE systems. We are today advising you that the personal information you provided us in connection with your SOE account may have been stolen in a cyber-attack. Stolen information includes, to the extent you provided it to us, the following: name, address (city, state, zip, country), email address, gender, birthdate, phone number, login name and hashed password.

 

Customers outside the United States should be advised that we further discovered evidence that information from an outdated database from 2007 containing approximately 12,700 non-US customer credit or debit card numbers and expiration dates (but not credit card security codes) and about 10,700 direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain may have also been obtained - we will be notifying each of those customers promptly.

 

There is no evidence that our main credit card database was compromised. It is in a completely separate and secured environment.

 

We had previously believed that SOE customer data had not been obtained in the cyber-attacks on the company, but on May 1st we concluded that SOE account information may have been stolen and we are notifying you as soon as possible.

 

We apologize for the inconvenience caused by the attack and as a result, we have:

 

1) Temporarily turned off all SOE game services;

 

2) Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and

 

3) Quickly taken steps to enhance security and strengthen our network infrastructure to provide you with greater protection of your personal information.

 

We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.

 

For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When SOE's services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your Station or SOE game account name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.

 

To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:

 

U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit http://www.annualcreditreport.com or call toll-free (877) 322-8228.

 

We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a "fraud alert" on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below.

 

Experian: 888-397-3742; http://www.experian.com; P.O. Box 9532, Allen, TX 75013

Equifax: 800-525-6285; http://www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241

TransUnion: 800-680-7289; http://www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790

 

You may wish to visit the web site of the U.S. Federal Trade Commission at http://www.consumer.gov/idtheft or reach the FTC at 1-877-382-4357 or 600 Pennsylvania Avenue, NW, Washington, DC 20580 for further information about how to protect yourself from identity theft. Your state Attorney General may also have advice on preventing identity theft, and you should report instances of known or suspected identity theft to law enforcement, your State Attorney General, and the FTC. For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; telephone (877) 566-7226; or http://www.ncdoj.gov. For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; telephone: (888) 743-0023; or http://www.oag.state.md.us.

 

We are committed to helping our customers protect their personal data and we will provide a complimentary offering to assist users in enrolling in identity theft protection services and/or similar programs. The implementation will be at a local level and further details will be made available shortly in regions in which such programs are commonly utilized.

 

We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority. Please contact us at 1 (866) 436-6698 should you have any additional questions.

 

Sincerely,

 

Sony Online Entertainment LLC

Edited by Cookyman
Posted

So SOE was hacked? Like said the wording of intrusions etc... was worrying similar to those about PSN... Wonder how long it will be before that's back up and running? This is gonna rumble on for a lot lot longer I feel.

Posted

That certainly is very different from the initial statement. Although in a strange way it makes me more confident about the PSN's credit card situation.

Posted

Changing your password? What's the point in that? They already have your details. They're not trying to get your Everquest alts. Change your credit card number.

Posted
Changing your password? What's the point in that? They already have your details. They're not trying to get your Everquest alts. Change your credit card number.

 

For the future... what's the point in adding a new credit card number later down the line to an account that someone else has the password to? I know it's rare to have your card details displayed to actually read but still... just like they've advised, if you use the same password for anything else then you should change it.

Posted

Sony implicates 'Anonymous' in response to Congress

 

The data breach of Sony, including PlayStation Network and more recently-discovered Sony Online Entertainment, attracted the attention of Congress. Sony decided not to appear personally at a data theft hearing, but Kaz Hirai has given the company's official response, which implicates the hacker group Anonymous for the attacks.

 

In a letter to the US House of Representatives Subcommittee on Commerce, Manufacturing, and Trade (summarized on the PlayStation Blog), Hirai explains that the hackers left a calling card. "When Sony Online Entertainment discovered this past Sunday that data from its servers had been stolen, it discovered that the intruders had planted a file on one of those servers named 'Anonymous' with the words 'We are Legion'," Hirai explained.

 

Though the SOE theft was discovered later than the PSN attack, it took place at the same time by exploiting shared infrastructure. Sony emphasized that it hadn't suffered a second attack, but rather that SOE's intrusion took longer to detect. That means that if Anonymous is responsible for the SOE attack, it's responsible for PSN as well.

 

For its part, Anonymous has denied involvement in the attacks, but even in that denial admitted that "other Anons" may have "acted by themselves." When the group apologized for inconveniencing users with denial-of-service attacks, a statement pointed out, "different operations are 'run' by different people." The group noted that it is "comprised of people with diverse points of view, of which not all coincide with one another."

 

Hirai also gave three reasons why it may have taken Sony so long to detect the problem: the sophistication of the attack, an unknown system vulnerability, and the fact that Sony was focusing on the denial of service attacks. "Whether those who participated in the denial of service attacks were conspirators or whether they were simply duped into providing cover for a very clever thief, we may never know," he said. "In any case, those who participated in the denial of service attacks should understand that - whether they knew it or not - they were aiding in a very well planned, well executed, large-scale theft that left not only Sony a victim, but also Sony's many customers around the world."

 

The letter also says Sony shut down networks "as soon as threats were detected," but reveals that they noticed off-schedule system reboots due to "unauthorized activity" taking place on 4/19 -- a full day before the PSN shutdown on 4/20, and two weeks before Monday's SOE shutdown.

 

The House letter to Hirai became part of a data theft hearing, planned before the Sony attacks, that is currently underway. You can watch it live on C-SPAN.

 

http://www.shacknews.com/article/68328/sony-implicates-anonymous-in-response

Posted
One other point to clarify is from this weekend’s press conference. While the passwords that were stored were not “encrypted,” they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form.

 

That's somewhat comforting. They probably should have mentioned that earlier.

Posted (edited)

 

But...like....***** would be....okay, right?

 

Only slightly :heh:

 

And especially not when you post your password on the Internet :P

Edited by Ike
Not sure if that was a real password >.>
