Sony security hole exposes another 24.6 million accounts

Summary: Just when you thought things couldn't get any worse for Sony, the company admits to another security failure that exposed personal information on another 24.6 million user accounts.

Just when you thought things couldn't get any worse for Sony: Hours after shutting down access to its Sony Online Entertainment service, the company announced another security intrusion that exposed information on an additional 24.6 million accounts.

Sony says hackers infiltrated the Sony Online Entertainment (SOE) systems around the same time as the recent break-in to Sony's PlayStation Network (PSN). Data thieves made away with personal information from approximately 24.6 million SOE accounts, according to Sony.

An "outdated database from 2007" was also copied which included 12,700 credit card and debit card numbers and expiration dates from customers in Austria, Germany, Netherlands and Spain. Sony noted that credit card security codes were not included in that database.

SOE systems power Sony's multiplayer online games including EverQuest II, Free Realms and DC Universe Online. The service went down Monday morning in the United States with a maintenance message. Sony has since followed up with more details.

Over the weekend Sony executives held a press conference to discuss security problems with its PlayStation Network (PSN) and Qriocity media streaming service. Around April 18, data thieves broke into PSN and Qriocity's databases and made away with personal information on 77 million account holders, including, possibly, credit card information on about 10 million subscribers.

The company failed to acknowledge the data breach until almost a week after it shut down access to the PSN and Qriocity services, raising sharp criticism from PSN users, security analysts and others.

A contrite Kazuo Hirai and other Sony executives took the dais at the Sunday press conference to apologize to Sony users affected by the initial security failure, promising to make amends by offering free access to PlayStation Plus content and other benefits.

Similarly, Sony is promising to overhaul SOE's security procedures, and is offering some tepid enhancements to help encourage players to come back, once service has been restored.

This latest fiasco tips the total number of affected Sony user accounts to more than 100 million. While it looked like Sony had some hope of digging out from the initial PSN catastrophe intact, anyone who's ever given Sony a credit card must be looking askance at the company now.

Talkback

21 comments
  • Hey Sony! A word of advice...

    Why don't you spend a little less time worrying about suing people trying to use Linux on their PS3 (a feature that was advertised at launch), less time on DRM (games that can't even be played in single player without internet access), and more time SECURING YOUR FREAKING NETWORKS!??
    tchopard
    • Agreed!

      @tchopard
      Chuck131991@...
    • RE: Sony security hole exposes another 24.6 million accounts

      @tchopard
      That's Hackers = 2 v Sony = 0.5 (give them 0.5 point for suing GH, HCM & SP). Might be time to sue for peace before they go out of business.
      FWZHR
  • RE: Sony security hole exposes another 24.6 million accounts

    We've already had out-of-state purchases being made on our credit cards. The thieves don't waste time. What a bummer. Maybe it's better to enter credit card data every time you need to, rather than storing this data on an unsecured network server somewhere... Sure it's an inconvenience, but I'm willing. The next time Domino's Pizza asks me for my 3-digit security code from the back of my credit card, I'm going to start screaming again.
    dailu@...
    • RE: Sony security hole exposes another 24.6 million accounts

      @dailu@... Bank of America and CitiBank offer disposable credit card numbers. BoA's is called ShopSafe. You can generate as many numbers as you need, set a credit limit for each one, and also an expiration date. You can even go online and kill any open ones. I use disposable numbers for all my online purchases. It seems much safer to me and it lets me have more control.
      bmgoodman
    • RE: Sony security hole exposes another 24.6 million accounts

      @dailu@...
      Ironically the security code was the only thing NOT stored in the database! ;)
      Sorry to hear about your predicament though.
      tchopard
  • Never trust Sony,

    Remember these are the same idiots that installed root kits on PCs when one of their music disks was played on the PC.
    edomejn
    • RE: same idiots that installed root kits on PCs

      @edomejn

      DON'T I remember that one!!!!!

      All I can say is Karma is a b----. Right Sony?
      fatman65535
  • Could open source be the problem?

    So someone brought it up. The PS3 runs on a form of Linux. So is this the problem? I have thought that myself. Some have always said Linux is not immune, it's just been unpopular. Whatever the reason, Sony really has a problem and it's going to get worse with legal actions.
    jscott418-22447200638980614791982928182376
    • RE: Sony security hole exposes another 24.6 million accounts

      @jscott418 The PS3 client has nothing to do with this. Furthermore, the underlying OS usually has nothing to do with a company who refuses to implement a PCI-compliant security policy. All the secure OSes in the world can't make up for someone who refuses to take basic steps to secure credit card storage.
      snoop0x7b
    • RE: Could open source be the problem?

      @jscott418

      Are you standing in for Loverock Davidson today????

      Apparently, you cut the class on Computer Essentials 100, the pre-requisite for Security Essentials 101.

      Sony had ITS SERVERS hacked. Whether or not the Playstation would (or could) have been running Linux is immaterial.

      It is SONY's responsibility to secure data on its servers; and apparently, it did not.
      fatman65535
      • RE: Sony security hole exposes another 24.6 million accounts

        @fatman65535
        Amen! However there is no doubt that hack attempts on their servers and different platforms increased due to their attempts at controlling intellectual property and the lawsuits.
        The big dog companies have no regard for PCI compliance.
        I love the fact that they are talking about an 'outdated database from 2007'. What I just read was "a vulnerability known since 2007 was used to hack our unpatched database"...
        PS3: It only does Identity Theft!
        tchopard
  • RE: Sony security hole exposes another 24.6 million accounts

    All I can do is sit back and chuckle to myself, content in the knowledge that what goes around, comes around....
    tech_ed@...
  • I love the smell of lawyers in the morning!

    The class action will go close to breaking them.
    Was there ever a company MORE out of touch with its customers?
    Let's hope someone useful gets the camera business.
    Clockwork Computer
  • sony

    While Sony may or may not be at fault, why is the gov't not asking...why are people so willing to give their personal information away to play video games? http://bit.ly/mCxtbF
    davidthomas5656
    • RE: Sony security hole exposes another 24.6 million accounts

      @davidthomas5656
      because they are too moron to send ID credit card to sony BIG COMPANY.....that's why always use 2 or more bank account
      ABC.1234.56789
  • RE: Sony security hole exposes another 24.6 million accounts

    @bmgoodman@... Agree!! I've been using CitiBank disposable credit card numbers for over 5 years. They are great, and as easy & fast to use as an actual card. They not only stop criminals, but errant businesses. Others need to use them too!
    slowgeezer
  • RE: Sony security hole exposes another 24.6 million accounts

    The playstation side of this issue scares me the most.

    Rich Cocovich
    Global Star Capital
    globalstarcapital.com
    RichCocovich
  • RE: Sony security hole exposes another 24.6 million accounts

    The playstation side of this issue scares me the most. I have bought my son numerous items through their virtual store.

    Rich Cocovich
    Global Star Capital
    globalstarcapital.com
    RichCocovich
  • RE: Sony security hole exposes another 24.6 million accounts

    This can happen with ANY company that accepts credit cards for purchase and allows the storage of the credit card. This includes intermediaries like paypal who do nothing BUT financial transactions. Why Sony is worse:
    1) They have other black marks on their history (rootkits in dvds for example).
    2) They have a LOT of customers worldwide.
    3) They didn't initially admit to the full scope of the issue.
    4) They are already in the press busily suing people (probably an inspiring factor in them getting attacked)
    5) They blew it on multiple fronts. 3 separate card vaults compromised at the same company tells us that it wasn't just one issue, that they just might not know how to protect their customers.
    6) The final straw: They are STILL down, leaving their customers out of service and many people (like me) struggling to remember what, if any, credit card I MIGHT have had stored in my account. As a rule, I don't purchase sony online content, but I can't absolutely remember that I never have. And since it has been 2 weeks and I still cannot get into my account, all I can do is watch my credit card accounts online and wonder.
    I DO know that I used to have Everquest, Everquest II and Star Wars Galaxies accounts, but I let those accounts lapse years ago so probably there wasn't a valid account in them (and it looks like those breaches weren't in the USA customers).

    I'd feel the same way if this happened to my cellphone provider (AT&T). But I wouldn't feel this way if it happened with my gas company. Why? Because my gas company has not given me other reasons to mistrust them prior to handing out my personal info to the world.

    We give our personal information to the world all the time. This is the price of modern commerce. We just expect the companies we do business with not to be grossly careless with our information.

    We also expect not to be told that "a free month of a service" and a pat on the head is good enough to make up for it. At this point, it no longer matters to me whether I ever log onto any sony network again. Certainly if I ever do, it will be to remove any personal information and discontinue any accounts. Zero Faith.
    WoofboyX