Editor's note: The headline was changed from "PlayStation Network down, again" to "PlayStation Network 'exploit' discovered" and some changes have been made to the body copy to more accurately reflect the issue.
In what can only be described as a complete debacle, Sony has pulled access to its PlayStation Network password page after yet another security exploit has been discovered. It's the latest embarrassment to the company, which has experienced more than its share of shameful moments in recent weeks.
Sony took the PSN password changing system down for "maintenance" after the Web site Nylevia offered details of how PlayStation Network accounts could still be compromised, even after Sony recently restored service with improved security.
According to Nylevia, a hacker could take over a PlayStation Network account by knowing the user's account name and date of birth - two pieces of information stolen by data thieves in the April break-in.
Nylevia has confirmed the hack works, and has notified Sony of the problem. Sony has responded by taking the Web page for PlayStation Network passwords offline - users attempting to visit the site are getting a "maintenance notice." (Editor's note: Please see the update at the end of this editorial for Sony's statement on the issue.)
In April Sony blacked out PSN, its Qriocity streaming music service and Sony Online Entertainment (SOE) services after the company discovered that a hacker or hackers had broken into the systems and made off with personal information on more than 100 million user accounts, including names, addresses and passwords. A small number of non-US credit card records were taken from SOE servers as well.
It took Sony more than three weeks to finally resurrect services, after its first attempt was aborted (that's when Sony discovered that SOE servers got hit, too).
Talk about embarrassing.
When Sony's name came up in discussions by a Congressional subcommittee, a security expert said that Sony used versions of the open source Apache Web server software that went "unpatched and had no firewall installed."
Between the original PSN break-in, Sony's later discovery that SOE servers had been compromised, and this most recent issue, Sony has had a bad month. But even before that, Sony was targeted for retribution by the collective known as "Anonymous." The group staged a denial-of-service attack against Sony servers after Sony took legal action against a hacker named George Hotz (known online as Geohot); Hotz had successfully enabled PlayStation 3s to install alternate operating system software - a feature originally supported by Sony but later removed in a firmware update.
Sony really needs to get its act together and tighten security as much as possible.
In the interim, more and more gamers will likely do what I'm doing - playing their Xbox 360s using Microsoft's comparatively much more robust Xbox Live service.
Update: After this editorial was posted, Sony updated its PlayStation blog with the following statement:
"We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed.
"Consumers who haven’t reset their passwords for PSN are still encouraged to do so directly on their PS3. Otherwise, they can continue to do so via the website as soon as we bring that site back up."