On April 20th, the PlayStation Network (PSN) went offline for “maintenance.” Here we are, on April 26th as I write this, and it is still down. A lot has happened in the last two days regarding information as to what has happened, and the answers we are getting are, to be frank, frightening. To put it bluntly, if you own a PlayStation 3 (PS3) or a PlayStation Portable (PSP) and have created a PSN account to use online features, buy games online, etc., a good majority of your personal information has been compromised. The list of what has been compromised is below:
· Billing Address
· Email address
· PSN login name and password
· Password security answers
· Purchase history
None of that is good, but two of those items, the password and the password security answers, are especially scary. I will get to that in a bit.
Sony has stated that this information was obtained during an “illegal and unauthorized intrusion into our network” that occurred between April 17th and 19th. Sony also states that while there is no evidence that any credit card numbers or information have been compromised, they cannot rule out that possibility.
I’m not usually one to blow on a trumpet and say “this is scary” for a hack into a corporate network, it happens a lot more often than people realize. But this particular attack is frightening, for several reasons.
The first is that the attackers were apparently able to obtain the actual user passwords. Anyone with any knowledge of computer security whatsoever knows that one of the most basic principles is that passwords are never stored as-is. The system stores a hash of each password, a fixed-length digest produced by a one-way function, and checks a login by hashing whatever the user typed and comparing the result to the stored value. Done properly, each password is also salted (a random per-user value is mixed in before hashing) and the hash function is deliberately slow, so two users with the same password get different stored values and nobody holding the table can simply read the passwords off it. Hashing is not magic: an attacker who steals the hash table can still guess candidate passwords offline, hash each guess the same way, and compare, so weak passwords fall quickly to dictionary attacks, especially if the hash is fast and unsalted. But a stolen table of salted, slow hashes is a far cry from a stolen list of passwords. If Sony had stored them that way, the attackers would have had to crack each password individually rather than simply reading them out.
If you are a person who uses the same password for every account, this means that you should, right now, go and change your password for every other online service you use. I’m not kidding here. I’ll even wait for you to do it before I continue this post…….
Ok, now that that’s done, the second item, which could actually be worse, is that password security answers have been compromised. Those are the answers to the questions you have to answer when you forget your password, questions like “what is your mother’s maiden name?” or “what was your first pet’s name?” Having the answers to these questions doesn’t affect your PSN account by itself, since they have your password anyway, but it means that even if you change your password, they still have the answers that would let them reset it again. And again, if you have used the same questions and answers on any other service, the attackers can potentially compromise your accounts there too, and even after you change those passwords they can use the answers to obtain new ones. Security answers are, in effect, a second set of passwords, and a service should store them the same way: hashed, not readable.
Changing your security questions is likely harder than changing your password, but in the case of this breach it is at least as important, if not more so.
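To make the two points above concrete, here is an added example, not Sony’s code or anything from the articles linked below, of how a service should store passwords and security answers, and of why hashing helps without making a weak password safe. It uses PBKDF2-HMAC-SHA256 from Python’s standard library with a per-record random salt; the iteration count, the record format, the wordlist and the sample credentials are all assumptions constructed for this demonstration.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Work factor for PBKDF2. This number is an assumption for the example;
# a production value should be tuned to the server's CPU budget.
ITERATIONS = 100_000


def hash_secret(secret: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Store a password (or a security answer) as a salted, slow hash.

    Output format (assumed for this example):
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.
    A fresh 16-byte random salt is drawn per record, so two users with the
    same secret get different stored strings.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Check a login attempt against the stored record. The server never
    needs, and cannot recover, the original secret; it only re-hashes the
    attempt with the stored salt and compares."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", secret.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


def normalize_answer(answer: str) -> str:
    """Security answers are free text, so fold case and whitespace before
    hashing; otherwise 'Fluffy ' and 'fluffy' would not verify against the
    same record."""
    return " ".join(answer.casefold().split())


def dictionary_attack(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline guessing against a stolen salted record: hash each candidate
    exactly as the server does and compare. Hashing does not stop this;
    the slow work factor only makes every guess cost ITERATIONS hashes, and
    the salt means the work has to be repeated per user."""
    for candidate in candidates:
        if verify_secret(candidate, stored):
            return candidate
    return None


def dictionary_attack_md5(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """The same attack against an unsalted MD5 table: one cheap hash per
    guess, and one precomputed table cracks every user with that password."""
    for candidate in candidates:
        if hashlib.md5(candidate.encode("utf-8")).hexdigest() == target_hex:
            return candidate
    return None


# Constructed sample wordlist and credentials for the demonstration; not real accounts.
WORDLIST = ["123456", "password", "letmein", "qwerty", "password123"]


def demo() -> dict:
    weak_record = hash_secret("password123")
    strong_record = hash_secret("vXz!9 pine harbor 41")
    answer_record = hash_secret(normalize_answer("Fluffy"))
    return {
        "login_ok": verify_secret("password123", weak_record),
        "login_wrong": verify_secret("password124", weak_record),
        "answer_ok": verify_secret(normalize_answer("  FLUFFY"), answer_record),
        "cracked_weak": dictionary_attack(weak_record, WORDLIST),
        "cracked_strong": dictionary_attack(strong_record, WORDLIST),
        "cracked_md5": dictionary_attack_md5(hashlib.md5(b"password123").hexdigest(), WORDLIST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things to take from running it. First, an administrator with full access to this table can reset a user’s record by calling hash_secret with a new secret, but cannot read the old one, which is exactly the property a breached password table is supposed to have. Second, the weak password still falls to the dictionary attack even when stored properly; the salt and the work factor buy time per user and per guess, they do not rescue a password that is on every attacker’s list.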
Again, Sony does say that there is no evidence that actual credit card numbers have been compromised, but the possibility does exist. I wouldn’t say you need to cancel the credit card associated with your PSN account right now, I’m not, but I will be watching it like a hawk for the foreseeable future.
Where does that leave us? Well this is a pretty significant breach, and one of those events that really should make everyone take a step back and think about their online presence, and how they protect themselves. The attackers in this case have more than enough information to steal a person’s identity, and potentially the ability to compromise every online account you have, possibly even an online bank account login. There’s really no way to sugar coat that, they have the info, it’s possible.
Now, honestly, the part I’m least worried about here is the possibility of identity theft. That may seem odd, but to be totally honest, if someone really wanted to get the information needed to steal my identity, it’s probably all on the internet anyway. Sure, this packages it up nicely for the attackers, but I’m 100% sure that I have, at least once, posted every bit of information needed. Does that scare me? When I write it out like I just did and really realize it, it kind of does. Do I worry? A bit, but not as much as I thought I would. It’s no different than if I, say, lost my wallet, or if someone intercepted my mail. If someone really wants to steal my identity, they’re going to do it, regardless of any safeguards I take.
What really worries me is the fact that Sony was apparently so careless with user passwords. I am simply at a loss for words as to how this attack could have compromised actual user passwords. At my workplace, I have administrative access to every computer, server, and bit of information in the entire company. But there is physically no way for me to tell what someone’s actual password is. Sure, I can set a new password for someone when they forget theirs, but there is physically no way for me to find out what their current password is. The fact that the PSN is apparently not set up in the same manner is one of the most careless security practices I have ever heard of.
I have personally changed my password on every service I remember I’ve signed up for that may use that password. A few services, like my banking website and my primary email address, use completely different passwords that cannot be obtained through any part of this attack, and should be safe, but I’m still a bit worried about them. But what about “random online service” that I signed up for two years ago that I absolutely cannot remember? If it used the same password that was on my PSN account, that account is compromised, and it’s possible that I could have personal information on those accounts that could compromise me further. This attack has made me realize that I need to write down every online service I’m signed up for, not the passwords, maybe not even the usernames, but just the service, so I know where I have accounts that have the potential to be compromised, because I am at risk here, and the fault is Sony’s.
As I’ve said above, I’m not usually one to panic when I hear about a company getting attacked and some information getting compromised, because most of that information is likely somewhere to be stolen anyway. But the severity of this attack is alarming, and has eroded almost all of the trust I had in Sony as a company. Am I going to throw my PS3 out? No, but I’m going to think long and hard about ever giving my credit card information to that company again. Sony had my trust, and they have now lost it. I’m not sure if they will ever be able to get it back.
Below are links to the articles I used in my post, including the official statement from Sony on the PlayStation Blog:
[read] – Sony
[read] – This is my next…
[read] – Engadget