Sony Comes Clean: PSN Hackers Have Stolen Personal Data

A security breach in the PlayStation Network by still unidentified hackers resulted in stolen personal information, Sony confirmed today.

The news comes more than nine days after the intrusion and six days after Sony shut down both the PlayStation Network and Qriocity services in reaction to the breach. Sony says they’ve hired a “recognised security firm” to conduct a complete investigation into what happened and have taken steps to enhance security and strengthen network infrastructure.

“We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorised intrusion into our network,” Patrick Seybold, senior director of corporate communications for Sony Computer Entertainment of America, wrote on the official Playstation Blog today.

Among the possible information stolen:

  • Address (city, state, zip)
  • Email address
  • PlayStation Network/Qriocity password and login, and handle/PSN online ID

There is no evidence that credit card data was taken, Seybold writes, but the company cannot rule out that possibility.

“If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained,” he wrote.

Sony is encouraging users to be especially alert to potential phishing scams, in which people use email, phone calls and postal mail to try to extract more personal or sensitive information. Sony also strongly recommends that you change your password once you’re able to log back into the PlayStation Network.

“To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports,” Seybold wrote.

“We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority. Please contact us at 1-800-345-7669 should you have any additional questions.”

Update on PlayStation Network and Qriocity


  • Sadly, I somehow suspect this is more spin from Sony. Something as important as users’ personal details being compromised would (should) be acknowledged immediately so users can take steps to protect themselves and their bank accounts. An intrusion of this magnitude would also attract the attention of law enforcement including, but not limited to, the FBI.

    At this point I would take anything Sony have to say about this with a grain of salt. A grain of salt the size of a VW Beetle…

      • I didn’t say I “don’t” believe them – only be wary of the ‘official’ story. Seven days to report a breach of 70 million user accounts? Somehow I think that’s a tad important to inform account holders from day one.

        Even Vodafone didn’t wait 7 days to inform the public their customer database had been compromised.

        • Sony should be properly worried about this. While the parent/child owners of the PS3 probably won’t be too concerned about this (unless their credit card is suddenly maxed after buying 5 kilos of Russian pseudoephedrine), enthusiast gamers will be enraged. Like, leaving the PlayStation brand and never coming back enraged. As a 360 owner, over the years, I have had many a good laugh at Sony’s hamfisted PR, but this is some transcendentally, comically bad stuff. It’s kind of chilling how little they respect their customers, because 7 days? Jesus.

  • Thanks for waiting so long to tell me, Sony. Rather than be honest and upfront you’ve opened millions up to potential debt and stolen funds.

    Cancelling my card just in case.

    • And already, we have one more person who failed to read the part about there being no evidence that credit card information was compromised.

      • They said:

        “If you have provided your credit card data through PlayStation Network or Qriocity, it is possible that your credit card number (excluding security code) and expiration date may also have been obtained.”

        f4cti0n is just doing the sensible thing and being cautious. I did the exact same thing and cancelled my credit card. A breach of this size and seriousness, it just makes sense to take those precautions. It’s stupid to not do so.

        • No, see, I also cancelled my card. That is sensible. The “Cancelling my card just in case.” part of the comment is fine.

          It’s the “Thanks for waiting so long to tell me, Sony. Rather than be honest and upfront you’ve opened millions up to potential debt and stolen funds.” part where we move into sensationalist territory.

          • FYI “potential” does not equal “certain”.

            I’m just playing it safe and wanted Sony to advise us earlier if they had doubts.

            Jesus, it’s like I’m making a personal attack on you or something. Calm down.

      • And another person who failed to read the next part saying they can’t rule out the possibility that it wasn’t taken.

        With Sony taking its sweet ass time to inform us, you can’t be too cautious.

  • Can Kotaku confirm with Sony whether this is localised to the US or whether it applies to Europe/Asia-Pacific PSN accounts as well? While I see no reason why it wouldn’t, all I’ve seen quoted so far is the Sony America quote (with its specific-to-America advice).

  • This is disgraceful.

    I’ve been trying to limit the number of places that have my credit card details and this just confirms why that’s a good idea.

    I’ve removed my cc from Xbox Live and will be doing the same thing with PSN when it eventually comes back up. I’ll only use prepaid cards in the future.

  • I don’t understand how they could actually steal passwords. I mean, presumably the passwords would be stored in an encrypted format so that even if they were stolen they couldn’t actually be used. Unless… of course… they WEREN’T encrypted… god damn you, Sony.

    You get a bunch of absolute geniuses to build your console, then get a few semi-trained baboons to put together the online service.

    I’m just grateful that my credit card actually expired last week and, thanks to the outage, I haven’t been able to update my account with the new credit card details.

    • Apparently, some hackers looked into it a couple of months ago and found that passwords and credit card details were sent to Sony unencrypted, and my guess is that it’s possible they found a method by which to obtain such data.

      If this is the case, I feel like a complete dunce about it, as I believed that after the security breach earlier this year, that wouldn’t be probable, but I was wrong.

      As for the hackers, you’ve kicked the hornet’s nest, now be prepared for hell to hail down on you as I hope this “investigation team” finds you and brings justice to your sorry ass.

      And Sony, if your files were sent unencrypted, then this was bound to happen, and should have been addressed before the console came out and the PSN went live.

      And like I said before, Geohot was the one that started all this, so we should all go Falcon Punch him.
      (Oh, and isn’t it ironic they settle the court case before this happens? Seems to me this was a planned attack, otherwise Geohot would have faced more allegations against besides piracy. Just a thought.)

    • A hack long ago revealed that Sony DOES NOT encrypt that personal information when it’s sent over the internet. Sony have known about this flaw in their system for about 6 months and did nothing.

      • Yeah, I knew they’d discovered that back when the FailOverflow/Geohot thing happened back around Xmas time. I guess I just kind of assumed that was one of the obvious things that would have been fixed in that last firmware update.

        Not sure which is stupider, now – Sony for not fixing it, or me for thinking they would have.

    • Agreed. I was previously willing to give Sony the benefit of the doubt and assume that the hack may have been somewhat sophisticated, but if they were storing plain text passwords instead of hashing them as even the most junior developer should know, then sheer incompetence seems the most likely explanation for this hack.

    • I bet they just hash the password and store it in a database so it’s not human readable. I argued here not to do that and we ended up using more robust and rigorous encryption algorithms to store user data. Windows OS does the same, it stores usernames/passwords as hashes. So you can get that little Linux boot CD that resets/changes users’ passwords in Windows XP through to Windows 7, giving you admin access to any Windows box. Secure stuff! But funny if you want to change a friend’s desktop background to Osama Bin Laden’s face.

      • Hashes are fine, and are actually preferable over encryption, you simply need to implement it in a sane manner by choosing a good hashing algorithm, salting correctly, and if your hashing algorithm doesn’t already, rehashing again many times over.
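The comment above (and the earlier one about plain-text versus hashed passwords) describes the pattern without showing it. As an added example that is not from the article or any commenter, here is that pattern in Python's standard library: a fresh random salt per user, a deliberately slow iterated hash (PBKDF2-HMAC-SHA256), constant-time verification, and a self-describing record so the iteration count can be raised later. The record format, the parameter values and the helper names are assumptions of this example, not Sony's or anyone else's implementation.

```python
import hashlib
import hmac
import os

# Parameters chosen for this example only; the iteration count is a policy
# that should be raised over time as hardware gets faster.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def naive_unsalted_hash(password):
    """What the comments warn against: a fast, unsalted hash. Every user with the
    same password gets the same digest, so one precomputed table breaks them all."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # new random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the salt and iteration count stored in the record, then
    compare in constant time so timing does not leak how many bytes matched."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record, minimum_iterations=ITERATIONS):
    """True when a stored record is below the current iteration policy; the
    application rehashes it on the user's next successful login."""
    _, iterations, _, _ = record.split("$")
    return int(iterations) < minimum_iterations


def same_password_shares_record(password):
    """Salting means two users with the same password still store different values."""
    return hash_password(password) == hash_password(password)
```

On login, a service calls verify_password and, if needs_rehash is true, stores a fresh hash_password result, which is how an installed base migrates to stronger parameters without ever seeing plain-text passwords at rest.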

      • I do not mean to be rude, but this a problem with an online service – it doesn’t matter what the client system is, console or PC.

        And for the love of life, can we please drop that “PC gaming is dying/crippled/hampered/etc” oxymoron. It’s like the death ray myth on Mythbusters – busted more than enough times already.

        • That was my point. A good number of PS3 owners (well console owners really) have falsely stated for a while that “PC gaming is dead” – they’re wrong.

          On the flip side, I don’t see many PC gamers having their credit card details put at risk by an un-encrypted system, on Steam for example. In fact Steam have beefed up their security by requiring users who log in via a different PC than their usual to enter an access key that is emailed to their account email. Something Sony should have considered for Dev boxes maybe?

  • Relax. If people’s funds get misappropriated due to improper security on Sony’s part, there will probably be a class action lawsuit. If Sony genuinely thought that people’s credit cards were in danger I’d have thought that they would give as much forewarning as possible – just to reduce liability on their part.

    • If that happens I think your credit card company will cover the losses from the dodgy transactions provided you notify them as soon as you find out about the possible breach and cancel the card.

      Of course the credit card companies might then want to have a word with Sony.

  • Two questions:

    Firstly, what kind of fucking response is this? An open letter on a blog? What about mom and pop who let little Jimmy use their credit details to buy PSN content. How are they meant to know what kind of risk Sony has placed them in?

    Second question: If the rumour that users spoofing dev consoles was true, WHY ARE OUR PERSONAL DETAILS STORED IN A LOCATION THAT ANYONE WITH A DEV UNIT CAN ACCESS?

  • So the stories go…

    God created the world in 6 days and rested on the 7th.

    Sony let our personal information get pinched in 2 days, kept quiet for a further 4 days, shut down the PSN for 6 days and told everyone on the 9th.

    It would be funny if it weren’t so serious…

  • So….
    How do we change our passwords if you can’t sign in!
    Awesome work Sony.
    It even made the main news bulletin on ABC24

    • Not that I’m familiar with the PSN that much, but maybe through their website. I’m pretty sure you can for your Xbox Live account.

      This is pretty bad, but hey, will teach them a lesson!

      Although the users don’t deserve this, Sony need to realise they’re not as big as they think they can be.

      • I just tried that idea – clicked ‘Sign in’ on the Australian PlayStation website.

        Got an error page saying I can’t log in.

        I am definitely removing my card information from my account once it’s back up. I might even do it for my XBLA account as well and hold off until both opt for PayPal.

  • Can we blame that idiot who jailbroke the PS3 for this? Please? Just a little? Can we also blame every idiot who stood up for him and defended him? I just hope the little bastard is feeling quite stressed that he didn’t help matters by putting on his little public show and giving hackers these kinds of tools.
