05:35 PM
Connect Directly

Sony Reels From Massive Customer Data Breach

PlayStation account-holder data likely still at risk.

Sony is facing the ire of online-game-playing customers, and the scrutiny of security analysts, in the wake of attacks that exposed the account information of more than 100 million people.

Sony suspended its online games in early May "until we could verify their security," the company said. This came after it learned attackers had gotten access to more than 70 million account identities on its PlayStation Network and Qriocity services, followed by a second disclosure that 24.5 million additional user accounts had been compromised in mid-April. That second breach hit Sony Online Entertainment division systems; SOE is best known for its massively multiplayer games, including EverQuest II and Clone Wars Adventures.

Sony said it initially thought SOE customer data hadn't been stolen in the attacks. Information affected may include a user's name, address, email, gender, birth date, and phone number, as well as login name and a hashed password.

And, in a warning to companies that don't have solid data-deletion practices, Sony said hackers may have nabbed some credit card data from "an outdated database from 2007" containing about 12,700 credit or debit card numbers and expiration dates and 10,700 direct-debit records listing bank account numbers.

Sony protected the passwords that were stolen using "a cryptographic hash function," not encryption, a problem because hashing can have limits. Earlier this year, for example, to demonstrate weaknesses in the SHA1 secure hash algorithm, German security researcher Thomas Roth rented $2.10 of computing power from Amazon's EC2 cloud to crack 14 SHA1 hashes.

The fallout from attackers getting user names and passwords may be significant since many people use the same credentials on multiple sites, including banking sites. Another worry is that the data may end up built into a botnet, which could use stolen but legitimate credentials to bypass spam filters and security defenses.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-09-19
Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, Office 2004 for Mac, and Office X for Mac do not properly parse record lengths, which allows remote attackers to execute arbitrary code via a malformed control in an Office document, aka "Microsoft Office Control Vulnerability."

Published: 2014-09-19
Multiple cross-site scripting (XSS) vulnerabilities in MailEnable Enterprise 6.5 allow remote attackers to inject arbitrary web script or HTML via the (1) From, (2) To, or (3) Subject header or (4) body in an SMTP e-mail message.

Published: 2014-09-19
Cross-site scripting (XSS) vulnerability in the admin interface in Phorum before 5.2.19 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

Published: 2014-09-19
QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file with RLE encoding.

Published: 2014-09-19
Unspecified vulnerability in PowerDNS Recursor (aka pdns_recursor) 3.6.x before 3.6.1 allows remote attackers to cause a denial of service (crash) via an unknown sequence of malformed packets.

Best of the Web
Dark Reading Radio