Attacks/Breaches
5/4/2011
05:35 PM

Sony Reels From Massive Customer Data Breach

PlayStation account-holder data likely still at risk.

Sony is facing the ire of online-game-playing customers, and the scrutiny of security analysts, in the wake of attacks that exposed the account information of more than 100 million people.

Sony suspended its online games in early May "until we could verify their security," the company said. This came after it learned attackers had gotten access to more than 70 million account identities on its PlayStation Network and Qriocity services, followed by a second disclosure that 24.5 million additional user accounts had been compromised in mid-April. That second breach hit Sony Online Entertainment division systems; SOE is best known for its massively multiplayer games, including EverQuest II and Clone Wars Adventures.

Sony said it initially thought SOE customer data hadn't been stolen in the attacks. Information affected may include a user's name, address, email, gender, birth date, and phone number, as well as login name and a hashed password.

And, in a warning to companies that don't have solid data-deletion practices, Sony said hackers may have nabbed some credit card data from "an outdated database from 2007" containing about 12,700 credit or debit card numbers and expiration dates and 10,700 direct-debit records listing bank account numbers.

Sony protected the stolen passwords with "a cryptographic hash function," not encryption, which is a problem because hashing on its own has limits. Earlier this year, for example, to demonstrate weaknesses in the SHA1 secure hash algorithm, German security researcher Thomas Roth rented $2.10 of computing power from Amazon's EC2 cloud to crack 14 SHA1 hashes.
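To show the limit the article points to, here is an added example (not code from the article or from Sony) that contrasts an unsalted SHA-1 password store with a salted, slow PBKDF2 store; the user records and the short common-password list are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: a short list of common passwords an auditor already holds.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
PBKDF2_ITERATIONS = 200_000


def sha1_unsalted(password: str) -> str:
    """The weak scheme: one fast, unsalted digest per password."""
    return hashlib.sha1(password.encode()).hexdigest()


def audit_unsalted_hashes(stored: dict, wordlist: list) -> dict:
    """Defender's check on a dump of unsalted SHA-1 hashes: digest each
    candidate once, then report every stored hash that matches. With no
    salt, a single table covers all users at once, which is the weakness."""
    table = {sha1_unsalted(word): word for word in wordlist}
    return {user: table[d] for user, d in stored.items() if d in table}


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> tuple:
    """The stronger scheme: per-user random salt plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def pbkdf2_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a login attempt against the stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed user records; two users share the same weak password.
    users = {"alice": "letmein", "bob": "letmein", "carol": "c0rrect-horse-battery"}
    weak_dump = {u: sha1_unsalted(p) for u, p in users.items()}
    print("recovered from unsalted SHA-1:", audit_unsalted_hashes(weak_dump, COMMON_PASSWORDS))
    salted = {u: pbkdf2_store(p) for u, p in users.items()}
    print("alice and bob digests equal under PBKDF2+salt:",
          salted["alice"][1] == salted["bob"][1])
```

With the unsalted scheme the two users sharing a password produce identical digests and both fall to one precomputed table; with per-user salt and a slow KDF the digests differ and each guess must be recomputed per user.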

The fallout from attackers getting user names and passwords may be significant since many people use the same credentials on multiple sites, including banking sites. Another worry is that the data may end up built into a botnet, which could use stolen but legitimate credentials to bypass spam filters and security defenses.
