Sony is facing the ire of online-game-playing customers, and the scrutiny of security analysts, in the wake of attacks that exposed the account information of more than 100 million people.
Sony suspended its online games in early May "until we could verify their security," the company said. This came after it learned attackers had gotten access to more than 70 million account identities on its PlayStation Network and Qriocity services, followed by a second disclosure that 24.5 million additional user accounts had been compromised in mid-April. That second breach hit Sony Online Entertainment division systems; SOE is best known for its massively multiplayer games, including EverQuest II and Clone Wars Adventures.
Sony said it initially thought SOE customer data hadn't been stolen in the attacks. Information affected may include a user's name, address, email, gender, birth date, and phone number, as well as login name and a hashed password.
And, in a warning to companies that don't have solid data-deletion practices, Sony said hackers may have nabbed some credit card data from "an outdated database from 2007" containing about 12,700 credit or debit card numbers and expiration dates and 10,700 direct-debit records listing bank account numbers.
Sony protected the stolen passwords using "a cryptographic hash function," not encryption. That is a problem because a plain hash offers only limited protection: a hashed password can still be recovered by guessing candidates and hashing each one, and such guessing is cheap. Earlier this year, for example, to demonstrate how cheaply SHA1 hashes can be cracked, German security researcher Thomas Roth rented $2.10 of computing power from Amazon's EC2 cloud to crack 14 SHA1 hashes.
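The difference between a bare hash and a proper password-storage scheme is easier to see in code. The following is an added example, not code from the article or from Sony; the wordlist, the passwords and the iteration count are constructed for illustration. It stores the same passwords two ways, as unsalted SHA-1 (the kind of digest a single pass over a wordlist recovers for every user at once) and as salted, iterated PBKDF2-HMAC-SHA256 (where each guess must be recomputed per user and costs many hash operations), and then counts the work a guesser has to do against each.

```python
"""Added example (not from the article or Sony): why a bare cryptographic
hash is a weak way to store passwords, and what a salted, iterated
password hash changes. The wordlist and passwords below are constructed."""
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed wordlist standing in for the lists fed to GPU or cloud hash
# crackers; real lists contain millions of entries.
WORDLIST = ["password", "123456", "letmein", "qwerty", "sony2011", "everquest"]

# Constructed cost parameter; production systems tune this to their hardware.
PBKDF2_ITERATIONS = 100_000


def store_sha1(password: str) -> str:
    """Bare, unsalted SHA-1: what 'a cryptographic hash function' alone buys.
    Every user with the same password gets the same digest, so one table of
    hashed guesses serves against every user in the database."""
    return hashlib.sha1(password.encode()).hexdigest()


def recover_sha1(stored: list[str], wordlist: list[str] = WORDLIST) -> dict[str, str]:
    """Defender's check: hash the wordlist once and see which stored digests
    fall to a plain lookup (one hash per guess, reused across all users)."""
    table = {store_sha1(w): w for w in wordlist}
    return {d: table[d] for d in stored if d in table}


def store_pbkdf2(password: str, salt: bytes | None = None) -> str:
    """Salted, iterated hash. A fresh 16-byte salt per user means two users
    with the same password get different records and precomputed tables
    are useless; the iteration count makes each guess cost many hashes."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt and iteration count and
    compare in constant time."""
    _alg, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def recover_pbkdf2(stored: list[str], wordlist: list[str] = WORDLIST) -> dict[str, str]:
    """The same wordlist against salted records: no shared table is possible,
    so every guess is re-derived for every user at full PBKDF2 cost."""
    found: dict[str, str] = {}
    for record in stored:
        for w in wordlist:
            if verify_pbkdf2(w, record):
                found[record] = w
                break
    return found


def work_factor(n_users: int, n_guesses: int) -> tuple[int, int]:
    """Hash operations a guesser needs to try n_guesses against n_users:
    unsalted SHA-1 costs n_guesses total (the table is shared), salted
    PBKDF2 costs n_users * n_guesses * PBKDF2_ITERATIONS."""
    return n_guesses, n_users * n_guesses * PBKDF2_ITERATIONS


if __name__ == "__main__":
    digests = [store_sha1("password"), store_sha1("Zq7!vbn-unlisted")]
    print("unsalted SHA-1 recovered:", recover_sha1(digests))
    record = store_pbkdf2("letmein")
    print("salted PBKDF2 recovered:", recover_pbkdf2([record]))
    print("hash ops for 1,000,000 users x 6 guesses:", work_factor(1_000_000, 6))
```

The point of `work_factor` is the one the article's $2.10 figure makes from the other side: with unsalted hashes the cost of a wordlist pass does not grow with the number of accounts, so a 70-million-account dump is no harder to attack than a single one; salting and iteration make the cost scale with both the account count and the configured work factor.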
The fallout from attackers getting user names and passwords may be significant since many people use the same credentials on multiple sites, including banking sites. Another worry is that the data may end up built into a botnet, which could use stolen but legitimate credentials to bypass spam filters and security defenses.