Arik Hesseldahl

Sony To PlayStation Customers: Hackers Got Us, And Now You Too

Sony has advised customers of its PlayStation Network for online gaming and its Qriocity online media store that unknown hackers have apparently breached their account information. The breach, which Sony disclosed in a blog post, is the result of what it called an “external attack” that has kept the PlayStation Network offline for nearly a week.

“We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network.”

In an email that it is sending to the 70 million-plus customers of the two services, Sony said it believes that the attackers obtained personal information associated with accounts, including names, addresses, email addresses, birthdates, usernames and passwords. It said there is “no evidence” that credit card accounts have been breached, but that it cannot rule out that possibility. “If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained,” the statement says.

The attackers may have also seen purchase histories. Sony also says that a class of lesser accounts, known as sub-accounts, which are usually held by adults for their children, has been breached. “If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained,” Sony’s statement says.

It’s the latest in a long string of breaches involving customer data. Last year Silverpop Systems suffered a data breach that forced several large companies including McDonald’s and Honda to advise people who had signed up for marketing messages from their Web sites to change passwords they use on other sites. As with those incidents, Sony is asking customers to change any passwords they may also use on other sites. (Lesson: Don’t use a single password on more than one site.)

The breach opens Sony’s customers up to the possibility of other kinds of attacks using their information. Armed with one set of information, say the knowledge that they have an account on Sony’s PlayStation Network, an attacker could send a customer an email pretending to be Sony seeking an updated credit card number or could send one pretending to be from the target’s bank asking for account information. As Sony puts it:

“For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking.”

Sony says it has hired an outside security firm to conduct an investigation into the incident, though it declined to name the firm. Its gaming service still hasn’t been restored, though it said it expects to have it up and running again within a week. The incident has marred the releases of two eagerly anticipated games on the PS3, Portal 2 and Mortal Kombat, leaving those who bought them playing only in non-network mode.