Security Experts:

PlayStation Network Hacked: User Data Compromised

PlayStation Breach, Network Hacked: Sensitive User Data Compromised

PlayStation Network BreachSony today alerted users that an unauthorized person has obtained significant pieces of personal data including, name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID of its PlayStation Network users.The company also warned that profile data, including purchase history and billing address (city, state, zip), and PlayStation Network/Qriocity password security answers may have been obtained. With the PlayStation Network having over 75 Million registered users, we have a massive breach here. Yes, another one.

Sony says the network could be down for up to another week. Sony had intentionally "shut off" access to the PlayStation Network last Wednesday, presumably when the breach occurred.

While it’s not known who is responsible for the intrusion, many were initially pointing fingers at Anonymous, the “Hacktivist” group that gained much visibility over Wikileaks and music industry related attacks. The group had recently targeted Sony Web properties with DDoS attacks in response to a lawsuit that Sony had filed against Georg Hotz, an American hacker who discovered how to unlock (jailbreak) the PlayStation 3 console's operating system. 

But the Anonymous group says it’s not behind the incident saying earlier this week, “For Once We Didn't Do It.” In a post to the site the group uses to update the world on its latest initiatives, the group wrote, “While it could be the case that other Anons have acted by themselves AnonOps was not related to this incident and takes no responsibility for it. A more likely explanation is that Sony is taking advantage of Anonymous' previous ill-will towards the company to distract users from the fact the outage is actually an internal problem with the companies servers.”

Below is from an update from Sony as of this afternoon:

Valued PlayStation Network/Qriocity Customer:
We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:

1. Temporarily turned off PlayStation Network and Qriocity services;

2. Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and

3. Quickly taken steps to enhance security and strengthen our network infrastructure by re-building our system to provide you with greater protection of your personal information.

We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.

Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.

We will continue to update this Sony PlayStation breach incident and provide additional information as we are able to get it.