Sony shuts down PlayStation Network

For you PlayStation 3 users out there, you might want to sit down—as you no doubt know, last Wednesday the PlayStation Network was taken offline. On Monday, Sony stated that it is keeping PSN offline indefinitely following an “outside attack” that compromised users’ information.

Sony is currently rebuilding the service, which connects more than 75 million PlayStation customers over the net. Sony Senior Director of Corporate Communications and Social Media Patrick Seybold said,

“I know you are waiting for additional information on when PlayStation Network and Qriocity service will be online. Unfortunately, I don’t have an update or timeframe to share at this point in time. As we previously stated, this is a time intensive process and we’re working to get them back online quickly. We’ll keep you updated with information as it becomes available. We once again thank you for your patience.”

The official word came today at about 1pm PST, directly from Seybold, on their blog:

Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

So basically: If you have a PSN account, your information has been compromised. As soon as PSN is back online, log in and change your password. This is certainly not a good time to be a PS3 user, especially considering Mortal Kombat and Portal 2 have recently been released. If you are a PS3 user, are you going to switch over to Xbox Live?

Comments

  1. Thrax
    Thrax wtvr even if psn is down ps3 is still better tan xbox three shitty lol 720p and no blue ray? xbox is garbage
  2. GHoosdum
    GHoosdum lolmetafanboi is eerily accurate.
  3. NiGHTS
    NiGHTS Firmware was released that essentially turned banned (or unbanned) boxen into PS3 dev boxen, which allowed virtual theft on PSN to take place. It wasn't a true dev box, but had enough necessary options to take advantage of the network. They've slammed the door shut by turning everything off, essentially.

    Though I agree, it took a PSX scene insider to release that info.
  4. UPSLynx
    UPSLynx Give me a frigging break. This is WAY worse than anyone anticipated.

    Mother effing anonymous and their holy crusade against Sony. I don't know if this is their doing, but damn them all regardless.
  5. UPSLynx
    UPSLynx I can't believe Sony waited six days to tell everyone that our personal information was compromised. They should have said that on day two.
  6. Tushon
    Tushon I wanted to play fanboi too but Thrax is too good.

    Lynx makes me giggle, but waiting 6 days is ridiculous given that it was way more than username/password.
  7. RootWyrm
    RootWyrm
    UPSLynx wrote:
    I can't believe Sony waited six days to tell everyone that our personal information was compromised. They should have said that on day two.

    Not just personal information. EVERYTHING they have on you. So yeah, time to cancel the credit cards and demand your (I believe) 3 years of credit monitoring since they lost enough to enable identity theft.

    GOOD JOB SONY.
  8. Cliff_Forster
  9. UPSLynx
    UPSLynx
    Tushon wrote:

    Lynx makes me giggle, but waiting 6 days is ridiculous given that it was way more than username/password.


    That's what I'm saying. This is a huge deal, don't be hush hush and attempt PR damage control when you know that customers worldwide are dealing with an intrusion this massive. Say something, anything, early on just to inform, control the situation by investigation. Effers.
  10. GHoosdum
    GHoosdum We are sorry your identity got stolen. Thanks for being a Sony customer.
  11. Thrax
  12. ardichoke
    ardichoke
    UPSLynx wrote:
    mother effing anonymous and their holy crusade against sony. I don't know if this is their doing, but damn them all regardless.
    he doesn't mean that. We <3 anon. Plz not to be dossing us.
  13. primesuspect
    primesuspect Bobby, from what I'm understanding this has nothing to do with anon. It was a compromise that allowed regular PS3s to connect to the PSN dev network. The breach was such that it revealed a fundamental architectural flaw in the way PSN was built. They opted to take it down and rebuild PSN to solve the issue moving forward.

    This is all hearsay, but it seems plausible.
  14. Tushon
    Tushon Same hearsay I was reading, so it must be true. Why PSN dev network had any kinda access to normal customer DBs is beyond me though.
  15. ardichoke
    ardichoke
    Tushon wrote:
    Why PSN dev network had any kinda access to the Internet beyond me though.

    FTFY... srsly, your dev network should be shielded from the net as a whole.
  16. Tushon
  17. BobbyDigi
    BobbyDigi Microsoft unbanned all their banned consoles this morning:
    http://www.thetechgame.com/News/sid=1599/microsoftdungoofd.html

    This is obviously a ploy to get PS3 players to go back to hackin... playing on their Sexbox.

    -Digi
  18. Canti
    Canti
    Thrax wrote:
    wtvr even if psn is down ps3 is still better tan xbox three shitty lol 720p and no blue ray? xbox is garbage

    lol hav fun playing with urself and ur stolenm credit cards while im playin reach and gears off war ON LINE!!!! who evn cares about blu ray anyway oh wait u do! cuz now u can olny watch movies psnub

    ps ps3 has no spoler> network!!!!!1 /spoilers
  19. UPSLynx
    UPSLynx
    Bobby, from what I'm understanding this has nothing to do with anon. It was a compromise that allowed regular PS3s to connect to the PSN dev network. The breach was such that it revealed a fundamental architectural flaw in the way PSN was built. They opted to take it down and rebuild PSN to solve the issue moving forward.

    This is all hearsay, but it seems plausible.


    Yeah, you're probably right. I still want to hate on anon for all of their white knight bullcrap though.

    Besides, they caused the outages before this shutdown. So that was additional inconvenience on their behalf. Beyond that, I wouldn't be surprised to find out the hacker that got in was part of this crusade.
  20. UPSLynx
    UPSLynx Also - I like that Sony confirms EVERYTHING has been compromised, maybe with the exception of credit cards. Right. The hackers just wanted contact information and nothing else.

    Can you imagine? It's like this hacker is the loneliest person to ever forever alone. He stumbles upon this little PS3 back door, and steals thousands of phone numbers in hopes of finding a friend. Ah, what a trooper.
  21. MAGIC
    MAGIC
    UPSLynx wrote:
    Also - I like that Sony confirms EVERYTHING has been compromised, maybe with the exception of credit cards. Right. The hackers just wanted contact information and nothing else.

    Can you imagine? It's like this hacker is the loneliest person to ever forever alone. He stumbles upon this little PS3 back door, and steals thousands of phone numbers in hopes of finding a friend. Ah, what a trooper.

    This will be easy to solve, just backtrace all the postcards being sent out from a common location.

    /csi.
  22. CB
    CB
    MAGIC wrote:
    This will be easy to solve, just backtrace all the postcards being sent out from a common location.

    /csi.

    If you take a photo of the server, then enhance it, you'll be able to see a fingerprint in the reflection of an eyeball, and then compare that to a digitized database of hackers, which will inexplicably flash through the faces of all of them as it compares the fingerprints. When it's done, you can pull up the guy's life story on the main holoscreen you have in the fingerprint lab, including photos of all the places he's ever lived, so that you can zoom in on one of them to form an establishing shot.

    Of course, when you get there, he'll already be dead.
  23. Thrax
    Thrax And he died of lupus.
  24. Koreish
  25. Tushon
    Tushon
    UPSLynx wrote:
    Yeah, you're probably right. I still want to hate on anon for all of their white knight bullcrap though.

    [sarcasm]Yeah, I guess they haven't done anything worth being proud of [/sarcasm]

    ... but that would be a huge threadjack
  26. ardichoke
    ardichoke
    Tushon wrote:
    Yeah, I guess they haven't done anything worth being proud of ... but that would be a huge threadjack

    except maybe the protests of Scientology?
  27. Tushon
    Tushon
    ardichoke wrote:
    except maybe the protests of Scientology?
    I meant wrap that in sarcasm quotes ... I thought it was oozing off the screen, but I have corrected it. I sometimes assume that people infer a lot more from other posts than is likely
  28. UPSLynx
    UPSLynx Anon has turned themselves into a big joke, and no amount of DDoSing or guy fawkes masks can make me believe in them. And this comes as a regular user of said group's origin website.
  29. BobbyDigi
    BobbyDigi
    UPSLynx wrote:
    Anon has turned themselves into a big joke, and no amount of DDoSing or guy fawkes masks can make me believe in them. And this comes as a regular user of said group's origin website.

    Believe.... in them? :tim:

    Oh yes, right, there is nothing to believe in.

    -Digi
  30. Graphics Design Well, I hope the new infrastructure turns out a lot better for us PSN users and for Sony as well. It's going to be tough to get over this but if there's a company that can put up with so much scrutiny and overcome it, it's Sony. They've been the laughing stock of this gen and which this current situation does screw stuff up for them; it could possibly turn out better for them in the future. Since they are actually rebuilding PSN, I hope we really do receive new features like being able to change our PSN ID and etc. They better pack the new network w/ all types of new stuff. I mean, stuff I never thought possible to do/have on PSN. Oh Sony... Good luck (you're going to need it)
  31. GHoosdum
    GHoosdum
    BobbyDigi wrote:
    Oh yes, right, there is nothing to believe in.

    Ve beleef in nussing, Lebowski!
  32. Cliff_Forster
    Cliff_Forster My Brother, an avid PSN user reports getting a strange phone call in regards to his bank / credit card. He said it was an obvious phishing attempt, he says his email account linked to his PSN account has been bombarded with new phishing attempts and scams.

    Coincidental? Perhaps not?
  33. rolleggroll
  34. Tushon
    Tushon While interesting, that was annoying as shit to read ... hence my lack of activity in IRC ever.
  35. NiGHTS
    NiGHTS User Aftermathr from r/gaming has an awesome breakdown of the recent update:

    These were the major points that I caught, let me know if I missed any or misinterpreted them. X-posted from r/ps3, hopefully no one minds. A lot of this seems to be summed up in the latest blog post as well: http://blog.us.playstation.com/2011/04/30/press-release-some-playstation-network-and-qriocity-services-to-be-available-this-week/

    About the attack
    • Not related to Anonymous, although they did bring up that they were being attacked by them for the past few months (repeatedly stated it was limited to DDoS).
    • This intrusion was very skillful and passed their firewall and other security measures because it looked like a normal transaction. It then made a tunnel and had a command attached as a trigger, at which point it was able to be manipulated remotely.
    • The attack used a known vulnerability. However, this vulnerability was not known to the management (really hope I understood that part correctly since it's a biggie). Since then, security measures have been improved against that mechanism of attack.
    • Because it was an advanced attack and left "no traces", they didn't learn of it until the 19th/20th of April. They still aren't aware of the scope of the data compromised, but say that CC info was a low possibility, since it was stored in a different part of the database and not likely read.
    • It took them until the 27th of April to confirm that data was compromised. They had been working with 3 different analysis entities starting from the 20th.
    • Information of up to 78 million accounts were taken, but some were likely duplicate/backup accounts. They later were asked about sales data, said that 37 million PS3s and 16 million PSPs had connected to PSN (install base of 50/69mil). There were 10 million Credit Cards connected to PSN at some point.
    • From what I understood, it seems that Sony will be doing more testing/inspection of its security measures to prevent future incidents like this. At the time though, SNEI believed their security to be good enough.

    Compromised Information
    • Hirai said that no improper CC usage has been reported and they have no evidence of CC info being compromised. They said that Sony will pay for CC reissuing and assist with monitoring/insurance programs for customers. If there are any improper charges, they will be handled on a case-by-case basis.
    • CC info was encrypted and stored in a different part of the database from user personal information. Because of this, user information and CC information are being categorized separately.
    • User passwords were not encrypted, but were hashed.
    • Is still analyzing data of the attack, so they weren't saying a whole lot about what had been taken.

    Investigation
    • Entities from outside of Japan have contacted Sony and requested that they cooperate with their investigation process. FBI HQ seems to be the most involved currently. List of questions from USA House of Representatives has been received.
    • Didn't give any more information, just said that investigations had been started globally.
    • They weren't aware of the extent of the attack until the 27th of April, the conference was delayed because there was much more that they wanted to work out (in terms of compensation and other considerations).

    Resumption of Services and Compensation
    • PSN compensation and CC-type compensation are being considered separately. Sony says they will cover credit card reissuing fees and will assist with credit monitoring/insurance programs.
    • Again saying that PSN will be online "within a week." Going to be incrementally bringing services back online. Different regions may see services at different times.
    • All PSN users will get one free month of PSN+ (current PSN+ subscribers will also get 30 free days), Qriocity subscribers will get a free month, and there will be some titles available for free download. Will differ based on region and their plans are not finalized as of yet.
    • All services to be back online within a month.
    • As far as cost to Sony, they weren't sure and it'd vary by region, but $15-$20 for PSN+ and a few thousand yen for the titles.

    Immediate Actions Being Taken
    • Moving the data center from San Diego to a more secure location and adding new detection measures, firewalls, and encryption to make data more secure. Creating a new job position to monitor security. These things have already been done to an extent, but they wouldn't comment specifically out of security considerations.
    • Sony is going to have a way for users to look at purchase history online (I think before PSN is actually up) to check for any abnormalities.
    • Sony will allow users to leave PSN. They are looking into ways to refund any balances on PSN or PSN+ fees if those exist for the user. There was one conflicting answer about this, but I'm pretty sure they're working on a system to allow users to leave and erase their info if they desire.
    • Firmware will need to be updated as soon as PSN is back up and users will need to change their password. Passwords can only be changed on the PS3 system the account was created or via a verified email address. That seemed like a super important point, but it was only mentioned once. However, that means people don't have to worry about a mad dash to change their password before a hacker does. As far as users changing a password from "A" to "B" and then back to "A," they'll alert users if they're doing something like that, or if it's close to their username or something.
    • Apparently the updates in Japan were even slower than the ones in the US/EU, so in Japan they're probably going to set up a blog similar to the NA/EU.
    • Tablet/NGP launch dates will not be affected.
    • They'll possibly be taking measures against the root key thing, although this part wasn't clear and there was a lot of rambling.
    • Want to re-earn user trust as well as developer trust on the PSN ecosystem.
    • They actually apologized for the incident!!

    Edit: Concerning the datacenter being moved, "[Sony] also expedited an already planned move of the system to a new data center in a different location that has been under construction and development for several months." (from the us playstation blog post)
  36. Linc
    Linc Kenkel you just wrote an entire epic front-page feature as a forum post bulleted list. :range:
  37. NiGHTS
    NiGHTS I can't take credit for work that isn't mine, though...
  38. Canti
  39. Ryder
  40. ardichoke
    ardichoke I hate to be that guy... but does anyone else feel like this is the kind of thing a company should expect when they sue someone for tweaking hardware that they legally purchased? I mean... if you're going to piss off the hacker community, you should really make sure you have your shit on lockdown. Not that I agree with what is being done.
  41. Jokke
    Jokke You buy a car, and you trim the hell out of it, making it go way faster than it was manufactured for. Do you go on a rampage when you get caught for it?
  42. ardichoke
    ardichoke Except that geohot wasn't doing anything illegal. Better analogy, you buy a car and replace the engine with a more efficient one that gets you better gas mileage and faster acceleration. Toyota then sues you for modifying your car and telling other people how they could do the same. How is that in any way right?
  43. Jokke
    Jokke It's not illegal to mod the PS3? Then I'm sorry, I was mistaken.
  44. ardichoke
    ardichoke Well... that's really the question here. Obviously Sony WANTS it to be illegal.... but at the same time, there really isn't any legal precedent for them to stand on. I mean, just logically speaking, why should it be illegal to modify something that you bought and legally own?
  45. primesuspect
    primesuspect There IS a legal precedent: the DMCA makes it illegal to "bypass" any form of copy protection.
  46. ardichoke
    ardichoke Right... but if you're modding without bypassing or affecting the copy protection then that wouldn't apply. For instance, restoring the ability to install another OS doesn't do anything to the copy protection.
  47. Jokke
    Jokke Maybe there is some small print in the EULA. Nobody reads those things.
  48. Basil
    Basil Dunno if you guys have seen this but Sony are pointing the finger at anon.
    We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named “Anonymous” with the words “We are Legion.”
    Sauce

    See also Page 2, Point 4, Paragraph 4 of the letter to the U.S. House of Representatives.
  49. Tushon
    Tushon Well, I'm not saying anon did or didn't do it (though they claim the anon ops channel or w/e was not involved), but anyone can plant a file misdirecting attention etc.
  50. UPSLynx
    UPSLynx Effing anon.

    Regardless of whether it was an act of propriety for Sony to sue Geohot or not, they, as a company, were exercising their right to protect their product and name. I don't blame them for taking action.

    I am, however, utterly furious with Sony right now. This situation has been handled in a rather sloppy manner, and the sheer fact that so much personal information has been compromised is mind blowing. People will be talking about this for decades to come.
  51. Cliff_Forster
    Cliff_Forster I'm not bright enough to follow the hacker trail, but I can tell you this is a disaster of epic proportions for Sony and its PR machine.

    I'm in the process of rebuilding my home theater. Right now, I have to strike Sony from the list of potential technology vendors. If I can't trust them with my personal info, how am I going to trust them on other aspects of their customer service and quality? I'm sure there are a few other guys that feel the same way. I guarantee, this bad PR will have a far reaching negative effect, like Toyota last year with the safety issues, Sony is going to suffer the same kind of losses across all of their core businesses. It won't just be isolated to gaming consoles.
  52. Tushon
    Tushon
    like Toyota last year with the safety issues that were shown to be mostly operator error and people gunning for free money
  53. ardichoke
    ardichoke
    If I can't trust them not to arbitrarily remove features with their firmware updates, how can I trust them at all?

    FTFY
  54. Tushon
  55. Cliff_Forster
    Cliff_Forster Agreed on the firmware comments. Just when you thought Sony was getting it together.... What a shame.
