Hackers selling PSN data of over 2.2 million users [4/29/2011]

There are rumors that the hackers have the personal info (names, addresses, creditcard numbers, etc) of over 2.2 million users and tried to sell it back to Sony but with no reply. So now they are trying to sell them the highest bidder.

From; http://bits.blogs.nytimes.com

Security researchers said Thursday that they had seen discussions on underground Internet forums indicating that the hackers who infiltrated the Sony PlayStation Network last week may have made off with the credit card numbers of Sony customers.

The comments indicated that the hackers had a database that included customer names, addresses, usernames, passwords and as many as 2.2 million credit card numbers, the researchers said.

Kevin Stevens, senior threat researcher at the security firm Trend Micro, said he had seen talk of the database on several hacker forums, including indications that the Sony hackers were hoping to sell the credit card list for upwards of $100,000. Mr. Stevens said one forum member told him the hackers had even offered to sell the data back to Sony but did not receive a response from the company.

Although several researchers confirmed the forum discussions, it was impossible to verify their contents or the existence of the database.

When asked about the hackers’ claims, Patrick Seybold, senior director of corporate communications and social media at Sony, said, ”To my knowledge there is no truth to the report that Sony was offered an opportunity to purchase the list.” Mr. Seybold also pointed to a blog post Sony published Thursday that said: “The entire credit card table was encrypted and we have no evidence that credit card data was taken.” Sony has said that it could not rule out the possibility that hackers might have obtained credit card data.

“Sony is saying the credit cards were encrypted, but we are hearing that the hackers made it into the main database, which would have given them access to everything, including credit card numbers,” said Mathew Solnik, a security consultant with iSEC Partners who frequents hacker forums to track new hacks and vulnerabilities that could affect his clients. Mr. Solnik said that people on the forums had details about the servers used by Sony, which may indicate that they had direct knowledge of the attack.

Mr. Solnik said researchers believe that the hackers gained access to Sony’s database by hacking the PS3 console and from there infiltrating the company’s servers.

Dan Kaminsky, an independent Internet security specialist, said in a phone interview that he had also seen forum posts about a Sony credit card database, but he said he could not confirm who was behind the attack. “These attacks just keep getting larger and larger and larger,” he said. “The security measures technology companies employ today are just not robust enough.”

The San Diego office of the Federal Bureau of Investigation, which is helping Sony with its inquiry into the hacking incident, declined to comment.

"Screenshots" from PSX-Scene forums

Victim of the PSN outage

This is what happens when you take down the PSN. The horror, the mayhem, the outrage, and the victims. The hearts of young men and women are put to the test. Some survive, most fall.

Here is a video of one such man who is about to completely lose it and this was uploaded back on Saturday, April 23, 2011. Even before Sony announced that personal data may have been stolen during the security breach.

[youtube http://www.youtube.com/watch?v=_xKV9BFEEXQ&w=560&h=349]

"Remember when the PS3 controller was supposed to look like this?"

PSN Outage FAQs [Updated: 04/29/2011]

It's been a week! Here are some questions that have been answered by Sony regarding this "criminal intrusion".

UPDATE: 04/28

Q: Are you working with law enforcement on this matter? A: Yes, we are currently working with law enforcement on this matter as well as a recognized technology security firm to conduct a complete investigation. This malicious attack against our system and against our customers is a criminal act and we are proceeding aggressively to find those responsible.

Q: Was my personal data encrypted? A: All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.

Q: Was my credit card data taken? A: While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained. Keep in mind, however that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system.

Q: What steps should I take at this point to help protect my personal data? A: For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well. To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports.

Q: What if I don’t know which credit card I’ve got attached to my PlayStation Network account? A: If you’ve added funds to your PlayStation Network wallet in the past, you should have received a confirmation email from “DoNotReply@ac.playstation.net” at the email address associated with your account. This email would have been sent to you immediately after you added the funds, and will contain the first 4 digits and last 4 digits of your credit card number. You can also check your previous credit card statements to determine which card was attached to your PlayStation Network or Qriocity accounts.

Q: When or how can I change my PlayStation Network password? A: We are working on a new system software update that will require all users to change their password once PlayStation Network is restored. We will provide more details about the new update shortly.

Q: Have all PlayStation Network and Qriocity users been notified of the situation? A: In addition to alerting the media and posting information about it on this blog, we have also been sending emails directly to all 77 million registered accounts. It takes a bit of time to send that many emails, and recognize that not every email will still be active, but this process has been underway since yesterday. At this time, the majority of emails have been sent and we anticipate that all registered accounts will have received notifications by April 28th. Consumers may also visit www.us.playstation.com/support and www.qriocity.com for notices regarding this issue. In addition, we have taken steps to disseminate information regarding this issue to media outlets so that consumers are informed.

Q: What steps is Sony taking to protect my personal data in the future? A: We’ve taken several immediate steps to add protections for your personal data. First, we temporarily turned off PlayStation Network and Qriocity services and, second, we are enhancing security and strengthening our network infrastructure. Moving forward, we are initiating several measures that will significantly enhance all aspects of PlayStation Network’s security and your personal data, including moving our network infrastructure and data center to a new, more secure location, which is already underway. We will provide additional information on these measures shortly.

Q: Has Sony identified the party or parties responsible for the PlayStation Network hack and subsequent theft of personal information? A: We are currently conducting a thorough investigation of the situation and are working closely with a recognized technology security firm and law enforcement in order to find those responsible for this criminal act no matter where in the world they might be located.

Q: When will the PlayStation Network and Qriocity be back online? A: Our employees have been working day and night to restore operations as quickly as possible, and we expect to have some services up and running within a week from yesterday. However, we want to be very clear that we will only restore operations when we are confident that the network is secure.

UPDATE: 04/29

Q: Will our download history/friends list/settings be affected by the PSN downtime? A: No, they will not.

Q: Will trophies that were earned in single-player offline games during the outage be intact when the service resumes? A: These trophies are intact and will be re-synched when the network is once again operational.

Q: Will my PS+ cloud saves be retrievable? A: Yes, once PSN is restored.

Q: What if we have a subscription to PS3 MMOs DC Universe Online or Free Realms? Will we get compensation for that? A: From Sony Online Entertainment: “We apologize for any inconvenience players may have experienced as a result of the recent service interruption. As a global leader in online gaming, SOE is committed to delivering stable and entertaining games for players of all ages. To thank players for their patience, we will be hosting special events across our game portfolio. We are also working on a “make good” plan for players of the PS3 versions of DC Universe Online and Free Realms. Details will be available soon on the individual game websites and forums.”

Q: Will there be a goodwill gesture for the time we haven’t been able to utilize PSN/Qriocity? A: We are currently evaluating ways to show appreciation for your extraordinary patience as we work to get these services back online.

Source [Playstation.Blog]

And the PSN Outage’s First Class-Action Lawsuit is Already Filed - 4/28/2011

All I can say is... wow. Great job Sony.

From; Kotaku

If the Great PlayStation Network Blackout is going to cost Sony $24 billion, as some estimate, you bet some hunk of that is going to be paid to lawyers, and already they are lining up. A California law firm today filed a lawsuit that seeks class action status, alleging Sony didn't follow industry practices to protect its 77 million PSN customers, who were harmed by "one of the largest data breaches in the history of the Internet."

The Novato, Calif.-based Rothken law firm brought the suit on behalf of plaintiff Kristopher Johns. The 22-page complaint (read it here, .pdf). It alleges Sony violated the Payment Card Industry Data Security Standard, which is meant to protect credit card data, and didn't follow legal requirements to protect customer records.

Sony's early public statements concerning the outage, followed by the revelation of the security breach five days later, also constitute a failure to appropriately warn customers they were at risk.

No dollar figure is cited in the complaint, but it seeks the full range of damages - compensatory, statutory, and punitive. And lawyers' fees, too.

Link ChevronClass Action Lawsuit Brought Against Sony Over PSN Data Breach [Gamasutra]