
Thread: PSN and Eidosmontreal.com hacked

  1. #1
    Join Date
    Apr 2001
    Location
    Mater Urbium
    Posts
    27,488

    PSN and Eidosmontreal.com hacked

    As you probably already know, Sony's PlayStation Network has been hacked.

    The hackers gained access to personal customer data such as name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity handle/PSN online ID and password. Possibly even credit card information, although that is not sure yet.

    Now, what I don't understand is why customers' passwords were up for grabs in the first place.

    As a webmaster/web designer, I know that passwords of customers should never ever be stored in your website's database!


    Any large and professional website obscures passwords with encryption (MD5 hashing for example, which is what I use for my users) once a new user registers an account. This makes it so that even the company's employees cannot see customers' passwords.

    This makes just common sense. A password is nobody's business but your own!

    But I guess since Sony didn't even bother to take this crucial security check, it is no wonder that their server ended up being hacked, because if you oversee such a basic security flaw, who knows what [other holes they left in their system]

    Driber.net | Forum Thumbnailer | Driber Wagon™ | RAWR! | TR Ancient Legends III - Lost Chambers | -- .- .-. .. . / .. ... / -.-. ..- - . :-)

  2. #2
    Join Date
    Dec 2001
    Location
    UK
    Posts
    1,295
    I've had this same argument with some people on Twitter. It's a fundamental base for any concept of user account system as far as I was aware, and the fact that it was ignored raises some serious questions.

    Plus I'm bloody annoyed that my most secure password is now out there, so I'm having to change several passwords due to the variations of it I used (yes, I know you shouldn't use the same password; having it for 7 years without issue, though, proves the point that a secure password with careful usage does work!) - Now it'll probably take me ages to think up a password with similar complexity and flexibility that the old one had.

  3. #3
    Join Date
    Jul 2009
    Posts
    3,055
    I couldn't agree more Driber. My company stores passwords in our database using one-way encryption. You input the password, and it stores the encrypted string. The way it verifies your password is by encrypting what you type and seeing if it matches what was saved. Why Sony doesn't have something like this is just unfathomable.

    By the way, anyone who is worried that your credit card info may be at risk from the attack should call your bank and CANCEL the card. I went to my bank today and they told me that I wasn't at risk because no charges have been made to the account since I mentioned the attack, but if I knew about the risk of the number being stolen and chose not to do something about it, the bank is not liable for any charges that are made on the card. Do not just sit there thinking that it will be "ok", take action. Even if you have to pay $10 for a new card, that will be much better than someone stealing your credit card.

    The other thing that I'm just really ticked about is that for a while Sony said "we have no new information at this time". Why wouldn't they say "it's possible that information was leaked during the attack". Instead, they waited nearly 10 days before telling people that every scrap of info you put on the PSN may have been compromised.
    PSN: Nemesis296
    XBL/GFWL: HyperN3mesis

  4. #4
    Join Date
    Apr 2001
    Location
    Mater Urbium
    Posts
    27,488
    Quote Originally Posted by Nemesis296 View Post
    I went to my bank today and they told me that I wasn't at risk because no charges have been made to the account since I mentioned the attack
    Wow, that is unbelievably ignorant and irresponsible of a bank to tell you that.

    Your bank obviously has a poor (none?) cyber crime team, or at least poorly trained clerks.

    When a credit card number is stolen, it might take days or weeks until a thief actually steals your money. To say that your card is safe just because nothing has been stolen *yet* is ridiculous.

    Often, stolen credit card numbers are not used by the initial thief to steal your money and it can take a while until you see something actually happening. Cyber criminals sell credit card numbers to other criminals, so that the initial thief stays out of the spotlight.

    Would you care to tell us the name of your bank, so we'll know which one to avoid?


  5. #5
    Join Date
    May 2003
    Location
    Maryland, USA
    Posts
    7,649
    I think that's Bank of America's policy to wait until the card has been used fraudulently before calling them and having them cancel the charges. Though, you can still call and cancel your card at any bank if you think it's at risk and have them issue you a new one.

  6. #6
    Join Date
    Jul 2009
    Posts
    3,055
    I probably should clarify what I meant (I was typing 100 mph).

    I went to my bank today and they told me that I wasn't at risk because no charges have been made to the account since I mentioned the attack, but if I knew about the risk of the number being stolen and chose not to do something about it, the bank is not liable for any charges that are made on the card.
    Translation: I went to my bank today and told them that my card number may have been stolen through the hack on the PlayStation Network. They looked up the card and said that no charges have been made to the card since the attack was announced. They told me that if I still thought it may have been stolen I should order a new card and immediately cancel the old one. I took their advice and ordered a new card which will have a new number/PIN, everything. If I chose not to cancel the card and knowingly make charges on the card when it may have been stolen, that constitutes negligence on my part and the bank could not be held accountable for the charges, mine or from the stolen party.

    My point is, though we don't know for sure if the credit card information was stolen from Sony or not, the fact they are hinting that it might have been means that I'm not going to wait around another 10 days for someone to potentially use my card info if it was obtained.

    My bank is a private credit union and they take security very seriously, but then again you wouldn't really expect that your insurance company would pay for something after you were told that it might happen and you did nothing about it would you?

    Also, another reason why I was particularly alarmed about the card was the fact that it was a debit card, and the only limitation on that I have is $1000/day. Even with that kind of money being spent, my bank account would feel the hurt. Badly.

  7. #7
    chip5541 is offline Battlestations: Midway Lieutenant Commander
    Join Date
    Aug 2006
    Posts
    5,513
    I dread having to go to all my sites and change the password.
    Q: Are you working with law enforcement on this matter?
    A: Yes, we are currently working with law enforcement on this matter as well as a recognized technology security firm to conduct a complete investigation. This malicious attack against our system and against our customers is a criminal act and we are proceeding aggressively to find those responsible.

    Q: Was my personal data encrypted?
    A: All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.

    Q: Was my credit card data taken?
    A: While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained. Keep in mind, however that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system.

    Q: What steps should I take at this point to help protect my personal data?
    A: For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well. To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports.

    Q: What if I don’t know which credit card I’ve got attached to my PlayStation Network account?
    A: If you’ve added funds to your PlayStation Network wallet in the past, you should have received a confirmation email from “DoNotReply@ac.playstation.net” at the email address associated with your account. This email would have been sent to you immediately after you added the funds, and will contain the first 4 digits and last 4 digits of your credit card number. You can also check your previous credit card statements to determine which card was attached to your PlayStation Network or Qriocity accounts.

    Q: When or how can I change my PlayStation Network password?
    A: We are working on a new system software update that will require all users to change their password once PlayStation Network is restored. We will provide more details about the new update shortly.

    Q: Have all PlayStation Network and Qriocity users been notified of the situation?
    A: In addition to alerting the media and posting information about it on this blog, we have also been sending emails directly to all 77 million registered accounts. It takes a bit of time to send that many emails, and recognize that not every email will still be active, but this process has been underway since yesterday. At this time, the majority of emails have been sent and we anticipate that all registered accounts will have received notifications by April 28th. Consumers may also visit www.us.playstation.com/support and www.qriocity.com for notices regarding this issue. In addition, we have taken steps to disseminate information regarding this issue to media outlets so that consumers are informed.

    Q: What steps is Sony taking to protect my personal data in the future?
    A: We’ve taken several immediate steps to add protections for your personal data. First, we temporarily turned off PlayStation Network and Qriocity services and, second, we are enhancing security and strengthening our network infrastructure. Moving forward, we are initiating several measures that will significantly enhance all aspects of PlayStation Network’s security and your personal data, including moving our network infrastructure and data center to a new, more secure location, which is already underway. We will provide additional information on these measures shortly.

    Q: Has Sony identified the party or parties responsible for the PlayStation Network hack and subsequent theft of personal information?
    A: We are currently conducting a thorough investigation of the situation and are working closely with a recognized technology security firm and law enforcement in order to find those responsible for this criminal act no matter where in the world they might be located.

    Q: When will the PlayStation Network and Qriocity be back online?
    A: Our employees have been working day and night to restore operations as quickly as possible, and we expect to have some services up and running within a week from yesterday. However, we want to be very clear that we will only restore operations when we are confident that the network is secure.

  8. #8
    I'm not too concerned. I mean, there are over 77 million PSN users. That's a one in seventy-seven million chance that that hacker is going to screw you over with all your info. Even if he does have all of the information from the 77 million users, it'll take him a while to eventually get to you. Let's say he takes one day for every three accounts to screw them over. That's 25.7 million days to actually use everyone's information. I am not worried about my information, even in the slightest.

  9. #9
    Join Date
    Apr 2001
    Location
    Mater Urbium
    Posts
    27,488
    Wow, they dare speak of a "sophisticated security system" when passwords were stored in plain text format?

    Quote Originally Posted by Rocket Propelled Rocket View Post
    I'm not too concerned. I mean, there are over 77 million PSN users. That's a one in seventy-seven million chance that that hacker is going to screw you over with all your info. Even if he does have all of the information from the 77 million users, it'll take him a while to eventually get to you. Let's say he takes one day for every three accounts to screw them over. That's 25.7 million days to actually use everyone's information. I am not worried about my information, even in the slightest.
    Wasn't Anonymous behind this hack? If so, then there's not just one hacker to be worried about

    Besides, like I said, cyber criminals sell stolen credit card info.


  10. #10
    Quote Originally Posted by Driber View Post
    Wasn't Anonymous behind this hack? If so, then there's not just one hacker to be worried about
    Anonymous wasn't behind this hack. They would have said so otherwise, they've actually backed off on things that really connect to PSN, since it's not their goal to ruin PSN for us gamers. According to them, they are "on your [the gamers'] side". They said that they were not behind this.

  11. #11
    Join Date
    Jul 2009
    Posts
    3,055
    Quote Originally Posted by Rocket Propelled Rocket View Post
    I'm not too concerned. I mean, there are over 77 million PSN users. That's a one in seventy-seven million chance that that hacker is going to screw you over with all your info. Even if he does have all of the information from the 77 million users, it'll take him a while to eventually get to you. Let's say he takes one day for every three accounts to screw them over. That's 25.7 million days to actually use everyone's information. I am not worried about my information, even in the slightest.
    All it takes is one guy to sell your information to hundreds/ thousands of others. It will spread like wildfire trust me.

    Don't assume that your info is safe. EVER. Assume instead that your info is the first to be given away.

  12. #12
    Join Date
    Apr 2001
    Location
    Mater Urbium
    Posts
    27,488
    Quote Originally Posted by Rocket Propelled Rocket View Post
    Anonymous wasn't behind this hack. They would have said so otherwise, they've actually backed off on things that really connect to PSN, since it's not their goal to ruin PSN for us gamers. According to them, they are "on your [the gamers'] side". They said that they were not behind this.
    Ah right, my mistake. I probably confused it with their other attack on Sony for their legal actions against a PS3 modder

    Nonetheless, it would still be very unwise to trust your password or possibly your credit card info is safe when they don't even know the basics of security...


  13. #13
    Join Date
    Jul 2002
    Posts
    1,953
    I worked for a company that supplied real estate data nationwide (USA). Every user account password was stored as unencrypted plain-text. Thankfully I'm not with them anymore.

    Even in a situation where a system has an "email me my password" function (not a great idea) you'd want to use some sort of hashing algorithm even if it's custom (so you can "unhash" it again, so to speak). But the best way is just to hash it with MD5 at the very least and have users reset their password if they forget it. I'm not sure how PSN works in that regard.
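
Added example, not part of any post in this thread: the store-a-hash, re-hash-and-compare login check described in posts #3 and #13, written with a per-user salt and PBKDF2 in place of the unsalted MD5 the posters mention, and showing what each kind of stored value reveals if the table leaks. The function names, stored-string format, iteration count and sample accounts are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Assumed work factor for this illustration; tune it to your own hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

# Constructed sample accounts: alice and carol happen to share a password.
SAMPLE_ACCOUNTS = {"alice": "tr0ub4dor&3", "bob": "correct horse", "carol": "tr0ub4dor&3"}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return the string to store in the database instead of the password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the login attempt with the stored salt and compare the results."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        rounds = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != "pbkdf2_sha256" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def unsalted_md5(password: str) -> str:
    """The weaker scheme mentioned in the thread, kept only for comparison."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def shared_password_groups(table: Dict[str, str]) -> List[List[str]]:
    """Users whose stored values are identical, i.e. visibly share a password."""
    by_value = defaultdict(list)
    for user, stored in table.items():
        by_value[stored].append(user)
    return sorted(sorted(users) for users in by_value.values() if len(users) > 1)


def build_tables(iterations: int = PBKDF2_ITERATIONS) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Build the same user table twice: unsalted MD5 and salted PBKDF2."""
    md5_table = {user: unsalted_md5(pw) for user, pw in SAMPLE_ACCOUNTS.items()}
    salted_table = {user: hash_password(pw, iterations=iterations)
                    for user, pw in SAMPLE_ACCOUNTS.items()}
    return md5_table, salted_table


if __name__ == "__main__":
    md5_table, salted_table = build_tables()
    print("unsalted MD5, users with equal stored values:", shared_password_groups(md5_table))
    print("salted PBKDF2, users with equal stored values:", shared_password_groups(salted_table))
    print("correct login:", verify_password("correct horse", salted_table["bob"]))
    print("wrong login:  ", verify_password("correct h0rse", salted_table["bob"]))
```

With unsalted MD5 the leaked table shows that alice and carol share a password, and one precomputed lookup cracks both; with a per-user salt the two stored values differ and each must be attacked separately at the full iteration cost.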

  14. #14
    All this started because of GeoHotz, the same kid who hacked the iPhone when it first came out. He's even hacked the iPad and now the PS3. It's also because Sony was giving consumers info... In the new user agreement there was a thing about Sony letting out your information, and ANONYMOUS sent them a letter stating that if they went through with this update they would act on it for violating players' personal info... If you watch YouTube vids, they show a lot of ANONYMOUS vids, and they say they're not attacking PSN gamers, they're attacking Sony only. But there are also rumors that Sony shut down the PS network themselves due to players using fake/stolen credit cards and making purchases off the store, and when that happens Sony has to repay that out of their pockets. So who knows what the real truth is; only time will tell.

  15. #15
    The idiots have part of the FBI Cybercrimes Unit, 22 United States Attorney Generals, the United States Department of Homeland Security, and international law enforcement agencies gunning for them. I can't wait to see them pay.

  16. #16
    Join Date
    Jan 2010
    Posts
    1,256
    It was overheard in some forum they're trying to sell the info for $100,000, lol. Sony is a few cards short of a full deck.
    XZX WAS HERE

  17. #17
    Join Date
    Jul 2009
    Posts
    3,055
    Apparently Sony has announced that everyone will get 30 days of PS+ for free, or an additional 30 days at no cost if you're already a subscriber. What I don't understand about this is that the PlayStation Store is not going to be operational when the network comes back online. How exactly is Sony going to justify giving 30 days of a service free that no one can use??

  18. #18
    Join Date
    Apr 2001
    Location
    Mater Urbium
    Posts
    27,488
    batfan08, watch your language, please.

    Quote Originally Posted by Eddy Bones View Post
    Even in a situation where a system has an "email me my password" function (not a great idea)...
    Exactly. Even if passwords are somehow encrypted on a website's database, when a user requests his password via email, that is already very unsafe. Almost no one connects to their email provider via SSL, but rather a plain unsecured data connection.

    When you're on WIFI, it's incredibly easy for anyone to set up a laptop nearby, sniff your internet traffic and receive copies of the emails you receive while on WIFI.

    And apart from that, then you also have a copy of your password laying around in your email client on your computer, which often uses plain text to store email data.

    Sadly, a lot of people do not see the danger of this. You often even see people having Word documents with their passwords in their My Documents folder. Just a single visit of a malicious website can get a trojan horse on your pc which happily sends those Word documents to cyber criminals.

    I've even seen some people having JPG images of their scanned passport in their My Documents folder

    I myself never keep passwords on any computer that can access the internet. I keep all my passwords on a separate SD card, in case I would forget them. You'd have to physically break into my apartment to get to them. And even then, they are secured on the SD card with strong 256 bits AES encryption.

    Quote Originally Posted by Nemesis296 View Post
    Apparently Sony has announced that everyone will get 30 days of PS+ for free, or an additional 30 days at no cost if you're already a subscriber. What I don't understand about this is that the PlayStation Store is not going to be operational when the network comes back online. How exactly is Sony going to justify giving 30 days of a service free that no one can use??
    Well obviously that applies to when they fully restore their service. Still, a measly compensation, though.

    It's just waiting for the first class action lawsuit to appear...


  19. #19
    Join Date
    Dec 2001
    Location
    UK
    Posts
    1,295
    After all that, at least it seems they can do something right (although I'm not 100% convinced) http://blog.eu.playstation.com/2011/...curity-update/

  20. #20
    Join Date
    Apr 2001
    Location
    Mater Urbium
    Posts
    27,488
    Well, that's a relief. Yeah, it could of course be BS, but his story sounds believable to me.

    Besides, I don't think they would even dare to make this up. If the hackers would show that the passwords were in plaintext format, Sony would have a big, big problem.

    In any case, it was at least very bad PR to indicate that the passwords were in the hands of hackers. Next to your credit card info, your password is the most sensitive information. I would make it crystal clear from the very start that passwords were stored hashed.


  21. #21
    PSN has been slow on informing us on what's actually going on right now. Currently, all I know is that they have a lot of outside security help, along with the FBI to track these intrusions. SOE has been recently hacked, and it mostly affects countries outside the U.S.
    However, they have not informed the U.S. about this new intrusion. Can't a smart hacker get into a foreign data base and somehow work his way into the U.S. data base? Anyways..

    Sony is basically repeating itself to their customers, saying that PSN will be back up "..within a week." It has been around two weeks since they first stated that PSN will be back up "in a day or two."

    Sony isn't really customer friendly, as you can clearly see. Keeping information away from us, only to try to make up for it with the "I'm sorry" package. This will include a free download from the PSN store, depending on your region, a free thirty day subscription to PSNPlus, and a free thirty day subscription to the music thing they have on there.
    This is Sony's only attempt to please the customers, and try to keep them loyal to their system.

    All the customers want is PSN coming back up, and more updates about the intrusion. Is that so hard to provide?

    /End Rant.

  22. #22
    Sorry about that, Driber. I fixed it up.

  23. #23
    Join Date
    Jul 2009
    Posts
    3,055
    Quote Originally Posted by Rocket Propelled Rocket View Post
    Keeping information away from us, only to try to make up for it with the "I'm sorry" package. This will include a free download from the PSN store, depending on your region, a free thirty day subscription to PSNPlus, and a free thirty day subscription to the music thing they have on there.
    This is Sony's only attempt to please the customers, and try to keep them loyal to their system.
    And yet, while it's free, it's just a marketing ploy for them. I'm really kinda disappointed in Sony for this entire situation. They really don't seem to understand the fact that a lot of people are completely bitter about this situation and how they have handled it. As soon as they hinted that credit card data could have been obtained (which they reiterated numerous times so carefully in their notification e-mail I received last week), I immediately found out which card I use on PSN and cancelled it. The 'chance' is enough for me when it's announced by the company. Regardless of the fact they came back and said "oh thank god, the credit card data didn't get stolen"...I don't care. They hinted that it might have been, so I had to take action on my own part, and pay $10 for a new card. I guess my free month of PS+ will cover that, Sony?

    Speaking of the whole "free month of PS+" thing, I really don't like this idea. It doesn't really show that Sony is sorry, instead it says "here, we'll let you see what we give premium users; this can be yours if you pay after the first 30 days!!" It's just a ploy to pull more people into buying PS+, and I think that's really the wrong way to handle this situation. It's more like exploiting the customers than actually apologizing for the largest cyber security breach in history.

    The even more unfortunate thing is the fact that Sony will not go under because of this either. I know I will still buy their products and probably still download things off the PSN store. It's just a vicious cycle of marketing genius; all large companies are bound to do it unfortunately.

    I can't even imagine what the DCUO players are thinking right now. If I was paying $15/month and my game server was suddenly unavailable, I would be furious beyond belief unless they refunded my lost play time, which I'm sure they won't be doing.

  24. #24
    Join Date
    May 2003
    Location
    Maryland, USA
    Posts
    7,649
    Actually, this is what the DCUO Sony server is planning on doing about that:

    First the PlayStation Network got hacked and shut down, and then, Sony Online Entertainment got hacked and shut down. These two things have guaranteed that DC Universe Online players have been unable to play the MMO as of late. That sucks, but the developers understand.

    That's why SOE has announced its "Make Good Plan." Folks affected by the outage will get 30-day subscription credit along with one day for each day DCUO was down. On top of that, every player gets a "Batman-inspired mask" for their in-game character.
    SOE did not specify a day to grab the content.

    "Please bear with us as the complexities of the subscription server dictate how and when this will be available along with pertinent details," SOE said in a statement. "We will be releasing more information this week. Thanks again for your patience!"

    This news comes hot on the heels of SOE announcing it was combining DC Universe Online servers.
    http://ps3.ign.com/articles/116/1165792p1.html

    I see IGN commenters are as grumpy and dissatisfied as ever with everything, complaining that they're only getting a "stupid mask." I guess they missed the whole 30 days free, plus every day back they lost when the servers were down bit.

    It's kind of true that no matter what Sony would do, though, it's not going to be enough. For an MMO subscription, all days returned plus 30 days free is a pretty damn good deal. For the regular PSN network deal, hey, 30 days free is a lot more than how long the thing was down for, so the complaints seem to me to be simply because nothing will ever be enough and the injury of it happening is still fresh. That's understandable, but again, what else can the company do but get things working again, make sure, hopefully, it never happens again, and offer some free user time to compensate?

    This is an objective observation from someone who doesn't own a PS3, therefore, does not deal with PSN network.

  25. #25
    chip5541 is offline Battlestations: Midway Lieutenant Commander
    Join Date
    Aug 2006
    Posts
    5,513
    30 days plus is nice to have. I could care less about the mask though since my characters are Edward Elric and King Bradley.
