PSN back online after data breach. You must change passwords [see post 1]

[Kymmy]

http://www.bbc.co.uk/news/technology-13169518

Quote:

Millions of gamers are unable to play online as the Playstation Network remains unavailable.

Users are seeing error messages stating the network is "undergoing maintenance" or is "suspended".

In a blog post, makers Sony thanked users for their patience but warned the downtime - which has so far lasted more than 20 hours - could continue for "a day or two".

-------------------------

EDIT (Matt D)

I thought I'd add some links & a summary to the first post (sorry for editing your post, Kymmy ).

THE GREAT PSN DATA BREACH

The PlayStation Network (PSN) has suffered an "illegal and unauthorized intrusion", which has resulted in the personal information of all PSN account holders being compromised.

Sony has shut the network down while it investigates the breach (including using an "outside, recognized security firm") and attempts to strengthen and re-build the network.

Personal information which Sony definitely believes has been obtained by an unauthorised person: Name, Address (city, state, zip), Country, Email Address, Birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID.

Personal information which Sony believes may have been obtained: Profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers.

Credit Card information: Although there is not yet any evidence that credit card information has been obtained, Sony says that it "cannot rule out the possibility" and that your card number and expiry date may have been obtained (but not the security code).

The credit card table was encrypted, however the personal data table was not.

If you used the same password on any other sites/services as you use on PSN, then you should change the password for those other sites/services as soon as possible.

If you had a credit or debit card attached to your PSN account, then you should at the very least pay close attention to it and look for any suspicious activity, just in case. If you notice any suspicious transactions, then phone your bank / card provider's fraud line at once.

If don't notice anything but you are still worried about it, then phone your bank or card provider and ask for the card to be cancelled and replaced with a new card due to potential fraud from the PSN data breach.

However, Sony is apparently going to be passing card numbers on to Financial Fraud Action (FFA), which will then pass them on to the relevant banks and card providers, so your card should hopefully be cancelled automatically if Sony believes it was at risk.

If you are worried about the increased possibility of ID theft or credit fraud, due to the personal information which has been stolen (name, address, DOB, etc.), then you can request "Protective Registration" from CIFAS (the UK's Fraud Prevention Service). This costs £12 + VAT, and means a "CIFAS warning flag marked Protective Registration will then be placed on the CIFAS National Fraud Database against your name and personal details to indicate that you have been recorded at your own request for your protection". If any credit or certain other services are then applied for in your name, the warning flag tells CIFAS member organisations to be extra vigilant and undertake extra checks to ensure that the application is genuine. The CIFAS flag lasts for one year. An FAQ is here: http://www.cifas.org.uk/pr_faqs


Official updates from the PlayStation Blog:

These are what Sony has said so far, and include various bits of info on what has happened.

26th April - Update on PlayStation Network and Qriocity

27th April - Q&A #1

28th April - Q&A #2

"1st May - Some PlayStation Network And Qriocity Services To Be Available This Week"

Quote:

Originally Posted by Sony

SOME PLAYSTATION NETWORK AND QRIOCITY SERVICES TO BE AVAILABLE THIS WEEK

Phased Global Rollout of Services to Begin Regionally; System Security Enhanced to Provide Greater Protection of Personal Information.

Tokyo, May 1, 2011 – Sony Computer Entertainment (SCE) and Sony Network Entertainment International (SNEI, the company) announced they will shortly begin a phased restoration by region of PlayStation®Network and Qriocity™ services, beginning with gaming, music and video services to be turned on. The company also announced both a series of immediate steps to enhance security across the network and a new customer appreciation program to thank its customers for their patience and loyalty.

Following a criminal cyber-attack on the company’s data-center located in San Diego, California, U.S.A., SNEI quickly turned off the PlayStation Network and Qriocity services, engaged multiple expert information security firms over the course of several days and conducted an extensive audit of the system. Since then, the company has implemented a variety of new security measures to provide greater protection of personal information. SNEI and its third-party experts have conducted extensive tests to verify the security strength of the PlayStation Network and Qriocity services. With these measures in place, SCE and SNEI plan to start a phased rollout by region of the services shortly. The initial phase of the rollout will include, but is not limited to, the following:

• Restoration of Online game-play across the PlayStation®3 (PS3) and PSP® (PlayStation®Portable) systems
• This includes titles requiring online verification and downloaded games
• Access to Music Unlimited powered by Qriocity for PS3/PSP for existing subscribers
• Access to account management and password reset
• Access to download un-expired Movie Rentals on PS3, PSP and MediaGo
• PlayStation®Home
• Friends List
• Chat Functionality

Working closely with several outside security firms, the company has implemented significant security measures to further detect unauthorized activity and provide consumers with greater protection of their personal information. The company is also creating the position of Chief Information Security Officer, directly reporting to Shinji Hasejima, Chief Information Officer of Sony Corporation, to add a new position of expertise in and accountability for customer data protection and supplement existing information security personnel. The new security measures implemented include, but are not limited to, the following:

• Added automated software monitoring and configuration management to help defend against new attacks
• Enhanced levels of data protection and encryption
• Enhanced ability to detect software intrusions within the network, unauthorized access and unusual activity patterns
• Implementation of additional firewalls

The company also expedited an already planned move of the system to a new data center in a different location that has been under construction and development for several months. In addition, PS3 will have a forced system software update that will require all registered PlayStation Network users to change their account passwords before being able to sign into the service. As an added layer of security, that password can only be changed on the same PS3 in which that account was activated, or through validated email confirmation, a critical step to help further protect customer data.

The company is conducting a thorough and on-going investigation and working with law enforcement to track down and prosecute those responsible for the illegal intrusion.

“This criminal act against our network had a significant impact not only on our consumers, but our entire industry. These illegal attacks obviously highlight the widespread problem with cyber-security. We take the security of our consumers’ information very seriously and are committed to helping our consumers protect their personal data. In addition, the organization has worked around the clock to bring these services back online, and are doing so only after we had verified increased levels of security across our networks,” said Kazuo Hirai, Executive Deputy President, Sony Corporation. “Our global audience of PlayStation Network and Qriocity consumers was disrupted. We have learned lessons along the way about the valued relationship with our consumers, and to that end, we will be launching a customer appreciation program for registered consumers as a way of expressing our gratitude for their loyalty during this network downtime, as we work even harder to restore and regain their trust in us and our services.”

Complimentary Offering and “Welcome Back” Appreciation Program

While there is no evidence at this time that credit card data was taken, the company is committed to helping its customers protect their personal data and will provide a complimentary offering to assist users in enrolling in identity theft protection services and/or similar programs. The implementation will be at a local level and further details will be made available shortly in each region.

The company will also rollout the PlayStation Network and Qriocity “Welcome Back” program, to be offered worldwide, which will be tailored to specific markets to provide our consumers with a selection of service options and premium content as an expression of the company’s appreciation for their patience, support and continued loyalty.

• Each territory will be offering selected PlayStation entertainment content for free download. Specific details of this content will be announced in each region soon.
• All existing PlayStation Network customers will be provided with 30 days free membership in the PlayStation Plus premium service. Current members of PlayStation Plus will receive 30 days free service.
• Music Unlimited powered by Qriocity subscribers (in countries where the service is available) will receive 30 days free service.

Additional “Welcome Back” entertainment and service offerings will be rolled out over the coming weeks as the company returns the PlayStation Network and Qriocity services to the quality standard users have grown to enjoy and strive to exceed those exceptions.

SNEI will continue to reinforce and verify security for transactions before resuming the PlayStation®Store and other Qriocity operations, scheduled for this month.

For more information about the PlayStation Network and Qriocity services intrusion and restoration, please visit http://blog.us.playstation.com or http://blog.eu.playstation.com/

"4th May - Sony’s Response to the U.S. House of Representatives"

15th May - Phased restoration has begun.

PS3 system software version 3.61 is now available, via the PS3 directly or the PlayStation website.

This version will force you to change your PSN password, once PSN is back up.

"PlayStation Network Restoration Begins"

Quote:

Originally Posted by PlayStation.com

Sony Computer Entertainment introduces increased security measures ahead of PSN service restoration.

Sony Computer Entertainment (SCE) and Sony Network Entertainment International (SNEI, the company) will today begin a phased restoration by region of PlayStation Network and Qriocity services. The phased restoration will be on a country by country basis beginning in the Americas, Europe, Australia, New Zealand and the Middle East.

The first phase of restored services for North America and Europe will include:

Sign-in for PlayStation Network and Qriocity services, including the resetting of passwords.

Restoration of online gameplay across PlayStation 3 and PSP.

Playback rental video content, if within rental period, of PlayStation Store Video Store on PS3, PSP and Media Go.

Q Music Unlimited, for current subscribers, on PS3 and PC.

Access to third party services such as VidZone and MUBI.

'Friends' category on PS3, including Friends List, Chat Functionality, Trophy Comparison, etc.

PlayStation Home.

Update: PSN is now back online in the UK. The first time you try to log in, with firmware 3.61, you will be forced to change your password. Full restoration of PSN services (e.g .PSN Store) won't be complete until the end of May.

Other links:

"MoneySavingExpert - PlayStation users' data stolen in hack: what should you do?"

Statement from the Information Commissioner's Office

Quote:

Originally Posted by ICO

27 April 2011

Response to data breach involving Sony’s PlayStation Network

An ICO spokesperson said:

The Information Commissioner’s Office takes data protection breaches extremely seriously. Any business or organisation that is processing personal information in the UK must ensure they comply with the law, including the need to keep data secure.
We have recently been informed of an incident which appears to involve Sony. We have contacted Sony and will be making further enquiries to establish the precise nature of the incident before deciding what action, if any, needs to be taken by this office.

Possibly another update coming to stop the CFW's with certain patches playing online perhaps

[Ravenheart]

Update from Sony this morning

“An external intrusion on our system has affected our PlayStation Network and Qriocity services, In order to conduct a thorough investigation and to verify the smooth and secure operation of our network services going forward, we turned off PlayStation Network & Qriocity services on the evening of Wednesday, April 20th.”

Source

No ETA on it being resolved.

Ha ha sounds like its that group using the name "anonymous" who has threatened to disrupt Sony as much as they can

[adzii_nufc]

They should try hacking something bigger than Sony, Maybe the US government

They wont be so Anonymous anymore

[craigj2k12]

if you look at the anonymous website, they have a big image saying "it wasnt us!"

im sure they would admit it, if it was them

It could be Sony subterfuge trying to get public opinion onside.

At the end of the day half the scene wouldnt have been interested in hacking the system if they didnt remove the linux options. The only defense Sony has now is PSN.

I have stayed on 3.41 and a Jailbreak dongle myself but if and when 3.56 and above gets a CFW I may well update but PSN I aint bothered about anyway

[dilli-theclaw]

Another update.

http://arstechnica.com/gaming/news/2...ta-is-safe.ars

[Graham M]

Grrr I just bought a new PS3 today and am transferring the data over, just hope I can disable the stuff on the old console after the transfer without any ill effects. Any ideas?

[wwe]

Hope they get it back on soon.

[DABhand]

It's not by anonymous, it's a chinese group who are not happy that their Jailbreak/CRC encryption God has been told no by Sony lawyers :P

I also expect them to update PSN to detect firmware changes and disable any USB bootup access.

[Tezcatlipoca]

Time to change passwords & keep an eye on the credit card? ...

http://blog.us.playstation.com/2011/...-and-qriocity/

Quote:

Originally Posted by PS Blog

Posted by Patrick Seybold // Sr. Director, Corporate Communications & Social Media

Thank you for your patience while we work to resolve the current outage of PlayStation Network & Qriocity services. We are currently working to send a similar message to the one below via email to all of our registered account holders regarding a compromise of personal information as a result of an illegal intrusion on our systems. These malicious actions have also had an impact on your ability to enjoy the services provided by PlayStation Network and Qriocity including online gaming and online access to music, movies, sports and TV shows. We have a clear path to have PlayStation Network and Qriocity systems back online, and expect to restore some services within a week.

We’re working day and night to ensure it is done as quickly as possible. We appreciate your patience and feedback.

Valued PlayStation Network/Qriocity Customer:
We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:

Temporarily turned off PlayStation Network and Qriocity services;
Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
Quickly taken steps to enhance security and strengthen our network infrastructure by re-building our system to provide you with greater protection of your personal information.

We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.

Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

(snip)

That must mean they were storing passwords in the clear, i.e no hashing, utterly useless morons. That really is amateur hour.

[Stephen]

I always knew the psn was poor and it's now confirmed. Sony are totally useless.

[PeteLockwood]

only psn, who cares ? if it was xbox live it would be the end of the world!!!