33,000 Unauthorized Login Attempts Highlight Password Recyling
If there’s one thing you don’t want to recycle, it’s passwords, as some EverQuest II players found recently out.
I think we’re all guilty of using the same login and password on many different sites such as e-mail, bank websites, and yes our SOE acounts. Recently, attempts were made by outsiders to login to some 33,000 SOE accounts using login and password credentials taken from other websites. SOE and PSN detected these login attempts and have pre-emptively disabled any accounts that matched the login/password credentials stolen from websites not affiliated with Sony. Note: This appears to be unrelated to this May’s SOE/PSN security breach.
But first, a message from the EQ2Wire The Sky is Not Falling So Keep Your Pants On Club:
This is NOT a security breach!
SOE has not been “hacked again”!
DON’T PANIC!
Without further ado, a message from Philip Reitinger, SVP and Chief Information Security Officer, Sony Group:
We want to let you know that we have detected attempts on Sony Entertainment Network, PlayStation Network and Sony Online Entertainment (“Networks”) services to test a massive set of sign-in IDs and passwords against our network database. These attempts appear to include a large amount of data obtained from one or more compromised lists from other companies, sites or other sources. In this case, given that the data tested against our network consisted of sign-in ID-password pairs, and that the overwhelming majority of the pairs resulted in failed matching attempts, it is likely the data came from another source and not from our Networks. We have taken steps to mitigate the activity.
Less than one tenth of one percent (0.1%) of our PSN, SEN and SOE audience may have been affected. There were approximately 93,000 accounts globally (PSN/SEN: approximately 60,000 accounts; SOE: approximately 33,000) where the attempts succeeded in verifying those accounts’ valid sign-in IDs and passwords, and we have temporarily locked these accounts. Only a small fraction of these 93,000 accounts showed additional activity prior to being locked. We are currently reviewing those accounts for unauthorized access, and will provide more updates as we have them. Please note, if you have a credit card associated with your account, your credit card number is not at risk. We will work with any users whom we confirm have had unauthorized purchases made to restore amounts in the PSN/SEN or SOE wallet.
As a preventative measure, we are requiring secure password resets for those PSN/SEN accounts that had both a sign-in ID and password match through this attempt. If you are in the small group of PSN/SEN users who may have been affected, you will receive an email from us at the address associated with your account that will prompt you to reset your password.
Similarly, the SOE accounts that were matched have been temporarily turned off. If you are among the small group of affected SOE customers, you will receive an email from us at the address associated with your account that will advise you on next steps in order to validate your account credentials and have your account turned back on.
We want to take this opportunity to remind our consumers about the increasingly common threat of fraudulent activity online, as well as the importance of having a strong password and having a username/password combination that is not associated with other online services or sites. We encourage you to choose unique, hard-to-guess passwords and always look for unusual activity in your account.
Tags: account security, security
Trackback from your site.
Comments (7)
Rhajiid
| #
It’s kinda funny: I have two accounts, one of them being locked (probably due to that) yesterday. That account has a) a unique name, that I do not use anywhere else; b) a unique password, that I do not use anywhere else; c) a strong password; d) login and password do not have any link/info to my person/game/chars, etc. … thank god those “other sources” where the attackers get their information from are anywhere, but not at all the SOE servers! 😀
Reply
bbdirge
| #
Same thing Rhajiid. My account has a unique name I do not use anywhere else and the pw is also unique. My pw was not guessed which is why my account was temporarily “locked” but not actually accessed. The ones that were accessed are still locked. Mine is not. But as I said, my pw and username are both absolutely 100% unique, only used for my EQ2 account. It is impossible the information was obtained somewhere else.
Reply
Aeyri
| #
Were either of you perhaps still using the same password for your EQ2 account that you were using before the security breach this past Spring?
If so, perhaps what happened is that some folks finally managed to get their hands on the data from that breach (and/or finally managed to break the password encryption algorithm) and decided to use it to mass attack accounts. The reason most of the attempts failed would then be because most people (including myself) switched to a completely different password after the attack.
If you are using a completely different password now than you were then, I’m not sure.
Reply
bbdirge
| #
Using a completely different password than I’ve ever used before. Not a pw I have used for any account. Until now I’ve never had any breeches into my account and from what Sony told me nobody actually got into my account this time it just got locked due to failed attempts to get into it. (from my understanding) What they told me could be incorrect. I’m concerned about the way they are describing this incident, making it sound as though the accounts affected were only those who use their username/pw in other places because it isn’t accurate as I can account for. My username/pw are absolutely unique to my sony account and I have never used either anywhere else. I can’t discount a possibility that the people who got hit might have something on their computers that somehow transmitted username and/or pw information on that way. I have ran virus/spyware searches on my computer just to be safe and it has a clean bill of health. I will say I am glad my account was simply locked until I contacted Sony to sort it out because to me that means their security is doing far better than it was doing in the spring. But the reports being sent out that the attacks came from another site that somehow got our usernames/pw is not truthful. I can’t say it came from Sony, but it can’t be discounted given that I for one have never used either of mine elsewhere. I really have no theories as to what could have happened but the report doesn’t fit how my information could have been accessed.
Reply
Claviarm
| #
@BBDirge: Well, you said that access to your account wasn’t gained, so that means someone tried your account name with some other password. Even though /you/ don’t use that account name anywhere else, some other guy might happen to have an account with that name somewhere, and if that site was breached and the data applied to EQ2, we’d see the results we’re seeing–someone attempted to log in to that account but didn’t have the right password.
So unless the account name is something unlikely to ever be used by anyone anywhere, this would line up with SOE’s story, wouldn’t it?
Reply
bbdirge
| #
It’s a made up word so I don’t know how likely it is someone else has it as an account name for something else (anything is possible)… I’m still at a loss. I’m not saying I’m perfect and untouchable, just saying that my username definitely wasn’t grabbed from me using it anywhere else. I hope they figure it out and that this doesn’t happen again. I am glad that (for what is seems is the majority of those affected) their accounts weren’t actually accessed due to the wrong passwords being used.
Reply
Froak
| #
pretty much every decent network is setup to detect massive failed login attempts and put a stop to it, even if this happened before they got hacked we would see the exact same outcome. sony is basicly trying to prove that their network is secure again – tho this is a very poor attempt at gaining access to accounts, whoever did this is fairly un-skilled – and people are blowing it way out of proportion. less than 1/10 of 1% – 00.1% of their accounts were attempted. who knows maybe sony did it themselfs to get some cred back? :p
Reply