Posts Tagged ‘account security’

   

Station, SOE Websites Show Signs of Life, Games Still Shuttered

Written by Feldon on . Posted in Uncategorized

Although SOE games and services remain offline, readers have noticed some curious changes.

Most obvious is that http://www.EverQuest2.com/ and http://www.SOE.com/ are no longer resolving correctly and are presenting an error message. The secure version, https://www.SOE.com/ (notice the additional ‘s’), is however online and presenting the same updates we were provided with yesterday.

UPDATE: http://www.SOE.com is now resolving properly to https://www.SOE.com/.

As there has been no announcement from SOE about what the steps will be for users to change their passwords, login, secure their accounts, and start playing again (indeed SOE communication has been nothing short of atrocious — perhaps due to the stipulations of lawyers), it’s unclear what conclusions we should draw from some servers being accessible while others are not. Is this a sign that things are about to open back up, or just a sign that SOE platform aren’t properly securing websites in preparation for the service restoration?

Shabutie did some checks of the DNS information present on different SOE game websites (FreeRealms.com, EverQuest2.com, etc.) and has noticed that they no longer all point to SOE’s main website. This may indicate that things are opening up soon, but without confirmation from anyone at SOE, all we can do is guess.

Although Facebook and Twitter remain mum (their last update was 12 hours ago), maybe today’s the day? Although 4 days is not a terribly long outage considering the complexity of the security breach, the lack of communication has really exacerbated this and made the outage feel a lot longer than it has been. More as we have it…

CNET Blogger: Third Sony Attack Being Planned? The Importance of Attribution

Written by Feldon on . Posted in Uncategorized

When I first encountered this story, I had little interest in reporting it at all. A blogger, however well-intentioned, taking the ramblings of a few script kiddies in an IRC chatroom seriously and posting it as a “CNET Exclusive” seems hardly newsworthy. Journalistic integrity must have some minimum standard. We report things all the time which aren’t from SOE or a press release, but they have SOME basis in fact.

However, the story that an attack is planned for this weekend seems to have gotten some traction and is now making the rounds and being quoted by larger news organizations as “reported by CNET”. So we feel we should address it. Erica Ogg, CNET blogger, has posted an article positing that a third attack on Sony services is being planned for this weekend.

A group of hackers says it is planning another wave of cyberattacks against Sony in retaliation for its handling of the PlayStation Network breach.

Her source?

An observer of the Internet Relay Chat channel used by the hackers told CNET today that a third major attack is planned this weekend against Sony’s Web site. The people involved plan to publicize all or some of the information they are able to copy from Sony’s servers, which could include customer names, credit card numbers, and addresses, according to the source. The hackers claim they currently have access to some of Sony’s servers.

Blogging without sources or attribution is just speculation and should be taken as such. The article reads as if the information has been confirmed with secondary sources. It hasn’t.

Letter from Sony CEO Howard Stringer, Identity Theft Protection for PSN (but not SOE?)

Written by Feldon on . Posted in Uncategorized

Howard Stringer, Sony Corp Chairman and CEO over America, has posted an apology letter and the first details of the Identity Theft protection package that will be provided for free to PlayStation Network customers. No word on if said protection will be made available to Sony Online Entertainment customers.

Dear Friends,

I know this has been a frustrating time for all of you.

Let me assure you that the resources of this company have been focused on investigating the entire nature and impact of the cyber-attack we’ve all experienced and on fixing it. We are absolutely dedicated to restoring full and safe service as soon as possible and rewarding you for your patience. We will settle for nothing less.

To date, there is no confirmed evidence any credit card or personal information has been misused, and we continue to monitor the situation closely. We are also moving ahead with plans to help protect our customers from identity theft around the world. A program for U.S. PlayStation Network and Qriocity customers that includes a $1 million identity theft insurance policy per user was launched earlier today and announcements for other regions will be coming soon.

.

.

In the coming days, we will restore service to the networks and welcome you back to the fun. I wanted to personally reach out and let you know that we are committed to serving you to the very best of our ability, protecting your information better than ever, and getting you back to what you signed up for – all the games and great entertainment experiences that you expect from Sony.

With best regards,
Howard Stringer

The details of the AllClear ID Plus identity theft package now available to PSN customers are available on the PlayStation Blog. As no Sony Online Entertainment customers in North America had their credit card information revealed, this service may not be available for SOE customers.

From Bloomberg.com:

Japan’s biggest consumer-electronics exporter will offer a $1 million insurance policy per user, covering legal expenses, identity-restoration costs and lost wages that occur after data is stolen, Sony said in a blog post. Austin, Texas-based Debix Inc. was hired to provide the monitoring service and similar programs for users in other countries are also being considered, it said.

Sony didn’t elaborate whether the program will cover identity theft that isn’t related to the mid-April breach of the PlayStation and Qriocity networks, which affected 77 million accounts. Separately, some 24.6 million users of the Sony Online Entertainment platform were also affected, the company said.

SCE in Final Stages of Service Restoration

Written by Feldon on . Posted in Uncategorized

As posted on the PlayStation Blog on May 5th at 4:30pm PDT:

Today our global network and security teams at Sony Network Entertainment and Sony Computer Entertainment began the final stages of internal testing of the new system, an important step towards restoring PlayStation Network and Qriocity services.

As previously mentioned, we’ve been working around the clock to rebuild the network and enhance protections of your personal data. It’s our top priority to ensure your data is safe when you begin using the services again.

We understand that many of you are eager to again enjoy the PlayStation Network and Qriocity entertainment services that you love, so we wanted you to be aware of this milestone and our progress. We will provide additional updates as soon as we can.

Note: It was pointed out that the article mentions nothing of SOE.

Further Reading on PSN and Anonymous

Written by Feldon on . Posted in Uncategorized

There’s only so much PSN, Anonymous, and Sony news I can post. I mean, what we really want to know is when OUR games and OUR network will be back online. But, if you just crave this type of information, or your enjoyment of your PS3 (when you’re not playing EQ2) has really been cramped by this debacle, well, here is some further reading:

PSN Returning to Japan?, Back Online in US Late Today/Early Tomorrow? No Word on SOE Service

Written by Feldon on . Posted in Uncategorized

UPDATE: Unreliable source used for PSN returning in Japan. PSN service has not been restored anywhere to date.

News is now trickling in that the PlayStation Network, down now for over 2 weeks, has been restored in Japan and headway is being made in bringing at least parts of the service (lacking most notably microtransactions and the PlayStation online store) back to Europe and North America. Unfortunately we have no further timetable on when Sony Online Entertainment services and games will be restored.

According to a completely unsubstantiated comment posted on a blog, there is now a timetable for the restoration of PSN service in Europe and North America:

  • North/East Asia – Tuesday May 3rd (22.00)
  • Europe – Wednesday May 4th (22.00)
  • USA – Thursday May 5th (08.00)
  • AUS – Thursday May 5th (14.00)

UPDATE: Obviously this timetable was not correct, as these times have come and gone and Japan, Europe, North America, and Australia remain cut off from the PlayStation Network.

The first step of PSN restoration has been enabling users to change their passwords. It is unclear what credentials and guidelines are being used to ensure identification. We may see a similar situation for SOE, with a password change on a special website being required before we can access our accounts.

Wired’s Threat Level Plays PSN Hack ‘Whodunit’

Written by Feldon on . Posted in Uncategorized

File this under pure speculative analysis, but Wired’s Threat Level has some thoughts on just who compromised the PlayStation Network (and Sony Online Entertainment) and pilfered records, and why. If you’d like a little more insight into the players, it’s worth a read:

It’s one of the biggest data breaches in history. Now that Sony has come clean — sort of — on a computer intrusion this month that exposed personal information on 77 million PlayStation Network users, one obvious question remains: Who pulled off the hack?

In the old days, the answer would be simple: some kid did it. But today’s underground is more complicated — a slew of competing players with different agendas and techniques. Here’s a quick rundown on the likely suspects.

They tackle Anonymous, China, the Recreational Hacker, and finally For-Profit Cyberthieves out of Eastern Europe or Russia. Continue at Wired

Will Sony Pay for New Credit Cards, Other Fraud Costs?

Written by Feldon on . Posted in Uncategorized

This is from May 1st but due to some requests I’ve gotten about whether Sony will reimburse customers for any bank-related costs due to the security breach, I thought it was worth highlighting.

From FeedTheGamer:

In this morning’s news conference, Sony Computer Entertainment head Kazuo Hirai said the company would consider covering costs associated with reissuing credit cards to PlayStation Network subscribers who feel their accounts have been compromised by the massive data breach of April 20.

Hirai, noting that there have been no confirmed incidents in which fraud was committed with a credit card number stolen from the PSN breach, said the company has asked the FBI for a criminal investigation of the matter.

While there are 77 million accounts in the PlayStation Network, some are held by the same household or person. Hirai said the owners of 10 million PSN accounts have been notified that their credit card information may have been compromised. However, the three-digit CVV number on the back of the card, required for purchases over the Internet, was definitely not compromised.

The replacement of a lost or stolen credit card is typically done for a customer for free, but to banks there is a cost of printing, processing and mailing the cards, plus a cost of lost business while the customer waits for a new one. Earlier in the week, news reports pegged the transactional costs of card replacement at between $3 and $5 per card. It’s unclear who Sony would compensate, if it does, or if enough cardholders will ditch their cards to make it an issue that banks complain about to Sony.

Security Expert: Sony Knew Its Software Was Obsolete Months Before PSN Breach

Written by Feldon on . Posted in Uncategorized

From Consumerist.com:

In congressional testimony this morning, Dr. Gene Spafford of Purdue University said that Sony was using outdated software on its servers — and knew about it months in advance of the recent security breaches that allowed hackers to get private information from over 100 million user accounts.

According to Spafford, security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which “was unpatched and had no firewall installed.” The issue was “reported in an open forum monitored by Sony employees” two to three months prior to the recent security breaches, said Spafford.

Sony: Anonymous Didn’t Hack Us, But Made It Easy

Written by Feldon on . Posted in Uncategorized

After initially going on the record stating that Anonymous, the evangelist hacker group, had no involvement in the actual hack of the PlayStation Network (and by extension the SOE network), Sony have now pointed the finger for a different reason.

In a letter to Congress, Sony has posited that the very disruptive flooding/attacks on Sony servers in retaliation for the George Hotz lawsuit were a sufficient distraction to leave a much larger window for hackers to enter Sony systems and leave undetected. Sony has suggested that had the coordinated denial-of-service attacks not happened, a compromise of their servers would have been more easily detected and possibly thwarted.

From BBCNews:

Sony has blamed the online vigilante group Anonymous for indirectly allowing the security breach that allowed a hacker to gain access to the personal data of more than 100m online gamers.

In a letter to the US Congress, Sony said the breach came at the same time as it was fighting a denial-of-service attack from Anonymous.

Denial-of-service attacks take servers down by overwhelming them with traffic.

The online vigilante group has denied being involved in the data theft.

Sony said that it had been the target of attacks from Anonymous because it had taken action against a hacker in a federal court in San Francisco.

Sony’s Response to the U.S. House of Representatives

Written by Feldon on . Posted in Uncategorized

Today, the Subcommittee on Commerce, Manufacturing and Trade of the U.S. House of Representatives Committee on Energy and Commerce held a hearing in Washington, DC on “The Threat of Data Theft to American Consumers.”

Kazuo Hirai, Chairman of the Board of Directors of Sony Computer Entertainment America, submitted written answers to questions posed by the subcommittee about the large-scale, criminal cyber-attack we have experienced. We wanted to share those answers with you.

  • Complete 8-page written response on Flickr

Note that much of this information is generic to the PSN (SCEA) and SOE data breaches. Look for SOE and Sony Online Entertainment in the text of these letters if you wish to locate passages relevant to your game network.

SOE Offers Some Updates on Situation, No Timeframe

Written by Feldon on . Posted in Uncategorized

SOE.com has been updated with a new Recent Updates section which answers a few questions, although there are few concrete answers at this point. Also, according to a Facebook update, the $10 discount on Fan Faire registration will be extended due to the service outage.

May 4, 2011

We want to thank you again for your patience as we work to get the SOE services back up and running. We received several questions and comments relating to the criminal attack to our network and would like to address some of the most common questions today. We are also going to continue to post updates to this website with new information as they become available.

We appreciate your continued patience and feedback.

Thank you,
Sony Online Entertainment

MSNBC: Sony Declines to Testify before Congress; $1 Billion Civilian Lawsuit Filed

Written by Feldon on . Posted in Uncategorized

From MSNBC.com:

A U.S. House of Representatives subcommittee is demanding answers from Sony after private information from some 102 million personal accounts was taken by hackers.

In a letter written by the Congressional Subcommittee on Commerce, Manufacturing and Trade and addressed to Sony chairman Kazuo Hirai, representatives asked the company to answer a list of 13 questions related to the hacking of Sony’s PlayStation Network.

The Congressional committee has demanded answers about the PlayStation Network breach only, perhaps because news of the Sony Online Entertainment breach wasn’t released until Monday afternoon.

   

San Diego Union-Tribune: SOE Network Down Until Friday, Possibly Longer

Written by Feldon on . Posted in Uncategorized

From SignOnSanDiego.com, the website of the San Diego Union-Tribune newspaper.

Customers of San Diego-based Sony Online Entertainment must watch out for “spear phishing” scams after a hacker may have gained access to personal information on 24.6 million accounts, including email addresses and passwords.

Privacy experts say cyber criminals could have enough information to send highly customized emails or postal letters — or make phone calls — that will appear to come from Sony in hopes of tricking customers into revealing more sensitive information — such as credit card or Social Security numbers.

Sony Online Entertainment urged its customers to be “especially aware” of these scams. “Sony will not contact you in any way, including email, asking for your credit card number, Social Security number or other personal information,” the company said in a letter to customers posted on its Web site. “If you are asked for this information, you can be confident Sony is not the entity asking.”

Sony Online Entertainment, which makes video games such as the EverQuest series that users play online, abruptly shut down its network on Monday after the breach was discovered. The breach did not expose customer credit card numbers in the U.S. But it did possibly reveal names, addresses, email, birth dates, gender, phone numbers, login names and passwords.

The PlayStation network breach came from an attack on a data center in San Diego. Taina Rodriguez, a Sony Online Entertainment spokeswoman, declined to say if PlayStation and Sony Online Entertainment shared the same data center.

“Our servers are different from the PSN servers,” she said. “We are operated separately. But since we’re both under the Sony umbrella, there is a degree of architecture that overlaps.”

Rodriguez added that Sony Online Entertainment’s network would be shut down until Friday and possibly longer. The company has contacted the FBI to investigate the attack.

MSNBC: Sony hires cyber sleuths to catch hackers

Written by Feldon on . Posted in Uncategorized

From MSNBC.com:

Sony has hired outside investigators to help clean its networks and catch the people behind a massive breach that exposed the personal data of more than 100 million video game users.

The Japanese electronics giant has retained a team from privately held Data Forte that is led by a former special agent with the U.S. Naval Criminal Investigative Service to work alongside the FBI agents, who are also probing the matter.

Sony said on Tuesday that it has also brought on cyber-security detectives from Guidance Software and consultants from Robert Half International Inc.’s subsidiary Protiviti to help with the clean-up.

A Toronto law firm on Tuesday launched a C$1 billion ($1.05 billion) proposed class-action suit against Sony for breach of privacy, naming a 21-year-old PlayStation user from Mississauga, Ontario, as lead plaintiff. The damages would cover the cost of credit monitoring services and fraud insurance for two years, the firm, McPhadden Samac Tuovi LLP, said in a statement.

Podcasts to Address SOE Outage, Former EQ2 Duo to Talk Rift

Written by Feldon on . Posted in Uncategorized

Barring any unforeseen circumstances, the Jethal Silverwing Show and EQ2’s Day podcasts are expected to run on-schedule tonight and should no doubt bring to bear some interesting discussion about the latest turn of events at SOE causing what could be a protracted downtime for EQ2 and related games.

EQ2’s Day seems to be at 4pm-6pm Pacific (this could be clearer on the website), with Jethal’s show starting at 7pm. Last night’s Down Range already tackled the security compromises and you can listen to that podcast as well. These podcasts are hosted at OnlineGamingRadio.

Also, although it was drowned out by two other major news stories (one being the SOE compromise), the other surprising news tip was that OnlineGamingRadio will be launching a new podcast with Christine “Kiara” Renzetti and Alan “Brenlo” Crosby, formerly EQ2 Community Manager and EQ2 Senior Producer, covering competing MMO “Rift” by Trion Studios.

Incidentally, EQ2Talk is an independent biweekly podcast by Dellmon and Aliscious. They’re not scheduled to do a program this week, but if this changes, we’ll be sure to announce that as well.

First Wave of Phishing E-mails In the Field — Ignore Them!

Written by Feldon on . Posted in Uncategorized

SOE Customers have started to report receiving e-mails from unscrupulous individuals attempting to lure frustrated players to websites which look and feel like official SOE customer portals to try to acquire additional login credentials and credit card information.

Please check the sender of these e-mails and further watch the addresses linked in any suspicious e-mail. When in doubt, go to http://www.SOE.com/ and disregard any links provided in outgoing e-mails.

There is currently no “action” that players can take other than to wait and see how SOE and Sony address the current crisis.

UPDATE: SOE’s website has been updated with the following message:

These emails will be sent by Innovyx, our third party email distributor, and will contain either ‘soe.innovyx.net’ or ‘soe.sony.com’ in the sender field.

Poll: How Long Do You Think SOE Will Be Offline?

Written by Feldon on . Posted in Uncategorized

With yesterday’s news of all SOE customer records (excluding all but a few credit card details) falling into the hands of hackers, there have been wild predictions of just how long it will take until things get sorted out and SOE games, websites, and forums come back online.

The PlayStation Network, which powers online play and updates for the PlayStation 3 and PlayStation Portable (especially the PSP Go which has no game slot), has been offline now for 13 days and yesterday’s press release suggests that some features will be online this week but the entire PSN service won’t be restored until the end of May.

So how long do you think it will be until at least enough SOE services are restored that we can play EverQuest 2 again? It is our understanding that SOE is working with outside security contractors which may add additional time to such a process.

How long do you think it will be until SOE games, specifically EverQuest 2, are back online?











How Long Til SOE is Back in Action?

Written by Feldon on . Posted in Uncategorized

First, some comments from SOE President John Smedley:

It’s been a rough day. We hope to be up soon, but we aren’t ready to announce just yet.

It can’t get any worse than today! I’m sorry the service is down. I really am.

Regarding if the forums will be down for tonight:

Unfortunately yes. I wish they were because we can’t really communicate with our players right now in a good way except on Facebook. It’s frustrating. But the account system is linked to the forums.

and when EQ2 ZAM contacted him:

We shot off a quick e-mail to John “Smed” Smedley, president of Sony Online Entertainment, asking if the servers would be back up tonight.  He quickly replied with, “They won’t be up tonight unfortunately.”

If the PlayStation Network situation (13 days and still down) is any indication, it could be days before SOE games are back online.

Adopt a CSR Day

Written by Feldon on . Posted in Uncategorized

Ok not really, but folks, PLEASE be at least polite when calling SOE Customer Service.

They didn’t set up the servers. They didn’t write the software or security protocols of the servers. They are not wearing shoulderpads or other protective armor. Their only line of defense is the press release you ALREADY read in your e-mail about this situation. So if you decide to ring up SOE to ask what’s going on, please realize they have a limited script to read from, and won’t be able to magically get the servers back up and running.

If you want to express your displeasure with SOE’s handling of this situation, or failure to secure their systems, there are plenty of venues, including the SOE Facebook site.

