Posts Tagged ‘compromised accounts’
Although we are unsurprised — restoration of services even by the end of the week now seems unlikely — we bring you the latest news from SOE’s Facebook page as of May 9, 1:55 p.m. PDT:
SOE services will remain offline today. We continue to work diligently to bring things back as quickly as possible and appreciate your continued patience.
From Bloomberg.com comes an article posted today (May 9, 2011):
Sony Corp. (6758)’s PlayStation Network and Qriocity online services remain shut as of today, Shigenori Yoshida, a Tokyo-based spokesman said. Sony is uncertain when it can resume the services, Yoshida said by phone today.
The company is in the process of adopting an improved security system and its plan to restart the services fully by May 31 is unchanged, he said. Sony shut down the PlayStation Network and Qriocity services April 20 because of possible data theft by hackers.
The maker of PS consoles had planned to restart partial operations within a week after boosting the level of security system, the company said May 1.
Note: We erroneously reported that PSN service had been restored in Japan based on an ill-informed blog. To date, PlayStation Network remains inaccessible in Japan, Europe, Oceania, and the US, now over 17 days since it was taken offline.
Meanwhile we’re just coming up on 7 days that Sony Online Entertainment has seen all of their games, websites, forums, and services offline and there has been no word on their possible return date.
Although SOE games and services remain offline, readers have noticed some curious changes.
Most obvious is that http://www.EverQuest2.com/ and http://www.SOE.com/ are no longer resolving correctly and presenting an error message. The secure version of https://www.SOE.com/ (notice the additional ‘s’) is however online and presenting the same updates we were provided with yesterday.
As there has been no announcement from SOE about what the steps will be for users to change their passwords, login, secure their accounts, and start playing again (indeed SOE communication has been nothing short of atrocious — perhaps due to the stipulations of lawyers), it’s unclear what conclusions we should draw from some servers being accessible while others are not. Is this a sign that things are about to open back up, or just a sign that SOE platform aren’t properly securing websites in preparation for the service restoration?
Shabutie did some checks of the DNS information present on different SOE game websites (FreeRealms.com, EverQuest2.com, etc.) and has noticed that they no longer all point to SOE’s main website. This may indicate that things are opening up soon, but without confirmation from anyone at SOE, all we can do is guess.
Although Facebook and Twitter remain mum (their last update was 12 hours ago), maybe today’s the day? Although 4 days is not a terribly long outage considering the complexity of the security breach, the lack of communication has really exacerbated this and made the outage feel a lot longer than it has been. More as we have it…
Howard Stringer, Sony Corp Chairman and CEO over America, has posted an apology letter and the first details of the Identity Theft protection package that will be provided for free to PlayStation Network customers. No word on if said protection will be made available to Sony Online Entertainment customers.
I know this has been a frustrating time for all of you.
Let me assure you that the resources of this company have been focused on investigating the entire nature and impact of the cyber-attack we’ve all experienced and on fixing it. We are absolutely dedicated to restoring full and safe service as soon as possible and rewarding you for your patience. We will settle for nothing less.
To date, there is no confirmed evidence any credit card or personal information has been misused, and we continue to monitor the situation closely. We are also moving ahead with plans to help protect our customers from identity theft around the world. A program for U.S. PlayStation Network and Qriocity customers that includes a $1 million identity theft insurance policy per user was launched earlier today and announcements for other regions will be coming soon.
In the coming days, we will restore service to the networks and welcome you back to the fun. I wanted to personally reach out and let you know that we are committed to serving you to the very best of our ability, protecting your information better than ever, and getting you back to what you signed up for – all the games and great entertainment experiences that you expect from Sony.
With best regards,
The details of the AllClear ID Plus identity theft package now available to PSN customers are available on the PlayStation Blog. As no Sony Online Entertainment customers in North America had their credit card information revealed, this service may not be available for SOE customers.
Japan’s biggest consumer-electronics exporter will offer a $1 million insurance policy per user, covering legal expenses, identity-restoration costs and lost wages that occur after data is stolen, Sony said in a blog post. Austin, Texas-based Debix Inc. was hired to provide the monitoring service and similar programs for users in other countries are also being considered, it said.
Sony didn’t elaborate whether the program will cover identity theft that isn’t related to the mid-April breach of the PlayStation and Qriocity networks, which affected 77 million accounts. Separately, some 24.6 million users of the Sony Online Entertainment platform were also affected, the company said.
As posted on the PlayStation Blog on May 5th at 4:30pm PDT:
Today our global network and security teams at Sony Network Entertainment and Sony Computer Entertainment began the final stages of internal testing of the new system, an important step towards restoring PlayStation Network and Qriocity services.
As previously mentioned, we’ve been working around the clock to rebuild the network and enhance protections of your personal data. It’s our top priority to ensure your data is safe when you begin using the services again.
We understand that many of you are eager to again enjoy the PlayStation Network and Qriocity entertainment services that you love, so we wanted you to be aware of this milestone and our progress. We will provide additional updates as soon as we can.
Note: It was pointed out that the article mentions nothing of SOE.
There’s only so much PSN, Anonymous, and Sony news I can post. I mean, what we really want to know is when OUR games and OUR network will be back online. But, if you just crave this type of information, or your enjoyment of your PS3 (when you’re not playing EQ2) has really been cramped by this debacle, well, here is some further reading:
UPDATE: Unreliable source used for PSN returning in Japan. PSN service has not been restored anywhere to date.
News is now trickling in that the PlayStation Network, down now for over 2 weeks, has been restored in Japan and headway is being made in bringing at least parts of the service (lacking most notably microtransactions and the PlayStation online store) back to Europe and North America. Unfortunately we have no further timetable on when Sony Online Entertainment services and games will be restored.
According to a completely unsubstantiated comment posted on a blog, there is now a timetable for the restoration of PSN service in Europe and North America:
- North/East Asia – Tuesday May 3rd (22.00)
- Europe – Wednesday May 4th (22.00)
- USA – Thursday May 5th (08.00)
- AUS – Thursday May 5th (14.00)
UPDATE: Obviously this timetable was not correct, as these times have come and gone and Japan, Europe, North America, and Australia remain cut off from the PlayStation Network.
The first step of PSN restoration has been enabling users to change their passwords. It is unclear what credentials and guidelines are being used to ensure identification. We may see a similar situation for SOE, with a password change on a special website being required before we can access our accounts.
File this under pure speculative analysis, but Wired’s Threat Level has some thoughts on just who (and why) the PlayStation Network (and Sony Online Entertainment) were compromised and records pilfered. If you’d like a little more insight into the players, it’s worth a read:
It’s one of the biggest data breaches in history. Now that Sony has come clean — sort of — on a computer intrusion this month that exposed personal information on 77 million PlayStation Network users, one obvious question remains: Who pulled off the hack?
In the old days, the answer would be simple: some kid did it. But today’s underground is more complicated — a slew of competing players with different agendas and techniques. Here’s a quick rundown on the likely suspects.
They tackle Anonymous, China, the Recreational Hacker, and finally For-Profit Cyberthieves out of Eastern Europe or Russia. Continue at Wired
Some players have asked for updates every 12 hours from SOE, even if it’s just to report there has been no new progress. If this was you, well here you go with an SOE Facebook update from about 2 hours ago:
We regret that we were unable to bring services back online today, and continue to work hard on the issue!
This is from May 1st but due to some requests I’ve gotten about whether Sony will reimburse customers for any bank-related costs due to the security breach, I thought it was worth highlighting.
In this morning’s news conference, Sony Computer Entertainment head Kazuo Hirai said the company would consider covering costs associated with reissuing credit cards to PlayStation Network subscribers who feel their accounts have been compromised by the massive data breach of April 20.
Hirai, noting that there have been no confirmed incidents in which fraud was committed with a credit card number stolen from the PSN breach, said the company has asked the FBI for a criminal investigation of the matter.
While there are 77 million accounts in the PlayStation Network, some are held by the same household or person. Hirai said the owners of 10 million PSN accounts have been notified that their credit card information may have been compromised. However, the three-digit CVV number on the back of the card, required for purchases over the Internet, was definitely not compromised.
The replacement of a lost or stolen credit card is typically done for a customer for free, but to banks there is a cost of printing, processing and mailing the cards, plus a cost of lost business while the customer waits for a new one. Earlier in the week, news reports pegged the transactional costs of card replacement at between $3 and $5 per card. It’s unclear who Sony would compensate, if it does, or if enough cardholders will ditch their cards to make it an issue that banks complain about to Sony.
In congressional testimony this morning, Dr. Gene Spafford of Purdue University said that Sony was using outdated software on its servers — and knew about it months in advance of the recent security breaches that allowed hackers to get private information from over 100 million user accounts.
According to Spafford, security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which “was unpatched and had no firewall installed.” The issue was “reported in an open forum monitored by Sony employees” two to three months prior to the recent security breaches, said Spafford.
After initially going on the record stating that Anonymous, the evangelist hacker group, had no involvement in the actual hack of the PlayStation Network (and by extension the SOE network), Sony have now pointed the finger for a different reason.
In a letter to congress, Sony has posited that the very disruptive flooding/attacks on Sony servers in retaliation for the George Hotz lawsuit was a sufficient distraction to leave a much larger window for hackers to enter Sony systems and leave undetected. Sony has suggested that had the coordinated denial-of-service attacks not happened, a compromise of their servers would have been more easily detected and possibly thwarted.
Sony has blamed the online vigilante group Anonymous for indirectly allowing the security breach that allowed a hacker to gain access to the personal data of more than 100m online gamers.
In a letter to the US Congress, Sony said the breach came at the same time as it was fighting a denial-of-service attack from Anonymous.
Denial-of-service attacks take servers down by overwhelming them with traffic.
The online vigilante group has denied being involved in the data theft.
Sony said that it had been the target of attacks from Anonymous because it had taken action against a hacker in a federal court in San Francisco.
Today, the Subcommittee on Commerce, Manufacturing and Trade of the U.S. House of Representatives Committee on Energy and Commerce held a hearing in Washington, DC on “The Threat of Data Theft to American Consumers.”
Kazuo Hirai, Chairman of the Board of Directors of Sony Computer Entertainment America, submitted written answers to questions posed by the subcommittee about the large-scale, criminal cyber-attack we have experienced. We wanted to share those answers with you.
- Complete 8-page written response on Flickr
- Summary on PlayStation Blog
Note that much of this information is generic to the PSN (SCEA) and SOE data breaches. Look for SOE and Sony Online Entertainment in the text of these letters if you wish to locate passages relevant to your game network.
SOE.com has been updated with a new Recent Updates section which answers a few questions, although there are few concrete answers at this point. Also, according to a Facebook update, the $10 discount on Fan Faire registration will be extended due to the service outage.
May 4, 2011
We want to thank you again for your patience as we work to get the SOE services back up and running. We received several questions and comments relating to the criminal attack to our network and would like to address some of the most common questions today. We are also going to continue to post updates to this website with new information as they become available.
We appreciate your continued patience and feedback.
Sony Online Entertainment
A U.S. House of Representatives subcommittee is demanding answers from Sony after private information from some 102 million personal accounts was taken by hackers.
In a letter written by the Congressional Subcommittee on Commerce, Manufacturing and Trade and addressed to Sony chairman Kazuo Hirai, representatives asked the company to answer a list of 13 questions related to the hacking of Sony’s PlayStation Network.
The Congressional committee has demanded answers about the PlayStation Network breach only, perhaps because news of the Sony Online Entertainment breach wasn’t released until Monday afternoon.
From SignOnSanDiego.com, the website of the San Diego Union-Tribune newspaper.
Customers of San Diego-based Sony Online Entertainment must watch out for “spear phishing” scams after a hacker may have gained access to personal information on 24.6 million accounts, including email addresses and passwords.
Privacy experts say cyber criminals could have enough information to send highly customized emails or postal letters — or make phone calls — that will appear to come from Sony in hopes of tricking customers into revealing more sensitive information — such as credit card or Social Security numbers.
Sony Online Entertainment urged its customers to be “especially aware” of these scams. “Sony will not contact you in any way, including email, asking for your credit card number, Social Security number or other personal information,” the company said in a letter to customers posted on its Web site. “If you are asked for this information, you can be confident Sony is not the entity asking.”
Sony Online Entertainment, which makes video games such as the EverQuest series that users play online, abruptly shut down its network on Monday after the breach was discovered. The breach did not expose customer credit card numbers in the U.S. But it did possibly reveal names, addresses, email, birth dates, gender, phone numbers, login names and passwords.
The PlayStation network breach came from an attack on a data center in San Diego. Taina Rodriguez, a Sony Online Entertainment spokeswoman, declined to say if PlayStation and Sony Online Entertainment shared the same data center.
“Our servers are different from the PSN servers,” she said. “We are operated separately. But since we’re both under the Sony umbrella, there is a degree of architecture that overlaps.”
Rodriguez added that Sony Online Entertainment’s network would be shut down until Friday and possibly longer. The company has contacted the FBI to investigate the attack.
Sony has hired outside investigators to help clean its networks and catch the people behind a massive breach that exposed the personal data of more than 100 million video game users.
The Japanese electronics giant has retained a team from privately held Data Forte that is led by a former special agent with the U.S. Naval Criminal Investigative Service to work alongside the FBI agents, who are also probing the matter.
Sony said on Tuesday that it has also brought on cyber-security detectives from Guidance Software and consultants from Robert Half International Inc.’s subsidiary Protiviti to help with the clean-up.
A Toronto law firm on Tuesday launched a C$1 billion ($1.05 billion) proposed class-action suit against Sony for breach of privacy, naming a 21-year-old PlayStation user from Mississauga, Ontario, as lead plaintiff. The damages would cover the cost of credit monitoring services and fraud insurance for two years, the firm, McPhadden Samac Tuovi LLP, said in a statement.
From SOE Facebook:
Hey folks, in response to many inquiries, we wanted to reassure you that all of your characters and items are safe and awaiting your return. We continue to work on the issues as fast as we can, but unfortunately the servers will not come up today. Thank you for your continued patience; we expect to be back up very soon.
Barring any unforeseen circumstances, the Jethal Silverwing Show and EQ2’s Day podcasts are expected to run on-schedule tonight and should no doubt bring to bear some interesting discussion about the latest turn of events at SOE causing what could be a protracted downtime for EQ2 and related games.
EQ2’s Day seems to be at 4pm-6pm Pacific (this could be clearer on the website), with Jethal’s show starting at 7pm. Last night’s Down Range already tackled the security compromises and you can listen to that podcast as well. These podcasts are hosted at OnlineGamingRadio.
Also, although it was drowned out by two other major news stories (one being the SOE compromise), the other surprising news tip was that OnlineGamingRadio will be launching a new podcast with Christine “Kiara” Renzetti and Alan “Brenlo” Crosby, formerly EQ2 Community Manager and EQ2 Senior Producer, covering competing MMO “Rift” by Trion Studios.
Incidentally, EQ2Talk is an independent biweekly podcast by Dellmon and Aliscious. They’re not scheduled to do a program this week, but if this changes, we’ll be sure to announce that as well.
SOE’s Facebook Update as of 30 minutes ago is brief and to the point:
We’re working as hard as we can to get the servers up as soon as possible, but have no ETA at this time.
SOE Customers have started to report receiving e-mails from unscrupulous individuals attempting to lure frustrated players to websites which look and feel like official SOE customer portals to try to acquire additional login credentials and credit card information.
Please check the sender of these e-mails and further watch the addresses linked in any suspicious e-mail. When in doubt, go to http://www.SOE.com/ and disregard any links provided in outgoing e-mails.
There is currently no “action” that players can take other than to wait-and-see how SOE and Sony address the current crisis.
UPDATE: SOE’s website has been updated with the following message:
These emails will be sent by Innovyx, our third party email distributor, and will contain either ‘soe.innovyx.net’ or ‘soe.sony.com’ in the sender field.
First, some comments from SOE President John Smedley:
It’s been a rough day. We hope to be up soon, but we aren’t ready to announce just yet.
It can’t get any worse than today! I’m sorry the service is down. I really am.
Regarding if the forums will be down for tonight:
Unfortunately yes. I wish they were because we can’t really communicate with our players right now in a good way except on Facebook. It’s frustrating. But the account system is linked to the forums.
and when EQ2 ZAM contacted him:
We shot off a quick e-mail to John “Smed” Smedley, president of Sony Online Entertainment, asking if the servers would be back up tonight. He quickly replied with, “They won’t be up tonight unfortunately.”
If the PlayStation Network situation (13 days and still down) is any indication, it could be days before SOE games are back online.
Ok not really, but folks, PLEASE be at least polite when calling SOE Customer Service.
They didn’t set up the servers. They didn’t write the software or security protocols of the servers. They are not wearing shoulderpads or other protective armor. Their only line of defense is the press release you ALREADY read in your e-mail about this situation. So if you decide to ring up SOE to ask what’s going on, please realize they have a limited script to read from, and won’t be able to magically get the servers back up and running.
If you want to express your displeasure with SOE’s handling of this situation, or failure to secure their systems, there are plenty of venues, including the SOE Facebook site.
Today’s news that the SOE Customer Database has been stolen has continued to break around the Web from the BBC to Reuters to Nikkei news in Japan.
We have news from:
- Yahoo Finance
- PC IGN