back to article Sony network ransacked in huge brute-force attack

Sony has warned users against a massive bruteforce attack against PlayStation and Sony network accounts. The attack – which used password and user ID combinations from an unidentified third-party source – succeeded in compromising 60,000 PlayStation Network and 33,000 Sony Online Entertainment network accounts. These accounts …

COMMENTS

This topic is closed for new posts.
  1. Atonnis
    Meh

    The motive?

    It's to steal information, use accounts for spamming and phishing, and possibly there's a small smidgeon of 'we can f--k you up whenever we want, Sony' attitude mixed in.

    But thievery is the primary motive. It always is, no matter what flowery bullsh*t is used to declare some sort of 'l33t' status.

  2. rurwin
    WTF?

    Ransacked?

    That's rather harsh use of language isn't it?

    The hackers tried huge numbers of usernames and passwords, probably taken from a hack on another site. 93,000 of those matched usernames and passwords used on PSN and/or SOE. In the great majority of cases that is all that happened before Sony shut them out. In a few cases there was further activity and Sony knows which cases they were and will reimburse lost funds.

    Hardly "ransacked". In fact more like "Sony proves they've learned their lesson in huge brute-force attack".

    1. Alan Dougherty
      Pint

      And sheeple didn't learn to use different passwords on different sites, despite previous hacks, and warnings to change them..

      Yes, people are are told to not use a password book, but lets face it, with 20-30 different accounts, over multiple servers, the only real option is a physical book, or encrypted password file...

      I use a book.. I'll know it's compromised when I come home to find the house ransacked.. then I can change them..

  3. jai

    that's why i changed my PSN password to a long random string that isn't used anywhere else, because it was obvious this was going to happen again some time

  4. Anonymous Coward
    FAIL

    Nice try...

    But you fail to grasp what it's saying...

    In short, someone is trying to access accounts on PSN with lists stolen from elsewhere, in the hope that users have used the same email/password combo.

    So tell me, why is that Sonys problem????

    1. Anonymous Coward
      Anonymous Coward

      So tell me, why is that Sonys problem????

      Because they live in the real world.

      This real world is a magical place where dreams are made and crushed by the popularity of your products. If your product is popular you will succeed despite a handful of "people that aren't sheep" telling you why you, your product and your millions of customers are wrong.

      Having tens of thousands of your customers come under attack can be a marketing nightmare or a marketing bonus depending on how it is handled. In the nightmare situation you do nothing, say "not our problem" and that's the end of it, you've save a million in lost hours and goodwill gestures...but you've also lost 100million in future sales due to your piss poor handling of the situation. The best solution is to put in that small investment into your customer base, make them happy and you can reap the rewards when the next version of your product is released.

      Many companies fail to grow because they follow your mantra of "not our problem" it works great while you have new customers, but once you have gone through the market your business will fall flat on its face because no one else will want to buy from you.

      1. Anonymous Coward
        FAIL

        So by your logic...

        The bad guys are:

        Microsoft

        Nintendo

        Netflix

        + every other company with lots of users accounts, that say nothing when they get mass attacks based on some other sites passwords and logons....

        As clearly there has been no hack at Sony, there has been a hack elsewhere, and those details are being used in an attempt to get PSN details.

        So again, what have Sony done wrong here? If they say nothing, that's wrong, if they inform the press that there are hack attempts, that's wrong too....

      2. Tom 13

        For as much as I dislike Sony, I gotta agree with Barry on this one.

        If I'm dumb enough to use the same username and password on two websites, there's not a damn thing the second site can do to protect my account if the first one gets hacked.

        And it seems that Sony have learned from their previous mistake: the accounts were immediately locked, owners notified, mediation of damages were offered, and the incident was publicized.

    2. Anonymous Coward
      Anonymous Coward

      Sony says the lists are from elsewhere.

      What kind of fool believes anything Sony says. Their incompetence has been repeatedly proven.

      My personal boycott of Sony is now at 3 years minimum.

    3. DrXym

      It isn't Sony's problem

      They detected the attack and stopped it. Evidence that their security is improving. Who knows where the original list came from, but there are enough gaming forums and other sites where people often use their XBL / PSN id to talk and may well use the same password too.

  5. Adam 60
    Unhappy

    Not Sony's Fault

    So, the accounts were compromised because people re-used compromised login details, or had easy to guess passwords?

    The fault this time lies entirely with the end user.

    The sad thing is, given the choice between learning to increase their on-line security or blaming someone else (Sony), I know where the majority of 'victims' will fall.

  6. DragonKin37
    WTF?

    Here we go again

    This reads like the AnitSec are back for the Lulz. Or somebody is really bored, Sony knew this was going to happen and yet accounts got hacked...Sad indeed.

    1. sisk

      It's not really their fault this time

      It was a brute force attack. All brute force attackers need to overcome any single factor security (such as username and password) is time. There's really no way to defend against brute force except by adding biometrics or something to your signon.

      1. Naughtyhorse

        All brute force attackers need is time...

        not quite so. why not have 3 attempts at logging in and a five minute lockout in the event of a fail. wont stop brute force attacks, but make them take an impossibly long time to run even modest lists.

        seem to remember pr0n sites doing such back when i was a lad with john the ripper and a list :-)

      2. Anonymous Coward
        Anonymous Coward

        "no way to defend against brute force"

        Bullshiat!, it is possible to defend against brute force attacks. It's as simple as locking out the account after 3 or so attempts.

      3. Daniel B.
        Boffin

        Not a brute force attack

        More likely someone nicked either a hashed pwd list, or applying the infamous Gizmodo list on the PSN. It is bound to end up scoring with people who use the same password for everything. That's the reason why I now use random passwords on most sites and keep said passwords on a Password Safe.

  7. Anonymous Coward
    Anonymous Coward

    Non news?

    "We want to let you know that we have detected attempts on Sony Entertainment Network, PlayStation Network and Sony Online Entertainment (“Networks”) services to test a massive set of sign-in IDs and passwords against our network database. These attempts appear to include a large amount of data obtained from one or more compromised lists from other companies, sites or other sources."

    Someone stole some user details from elsewhere and are trying to use them to break into PSN. END OF STORY....

    1. Ken Hagan Gold badge

      Re: End of story

      Not quite. If your account was attacked, it probably means that an account you have with some unrelated organisation has been compromised.

      If those who had been attacked compared notes regarding who they have accounts with, it would probably be obvious where the breach had occured. Pooling information in this way might itself constitute poor security, though.

  8. Elmer Phud

    Sort of expected

    Sony pwnd once again.

    It was only a matter of time.

  9. Dave Murray

    I bet this isn't really a brute force but someone trying the list of usernames & passwords from the earlier attack again and these 93,000 idiots, sorry... users, had changed their passwords back.

    1. Anonymous Coward
      FAIL

      You bet wrong.

      Every PSN user was forced to change their password. So no accounts would have therefore been hacked.

      I know it's really fashionable to blame Sony, but they are not even in the slightest to blame here.

      I'm guessing those same 60k accounts were also tried to use to log onto Xbox Live, but Microsoft aren't warning people.....

      The EPIC FAIL here are the posters that somehow think Sony are responsible for users duplicating passwords and logins across domains...

      1. Naughtyhorse

        I think the original post implied lusers had changed their PW's _BACK_ to the old version after sony insisted everyone change.

        At least that's what i read it to be.

        which makes Sony's offers or compo particulary generous.

        if i told you you couldnt use 'dave' as your pw and you changed it to 'chas' for a week and then went back to 'dave' when you got burned i'd take the view it was all down to you.

        then again i didnt bolluxup 93 million accounts a few months ago.....

        1. Tom 13

          If Sony let them get away with that

          they'd still be due some blame. Most password systems let you force that a password cannot be re-used for x number of times. But I concur MOST of the blame still belongs with the wetware at the far end (from Sony) of internet connection.

  10. NoneSuch Silver badge
    Coat

    I am not going to say it.

    I am not going to say it.

    I am not going to say it.

    Oh, what the heck... "I told you so..."

  11. Anonymous Coward
    Anonymous Coward

    They made unauthroised payment using the accounts yet the motive remains unclear? WTF???

  12. Just a geek
    Holmes

    Could the source be Sony?

    "The attack – which used password and user ID combinations from an unidentified third-party source" What like the hack attack which stole user IDs and passwords back over Easter?

    1. varsas

      Given that every PSN user was forced to change their password that would not make sense.

  13. Thomas 4

    Phew

    Thank god they installed that chief information security officer after that last attack, otherwise they'd have no-one to fire over this one.

  14. TeeCee Gold badge
    WTF?

    Bruteforce?

    "...used password and user ID combinations from an unidentified third-party source..."

    That doesn't sound like a bruteforce attack to me. That's a "wander right in using the same user/pwd combo that muppet-brain used on other site xyz" attack.

    Maybe we need a snappy, single word name for that so Sony can use it in press releases come the next "Sony caught with knickers round ankles again" story?

  15. Anonymous Coward
    Anonymous Coward

    When will it ever stop?

    This just isn't funny any more.

    1. Anonymous Coward
      Anonymous Coward

      oh yes it is

      see title

  16. Naughtyhorse
    Facepalm

    Deja Vu???

    li'l bit

  17. Anonymous Coward
    Anonymous Coward

    what I'd be interested in

    Is which hosting provider's network was this data-slurp executed from?

  18. Captain TickTock
    Trollface

    Motive remains unclear...

    ... just have to find someone with a grudge against Sony. That should narrow it down..

  19. AndrueC Silver badge
    Joke

    Don't panic!

    We've all signed away our right to take part in a class action against Sony so the harm has been minimised :D

    1. Anonymous Coward
      Anonymous Coward

      Joke or not I have not signed away any rights with Sony. I refuse to accept the new terms PERIOD.

      Sheep will sign anything I suppose, without even reading it first.

    2. Anonymous Coward
      Anonymous Coward

      Except of course in the UK you cannot sign away your rights.

  20. Trifle Slob

    What is the point of such a network?

    Sony seems to have more problems these days with their '2 bit' freebie gaming network than is worthwhile and they don't seem to know whether they're coming or going securitywise.

    I'll stick with the XBL until somebody manages to spread it's security legs wider than the dirty Whore that is PSN.

    1. Anonymous Coward
      FAIL

      Errm Idiot alert..

      Someone want to tell him that those same 60k account login details would have been tried against XBox Live too (and no doubt hundreds of other sites online).

      The difference is, Microsoft haven't informed him....

      1. Trifle Slob
        Facepalm

        Fanboys are usually quick to jump.

        Can you actually provide evidence that they did?

        You have no basis to prove such an accusation, but seem certain regarding the fact.

        Do you have some insight that the rest of the world doesn't.

        By your reckoning and logic here almost anything and everything could have been hit by the said attack, but the truth is it's unlikely.

        How many warnings have you received from other parties regarding this attack?

        I'm guessing no-one.

        All I ask for is a trouble free and secure gaming network and I've had that for more than 5 years, none of my info seems to have been spilt all over the net, if so, M$ have made a mighty fine job of cleaning it or keeping it from the public eye, which is exactly as I want info treated.

      2. Trifle Slob
        Facepalm

        Can you actually provide evidence that they did?

        You have no basis to prove such an accusation, but seem certain regarding the fact.

        Do you have some insight that the rest of the world doesn't.

        By your reckoning and logic here almost anything and everything could have been hit by the said attack, but the truth is it's unlikely.

        How many warnings have you received from other parties regarding this attack?

        I'm guessing no-one.

  21. SpaMster
    Trollface

    Unleash the x-box fanboys!

    My guess is the 93,000 compromised accounts are the ones of people who vowed never to log onto playstation network again after the last attack, and therefore left there passwords unchanged.

  22. Anonymous Coward
    Anonymous Coward

    Change your password!

    I wonder how many of the accounts compromised in the first attack on the PSN 'changed' their passwords by adding 1 to the number at the end? Worth a brute-force check...

  23. Alistair MacRae

    People are just people.

    You cant complain when people don't take proper care of their own security saying they should know better.

    Looking at the number of accounts that get highjacked it's clear they don't know.

    I don't know who's responsabilty it should be to get these people to take better care though.

    If Sony put something up for people to read before joining people would just ignore it anyway. So how do you fix these people?

    I really don't like Sony though so I find it hard to sypothize with them. It's just their customers I feel sorry for.

  24. DaeDaLuS_015
    Flame

    ergh

    For the love of [insert deity here]. Given the profile of Sony's last hack is it not reasonable to assume they have become a target of what, the majority of you seem to keep forgetting, is a criminal activity? Yeah sure it's all Sony's fault for somehow not being able to secure it's network, point in case is they shouldn't have too. I see not one post on here condemning hackers targetting PSN, a service used by millions, yet i see a damned lot of slating of Sony's security.

    I'll tell you what i'll get a victim of violent crime and bring them out here and we can all tell them how pathetic they were for not taking self defense lessons of some kind. Yes, that is exactly how rediculous the majority of people are being regarding Sony's repeated attack.

    For every attack you hear about that works, i bet they fend of tens if not hundreds of other attacks which don't work, especially given the profile of their "rubbish" security. You all need some perspective.

    Also the data was from a third party site [supposedly], if that's not a sony controlled one then it's not even remotely their issue and clearly they have reacted appropriately.

    </rant>

    1. Tom 13

      Your first paragraph is rubbish.

      and your second debatable. I know Europeans don't get American gun culture, but the fact is, it actually works except where idiots here think Europeans have a better idea and we should emulate it.

      Your third statement while probably true has no proof and is therefore moot.

      But I'll let you off because your final paragraph correctly sums up the article. Next time skip the dreck at the front and you'll get a thumbs up.

      1. Anonymous Coward
        Anonymous Coward

        @tom 13

        " know Europeans don't get American gun culture, but the fact is, it actually works"...

        Yes, yet another successful gun related massacre in the USA recently.

    2. Kazriko Redclaw
      Alert

      DaeDaLuS_015:

      This was, in fact, an unsuccessful attack. It's because of Sony's heightened security that it didn't get through to cause any damage, and this was clearly not Sony's fault in this case. It's those users who utilized the same username/password combination elsewhere as they did on the PSN.

      The accounts were locked out to prevent the user's own mistake from causing too much damage.

  25. FuzzyTheBear
    Coat

    Why Sony , again ?

    Simple .. it's the most hatefull and hated company ever.

    They treat their resellers like crap , their customers like shit and the whole enchilada is past due for the garbage bin. They are still in business because people dont care as long as they got the immediate benifits of a toy. I say it's time to change customer attitude and make them think before they buy that the corporation dont give a shit about them and that they count for nothing. All they want is the money for nothing in return and that's just the top of Sony's iceberg.

    I know .. we're a Sony Professional retailer and service center.

    A post covering detailed Sony's behavior would be several hundred pages long.

    Most unfortunate. But fortunately it's time for a pint.

    1. Jonathan Carlaw

      If you dislike Sony that much, perhaps you should reconsider working for or running a Sony Professional retailer / Service Centre?

      Or is it that you don't care as long as you keep getting your share of the cash?

    2. SpaMster
      FAIL

      Think you'll find there is a lot more people out there who hate microsoft to be honest. Just think for a second how many windows pc's get hacked every day, and nobody bats an eyelid.

      1. eulampios

        right

        All of them : Microshit, Apple, Sony and Oracle deserve to die.

    3. Ken Hagan Gold badge

      Re: "Simple .. it's the most hateful and hated company ever."

      That would, of course, be a matter of opinion. For what it's worth, I say Sony were better than this lot: http://en.wikipedia.org/wiki/Bhopal_disaster

    4. rurwin
      Facepalm

      I edited your post a little...

      > we're a Sony Professional retailer and service center.

      > They treat their resellers like crap

      > [we] dont care as long as [we get] the immediate benifits of [...?]

      > I say it's time to change customer attitude and ... think before [we] buy that the corporation dont give a shit about [us] and that [we] count for nothing.

      And to quote someone else:

      * Physician heal thyself.

      * Before you remove the mote from your neighbour's eye, first remove the log from your own.

      Or maybe there is a good reason for you to be in the business. Maybe there is also a good reason your customers are still your customers.

    5. Ceiling Cat
      Facepalm

      [FuzzyTheBear] I say it's time to change customer attitude and make them think before they buy that the corporation dont give a shit about them and that they count for nothing.

      -----

      Really? And how much of a shit should they give about me? I bought an MP3 Player, not stock in the company. Furthermore, I bought the cheapest one, because even their more expensive players don't support FLAC (my preferred format).

  26. Anonymous Coward
    Anonymous Coward

    "All brute force attackers need to overcome any single factor security (such as username and password) is time. "

    Only someone that's never understood security on a real computer OS (e.g. VMS) would be naive enough to say that.

    There are various methods of slowing down a brute force attack so dramatically that it becomes so slow as to be pointless.

    The fact that most outfits choose to ignore these methods (even when the method isn't specific to a given OS) reflects the fact that the Internet is largely run by "presentation layer people" (with a smattering of connectivity and routing experts).

  27. Anonymous Coward
    Anonymous Coward

    somehow

    somehow I think there exists at least one person at Sony is thinking that Sony should have left geohot alone

  28. Anonymous Coward
    Anonymous Coward

    Hmmm, interesting....

    Word on the street is that the details are actually Xbox Live 100k stolen login/passwords that Microsoft has been keeping quiet about.

    Many of the users of this attempted PSN bruteforce hack ONLY used their email/password combo on Xbox Live.

    Tut Tut Microsoft….

This topic is closed for new posts.

Other stories you might like