New PlayStation Network hack hijacks user accounts

Four days after the PlayStation Network reopened, Sony has taken down login and password recovery pages for the service following reports they contained a serious flaw that was actively exploited to hijack user accounts. The vulnerability, which was first reported by UK-based gaming news site Nyleveia.com, required only that an …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Useless tossers

    You'd really think Sony would have pulled out all the stops and finally got PSN to at least start looking secure.

    Completely and utterly pathetic...

    1. Andy Fletcher

      You what?

      So, knowing the sign in ID, DOB and e-mail address enabled the ability to reset the password. And this makes SONY a bunch of tossers?

      Seriously, given that data for almost ANY online service you could change the password. 3D Secure for instance, that great level of protection provided to us by the card companies, doesn't even need that much info to crack - DOB is all you need. Let's remember PSN is a gaming network at its heart, not a damn bank.

      Bring on the fanboy flames. Sony aren't any worse than everyone else who's got user data when all's said & done.

      1. Danny 14

        oops

        Be under no illusion that 3D Secure is there to help the consumer. It is simply a tool to make it easier for banks to pass the blame to you if your account gets hijacked.

        It was *never* designed to make transactions secure; most of the details (sans DOB) need to be put into the transactions.

        1. Andy Fletcher

          Yes, I know it's a liability shift

          But that's not what the banks tell us it is. You are free to assume I'm an idiot, but I would personally prefer you to judge based on what I have said, rather than things I haven't.

          I honestly didn't think it would be needed for me to list every service on the web that you can crack if you know the sign in, DOB and e-mail address for an account. I just plucked an example out of my head for which you need just one of the three.

      2. Anonymous Coward

        I couldn't even change the password on a Pr0n account

        given that information. Same with my email accounts and credit cards.

      3. Doug Glass

        So? What's your point?

        Then put your money where your mouth is and post all your personal data everywhere you can and make us all look like fools.

        Or not and make you look ... well, you get the point. I guess.

  2. Tim Parker

    Doubts

    "The PSN was restored to most of the world but has remained unavailable in Japan because of doubts that country's government had about its security."

    mod government up on that one...

    1. RAMChYLD

      Japan?

      You mean the fucking whole of Asia. I have not been able to log in to my PSN account for over a month now. Apparently they want to have Japan's servers back up first before turning on the Hong Kong/Taiwan server, which will then restore services to the rest of Asia.

      Aside from getting that 3.61 firmware update, I've not used my PS3 for anything useful since it went down.

      1. Mark Aggleton

        You could...

        .... always use it as a games console with one of those disk things!

      2. The BigYin

        @RAMChYLD

        So a PS3 can't be used without a 'net connection? Glad I didn't go through with buying one a month or two ago! I was planning to use it as a Blu-Ray player, maybe to stream content off my home network and to maybe play games.

        But it if needs an Internet connection to do that - forget it.

        1. Test Man

          Do some research

          Connecting to the internet works perfectly fine on the PS3. The problem for the last month is the PSN network (a service that runs on the internet). This solely affects services tied to PSN, i.e. online gaming, music services like Qriocity, Vidzone.

          Obviously you can still play Blurays and access online stuff from them (as it doesn't need PSN) and you can stream stuff on your online network (as that clearly has nothing to do with PSN). Games you can STILL play - just not any online features (as that will be tied to PSN).

          So stop moaning.

        2. Rob Beard

          @ The BigYin

          Yes, a PS3 will work without an internet connection. It can get firmware updates via the game media, and it'll still stream stuff from the likes of PS3 Media Server without any issues (I've got my PS3 attached to my network but configured in such a way that it doesn't get onto the Internet and it works fine, it also works fine with the wireless turned off and the Ethernet cable not connected).

          Rob

      3. Elmer Phud

        Money

        Sony don't give a toss about you, if they did then the networks would be back up again.

        They only want your money.

        Would you prefer connectivity or security?

        1. Shakje

          BREAKING NEWS:

          Large corporation only wants customers' money.

          1. Giles Jones

            PSN is free

            Sony's gaming network is free. XBox live isn't.

            It's just a hobby project for Sony but a money making service for Microsoft.

  3. irish donkey

    Can we have a new Darwin Award

    For Mega corps that are headed straight down the toilet?

  4. Anonymous Coward

    Seppuku

    Let's hope that this ritual is no longer practised or the cleaners will have an awful lot of trouble sorting out the IT department.

  5. Paul Leighton

    Poor security methods

    For the SOE network I didn't have to do any workarounds or special methods. I launched a game and was asked to change password on the SOE site; the site presented me with boxes to put my existing username+password in (the info that has been supposedly retrieved). I then put in a new password. That was it!?!

    At the very least I would have had it initiate sending a link to my email to present a reset password page, to at the very least help verify who I was with a method that requires more than what's already been leaked to change my account info.

    Appalling Sony!!!

    1. Andy Fletcher

      Nice idea...

      ...but not everyone on the PSN is as organised as you. A significant number of users are:

      1) 10 year olds

      2) Lied about their age so they could play COD and forgot what birthday they used and

      3) Just set up a now long forgotten Hotmail account to get access

      Sony know this. As a result they also know what kind of PR disaster they'd have on their hands if 10 million 10 year olds all lost their rankings, trophies & other "achievements". If you'd tried it on a different console you would have been forced to go through an e-mail confirmation scenario.

      1. Paul Leighton

        I wasn't talking about PSN, I said SOE

        1) agreed

        2) agreed

        3) agreed

        Although I wasn't talking about PSN, I said SOE! The other part that got h4x0r3d!

        Yes, I find it odd to have said my suggestion of it being insecure to just need a username and password to change the details, and that it needs some additional way to secure it and avoid only needing the details that have been retrieved; clearly some people are stupid!

        SOE setup only needed a username and password and let me do what I want with it. It seems, yes, I did get an email to say someone changed those details, but I actually missed that, assuming it was spam/ads no doubt. An after-the-event warning is not a good process; what if someone has changed their email since??

        I repeat.. pathetic SONY!

  6. NoneSuch

    FAIL FAIL FAIL FAIL....

    (To the tune of SPAM SPAM SPAM SPAM....)

    You cannot secure a system that was designed to be insecure from Day One.

    This is what happens when Marketing gets more of a budget than R+D.

  7. Anonymous Coward

    I can't wait...

    For the ICO to issue them a £500 fine in 6 months time for all this.

  8. Anonymous Coward

    Errm

    Doesn't this ASSUME, that hackers actually got usernames and DOB?

    As up till now, nothing says they did....

    1. Anonymous Coward

      What is this I don't even

      You mean aside from the breached databases being stored as plain text that pretty much every news service that has covered this has mentioned?

    2. Paul Shirley

      so weak you don't need the stolen list

      Email address+DOB pairs are one of the easiest things to guess or find, it's hard to think of a weaker validation scheme. That makes this a severe fault *even without stolen credentials*.

  9. Naughtyhorse

    oh dear oh dear

    oh dear.

    the words piss up and brewery spring to mind

    1. Arctic fox

      @Naughtyhorse re "oh dear oh dear"

      "..........required only that an attacker know the date of birth and email address associated with a targeted user's account..............."

      Actually the words that came to my mind were "shagging contest" and "brothel". All I can say other than that is *unfuckingbelievable*.

  10. jake

    It's like watching a train wreck in slow motion.

    I'm beginning to wonder if Sony has anybody on the staff with even half a clue about RealWorld[tm] security.

    I'm also beginning to wonder about the sanity of the fanbois flocking to get back into Sony's insecure network ... what are they thinking? And then I realize they are probably also running software written in Redmond or Cupertino, and I realize that they aren't.

    1. Ed 11

      Linux fanbois no better

      Jake, it might be the smugness of Linux bois such as yourself that keep significant numbers of people as far from Linux et al as possible.

      1. Anonymous Coward

        Re: Linux fanbois no better

        "Jake, it might be the smugness of Linux bois such as yourself that keep significant numbers of people as far from Linux et al as possible."

        Yes, that must be it <rolls eyes>.

      2. jake

        @Ed 11

        I mentioned Linux how many times, exactly?

        Yes, I use Linux, where appropriate. But not on the border routers.

      3. Crazy Operations Guy

        Exactly

        This is why my company avoids open-source crap: they are afraid of being associated with all the crazies. That, and the management is really starting to hate this whole "Open Source vs. Proprietary" war, even though the two aren't mutually exclusive, but the fanbois on both sides make it seem like they are.

    2. Anonymous Coward

      Oh dear..

      I run Windows, OSX and Linux - and I'm not a fan of either but I find myself using OSX the most. However, somehow I don't have this compelling need to immediately bitch about anyone else's approach to computing.

      You see, I don't need technology to have a degree of self worth. I only insult people because it amuses me :-)

    3. Doug Glass

      Sanity?

      Fanbois? Surely you jest with that obvious oxymoron.

  11. Al 14

    Wow...

    ... That is just such a schoolboy error. I know, let's do a password reset...

    Ok, we need a unique code that is sent to the account holders email address and that is all, we must store the code securely on our servers, the code should be a one shot affair and time out.

    So send the code to the client browser too? No no no, just to the account holders email address otherwise it defeats the fricken point!
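Al 14's reset scheme above, and Paul Leighton's complaint further up that SOE let a leaked username and password change everything with no out-of-band check, describe the same fix. The following is an added example written for this page, not Sony's or SOE's code: the weak knowledge-based reset (e-mail + DOB, the check the article says PSN used) beside a one-shot, time-limited token that is hashed at rest and delivered only to the account's e-mail address, never back to the requesting browser. The account record is constructed, e-mail delivery is simulated by appending to an `outbox` list, and all function names (`weak_reset`, `request_reset`, `complete_reset`) are hypothetical.

```python
"""Password reset: the weak knowledge-based check beside a one-shot e-mailed token.

Added example for this comment thread; not Sony's or SOE's code. Account data
is constructed and e-mail delivery is simulated by appending to an `outbox` list.
"""
import hashlib
import hmac
import os
import secrets

TOKEN_TTL_SECONDS = 15 * 60      # reset links should die quickly
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, candidate)


def make_accounts():
    """Constructed sample account (hypothetical data, not real PSN records)."""
    return {
        "u1": {
            "id": "u1",
            "email": "alice@example.invalid",
            "dob": "1990-01-01",
            "password_hash": hash_password("correct horse battery"),
        }
    }


def weak_reset(accounts, email, dob, new_password):
    """The pattern the thread complains about: knowing e-mail + DOB is enough
    to set a new password. Both values were in the leaked data, and are easy
    to find anyway, so this is no authentication at all."""
    for acct in accounts.values():
        if acct["email"] == email and acct["dob"] == dob:
            acct["password_hash"] = hash_password(new_password)
            return True
    return False


class ResetStore:
    """Server-side table: account id -> (sha256(token) hex, expiry timestamp)."""
    def __init__(self):
        self.pending = {}


def _token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(accounts, store, email, now, outbox):
    """Mint a one-shot token and send it only to the account's e-mail address.
    Stores the hash, not the token, and returns nothing to the caller so the
    browser that asked never sees the code. Unknown e-mails get the same
    silence, so the endpoint does not confirm which addresses have accounts."""
    acct = next((a for a in accounts.values() if a["email"] == email), None)
    if acct is None:
        return None
    token = secrets.token_urlsafe(32)
    store.pending[acct["id"]] = (_token_hash(token), now + TOKEN_TTL_SECONDS)
    outbox.append((email, token))   # stands in for the e-mail send
    return None


def complete_reset(accounts, store, account_id, token, new_password, now):
    """Accept the token exactly once, before it expires, compared in constant time."""
    entry = store.pending.get(account_id)
    if entry is None:
        return False
    token_hash, expires_at = entry
    if now > expires_at:
        del store.pending[account_id]
        return False
    if not hmac.compare_digest(token_hash, _token_hash(token)):
        return False                # wrong guess: reject, but keep the pending entry
    del store.pending[account_id]   # one shot: a replayed link fails
    accounts[account_id]["password_hash"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    accounts, store, outbox, now = make_accounts(), ResetStore(), [], 1_700_000_000.0
    print("weak reset with leaked email+DOB:",
          weak_reset(accounts, "alice@example.invalid", "1990-01-01", "pwned"))
    request_reset(accounts, store, "alice@example.invalid", now, outbox)
    _, token = outbox[-1]
    print("token flow, first use:", complete_reset(accounts, store, "u1", token, "new one", now + 60))
    print("token flow, replay:", complete_reset(accounts, store, "u1", token, "again", now + 61))
```

The point of the split between `request_reset` and `complete_reset` is that the only thing linking the two is a secret that travelled through a channel the attacker does not control. Leaked e-mail addresses and birthdays buy nothing against it, and a stolen copy of `store.pending` gives only hashes that cannot be turned back into usable links.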

  12. Anonymous Coward

    3rd party consultants?

    So this is the best security not only Sony, but also those supposedly industry-leading 3rd party security consultants could come up with?

  13. we are all ignorant

    Where are...

    ...the die hard sony users who will actually stick with this drowning behemoth? I remember seeing a few of them comment on the earlier two major security breaches, lol.

    1. Elmer Phud

      Junkies?

      as per title

  14. Jeff 11

    Famous last words

    I heard some security consultant on Radio 4 mention that PSN was now 'totally secure' on Tuesday morning. Ha ha ha.

    1. Anonymous Coward

      Consultant

      Someone who tells your manager what you told them and gets paid a lot - if it works they are geniuses, if it doesn't it was your fault for not doing it right.

      I am sure there is a joke in there somewhere

      1. Joe Drunk

        re: Consultant

        From the wisdom of Scott Adams, author of Dilbert.

        Consultant is derived from two common English terms:

        Con - (ruse, to persuade by deception). You need my services because I am an independent third party with some sort of industry certification that is deemed more essential than practical experience by marketing drones, and I am cheaper since I require no medical, vacation, severance or other expenses. Since the IT team is a hodgepodge of revolving-door rent-a-techs, documentation is available...somewhere...in bits and pieces....but probably not.

        Insult - what is charged for services.

        Consultants are there to con and insult you. However the Powerpoint presentation always bedazzles, contract gets signed!

        Hopefully we get to know the name of what vendor they outsourced the maintenance of PSN to. Doesn't say they outsourced but c'mon, do we really need to connect the dots? 3 weeks and still hackable by simple means?

        PS I am a consultant. Over 3 years here, used to have a really good team of engineers, all left for greener pastures and I now manage a group of revolving door rent-a-techs!! woohoo!!

      2. Mark Serlin

        re consultant

        refer you straight to Scott Adams :) http://dilbert.com/strips/

  15. Someone Else

    Looks like that personnel requisition...

    ...for their new corporate security guru is still unfilled.

    Or should be.

    1. Fred Flintstone

      Of course - wouldn't want to touch it..

      If they are so deeply deficient you have an absolute mountain of a job to get it anywhere near secure, because it has all the decaying reek of a security retrofit (the "oops, we better add some" at the END of a development cycle).

      I personally wouldn't want to get near a position which places you at the receiving end of pressure to go live as soon as possible by the clowns who commissioned the original cockup and who are now massively losing face, and the demands of a proper redesign where security is actually an integral part. Whatever happens, you get blamed. Having said that, if they pay a LOT I may reconsider, but here past record seems to suggest they will go for the cheapest bidder (again).

      So no thanks. I'll step back a bit, get some popcorn and watch the fire instead.

  16. henrydddd

    GH

    Maybe next time they will be less tempted to go after an individual who puts linux on their ps. Considering their level of competence, I doubt it.

  17. Christoph

    Only one thing to say

    They thought they'd fixed it, and now there's *another* major flaw?

    Sony yet so far.

  18. SilverWave

    Karma

    LOL

  19. sisk

    PSN Back up?

    Huh....shows how much I use it. I hadn't even noticed.

  20. jordanpalmer

    PSN fix

    A little jab at playstation for what PS3 users are going through with the hack: http://www.youtube.com/watch?v=0yhQcDgMon8

  21. dssf

    Why do i get the feeling something like this is happening to fb?

    At least in Firefox, even if i reset cookies, the fb page would just reset and say something about username or password error. Logging in under mobile, or/then switching to touch would allow me to then use my desktop page. Weird. Maybe my browser is jacked?

  22. TeeCee

    Wow.

    This mess must now rank about 6.5 "Friday"s on the crapness scale.

  23. The Fuzzy Wotnot

    FFS! Muppets!

    Stop that sniggering at the back you lot!

    Right now, come on Sony, stop messing about! You've had a little practice a few weeks back, a little mess about, let's get it right now!

  24. Anonymous Coward

    Wow

    Glad I removed my payment details while changing my password.

    @The BigYin - no, you don't need a connection to play games or stream stuff. Not that I'm recommending one :)

    1. Anonymous Coward

      "you don't need a connection to play games or stream stuff"

      Unless of course you want to use "Love Film"!

  25. LPF

    Somewhere in redmond..

    The Xbox360 team is laughing their heads off!

    Say what you want about Microsoft, even they would be hard pushed to create this kind of cockup. When people are paying for your service and it is a major revenue generator, you actually put effort into building the system and making sure it is secure!

    1. CD001

      Erm...

      ----

      When people are paying for your service and it is a major revenue generator , you actually put effort into building the system and making sure it is secure!

      ----

      Like Windows you mean?

  26. Seanmon

    Can't wait for payday.

    Gonna get me a dirt cheap PS3.

  27. Arnie

    Joy!

    As someone said, it's like watching a trainwreck in slo-mo.

    How anyone would even consider going back on the PSN beggars belief. Hell, I wouldn't even plug a Sony telly into my network, not that I'd ever own a Sony product other than the 20yr old PLII pre-amp that sits under my monitor.

    Paris cause she is obviously in charge of security at the struggling multi-national

  28. Anonymous Coward

    PSN time machine...

    I got an email from Sony informing me that I had successfully changed my password, more than 12 hours BEFORE I actually managed to finally log on again after the PSN down-time and eventually change my password (not so curiously, the Sony PSN servers were very busy last Sunday!) from my PS3.

    Whoever it was that logged into my account, it wasn't me... and curiously, they didn't bother to actually change my password, despite the Sony email.

    (Paris because I can't think of anyone I'd more like to send into the future (or past))

  29. Anonymous Coward

    had details, did use

    My online Fifa account was hacked after they obtained my DOB and secret email address from the PSN hack.

  30. joe.user

    Sony Security - YOU SUCK

    And you're in charge of a cluster of code-cracking GPUs!? Dangerous...

  31. Anonymous Coward

    If I lived in Japan

    I'd be avoiding cherry orchards in spring for the next couple of years I think..

  32. Slackness

    So Glad

    So glad my stepson had gaming removed for a minimum of a year (*on medical advice) for his gaming addiction, it was kind of poetic that it happened at the point of the issue arising.

    So, we are very happy to ride this out... Thanks Sony! Top Marks!

  33. Jayw

    Oh, finally

    I emailed Sony support about this issue over a year ago. Nice to see they've finally bothered to do something about it now that the eyes of the world are on them.
