Sony Targeted Yet Again; Thwarts Attackers This Time

Posted by Unknown Lamer
from the script-kiddies-gone-wild dept.
alphadogg writes with an excerpt from a Network World article: "Sony suspended 93,000 user accounts on several of its gaming and entertainment networks after unauthorized login attempts on those accounts. The attempts occurred on the PlayStation Network, Sony Entertainment Network, and Sony Online Entertainment, and the company says that login information likely acquired from other sources was tested en masse on the networks. Only a 'small number' of the attempts were successful, and no credit card information was leaked. ... Sony Chief Information Security Officer Philip Reitinger said that 'less than one tenth of one percent' of the networks' users may have been affected."
  • "Sony suspended 93,000 user accounts

    'less than one tenth of one percent' of the networks' users

    Sony has over 93 million accounts?
    As far as I know only about 50 million PS3s have been sold, some to upgraders / replacers / theft or fire insurance claims, so there's probably less than 50 million PS3 user accounts.
    The other 50 million or so accounts are ... ?

    • by Anonymous Coward
      Can't more than one person have an account on a single PS3?
    • by Mordermi (2432580)

      Just to note: Some people may have multiple accounts. I know people with 2+ PSN accounts.

      But it is also for two other divisions of their network, not just PSN.

    • by Sockatume (732728)

      During the hacking fiasco, the press was reporting that there were 100m PlayStation Network accounts, which covers both the PS3 and the PSP. That gives us a total of around 75m units. While many of the remaining 25m will be dummy accounts used to download items from the regional PSN stores (which was quite popular in the early days), I'm sure that the majority are simply friends, family members etc.

    • by scdeimos (632778)
      SOE does online PC games too, you know.
    • by msauve (701917)
      "Sony has over 93 million accounts?"

      Right on this page - Related Links - "77 Million Accounts Stolen From Playstation Network [slashdot.org]." And, as the summary says, this is about more than that - "PlayStation Network, Sony Entertainment Network, and Sony Online Entertainment."

      So, yes, 93 million accounts is reasonable, based solely on information found on the same page you posted to.
      • OK, 77 million accounts were stolen, and now 93 million accounts are left. Therefore, before the theft, there were 170 million accounts. Right? :-)

    • by diersing (679767)

      From the Sony Online Entertainment and Sony Entertainment Network?

      His blog post breaks them down as - (PSN/SEN: approximately 60,000 accounts; SOE: approximately 33,000)

    • by pnewhook (788591)
      Wow 50 million PS3s? Increase that by another 50% and it's getting close to the number of Blackberry subscribers...
      • by Hyppy (74366)

        Wow 50 million PS3s? Increase that by another 50% and it's getting close to the number of Blackberry subscribers...

        Which is, what, about 1.5% of cell phones?

        • by pnewhook (788591)
          Of all worldwide cellphones yes, but for smartphones they are #2 in the world, right behind Nokia (android), and ahead of Apple. Although why anyone wants to buy an Android and give their money to Microsoft is beyond me.
    • by Verunks (1000826)

      Sony has over 93 million accounts? As far as I know only about 50 million PS3s have been sold, some to upgraders / replacers / theft or fire insurance claims, so there's probably less than 50 million PS3 user accounts. The other 50 million or so accounts are ... ?

      I have 5 accounts myself; IIRC 2 European, 1 American, 1 Japanese, 1 Hong Kong. I bet others have more than one account too.

    • by xmousex (661995)

      I have 8 accounts, and 0 PS3s.

    • by Jeng (926980)

      Current and past SOE customers for games such as Everquest and Star Wars Galaxies.

    • As far as I know only about 50 million PS3s have been sold, some to upgraders / replacers / theft or fire insurance claims, so there's probably less than 50 million PS3 user accounts.

      As far as I know, PSN accounts are not tied to consoles, so why would upgraders / replacers / fire insurance claims have anything to do with this?

    • by Sir_Sri (199544)

      SOE (EQ, SWG, whatever that star wars adventure kids game is), the PSP, qirosity or however their marketing dipshit spelled it which is a mobile music service. Also, once you create an account it exists forever basically (I'm sure they *can* be deleted, but usually aren't).

      The PlayStation Network, and Sony's network services in general, are a whole lot bigger than just the PS3. There's a lot of overlap between PSP and PS3 owners probably, but the other services not necessarily. How many people played the

    • One for each parent, one for each kid. That way the trophies and such stay separate.

  • Ouch. That's not a particularly nice title to have these times...
  • 'less than one tenth of one percent'

    Which means ... how many accounts?
    Are you contacting the compromised account owners for assistance?

    • Which means ... how many accounts?

      Given that they suspended 93,000 accounts (see the first line of the summary), I'd expect that to be the number of compromised accounts.

  • "login information likely acquired from other sources was tested en masse on the networks."
    Acquired from other sources? Maybe from WineHQ? [slashdot.org]

  • Well, at least Sony made a decent catch. Perhaps for the first time in ten years.
    • by wiedzmin (1269816)
      Maybe. Except this wasn't really a hacking attempt... not even a brute-force password cracking attempt... more like an automated login script more or less. Wake me up when they catch an actual intrusion, through SQL injection or some perimeter vulnerability they may have. This here is a positive publicity stunt.
  • IIRC, Sony denied anything had been compromised *last time* too. It was only days later that they admitted the scale of the attack and how successful it had been.

  • ...news at 4:11

    "Now back to you, Bob"

  • ...It could be another PR stunt to make it look like they have the best security and tracking team on the planet.

    I'd like to hear from one of the 93,000 people whose accounts were suspended. I'd like to know that these are actual accounts with real people.

    • by Anonymous Coward

      I noticed that I couldn't log in to EQ2 last night, but there was a post in the forums [sony.com] about SOE taking things offline for maintenance at 8PM PST (normally they do it at 7am PST). Then, I got this email in the morning:

      We are writing to let you know that we have detected an unauthorized attempt to verify the validity of your Sony Online Entertainment ("SOE") Station Account name and password. We believe there was an attempt to use a scripted application of a large set of sign-in IDs and passwords against ou

    • by Sockatume (732728)

      You don't have to have "the best security and tracking team on the planet" to notice that someone's trying tens of thousands of usernames and passwords and failing. And it doesn't exactly scream competence when it turns out that user details your company failed to protect are now being actively used by fraudsters. It just compounds the original failure.

      • You don't have to have "the best security and tracking team on the planet" to notice that someone's trying tens of thousands of usernames and passwords and failing.

        I didn't say that they ARE the best team. I said "PR stunt" which is targeted at the unknowing, not the most knowledgeable receiver.

        And it doesn't exactly scream competence when it turns out that user details your company failed to protect are now being actively used by fraudsters. It just compounds the original failure.

        I also mentioned the possibility that these users don't exist. "PR STUNT" - italicized and capped. I don't know how to make what I said more clear.

        If you're one of the users of a company that releases that kind of information, and you aren't one of the "affected" people, it increases your feeling of safety and security. Simple logic, simple stunt. While they're at it, they

  • by sgt scrub (869860) <saintium.yahoo@com> on Wednesday October 12, 2011 @09:04AM (#37689674)

    Sounds like the attack was successful to me.

    • Does SOE enforce password complexity requirements? If not, I'm guessing all these vulnerable accounts were using easy-to-guess passwords.

      • by sgt scrub (869860)

        I don't know. I assume not. Enforcing complex passwords, IMHO, would be better than shutting down thousands of user accounts. Are people connecting to their Sony account and receiving the following message, "We are sorry. Your password sucked. Your account has been disabled. Please go fuck yourself. --Sony"?

        • by Rob Kaper (5960)

          Assuming the compromised database had proper hashing with per-user salts, you are right. In any other case, the vulnerability here was the third-party storage and not the password strength. (On top of password re-use, of course).

    • by Solandri (704621)
      If this is what I think it is, then the accounts DoSed themselves. Most people use the same username and password on different accounts. The spate of "hacked" gaming accounts I've read about recently were mostly due to people signing up for a gaming site or gold-buying site. That site gets hacked or sells its username/password list to thieves, who then try the same usernames/passwords to log in to various games.

      If Sony detects this sort of login behavior (multiple failed login attempts to many differen
      • by sgt scrub (869860)

        If Sony detects this sort of login behavior (multiple failed login attempts to many different accounts coming from the same IP), the correct response is to lock the account

        This is essentially a vector for denial of service. Set up a brute-force attack from a throwaway IP address with one user:pass. Attack 2, then 3, then 4, then 5... accounts until you hit the sweet spot. Then whenever you wish to DoS Sony user accounts, you hit Sony with a brute-force attack above the known number of accounts. Or equally
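Solandri's detection point (many failed logins against many different accounts from one source) and sgt scrub's reply (locking the targeted accounts hands the attacker a denial-of-service lever) can both be shown in code. The block below is an added example written for this page, not code from Sony or from either commenter; the log lines, addresses, account names and thresholds are all constructed. It runs the same constructed log through a naive per-account lockout and through a per-source throttle that only flags, for a password reset, the accounts the spraying source actually logged in to.

```python
"""Credential-stuffing detection over a stream of constructed login events.

Two response policies are compared on the same log:
  * per-account lockout: lock an account after N failures, whoever caused them
    (the policy the thread notes can be turned into a denial of service);
  * per-source throttling: throttle the source that sprays many distinct
    accounts, and flag for reset only the accounts it verified (logged in to).
Every log line, address, account name and threshold here is made up.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60           # sliding window per source address (assumed value)
DISTINCT_ACCOUNTS_LIMIT = 5   # distinct accounts from one source in the window
ACCOUNT_FAIL_LIMIT = 3        # failures before the naive policy locks an account

# Constructed sample: "<seconds> <source_ip> <account> <FAIL|OK>".
# 203.0.113.7 sprays seven accounts (one succeeds: dave) and keeps hitting
# carol; carol and bob then log in normally from their own addresses.
SAMPLE_LOG = [
    "0 203.0.113.7 alice FAIL",
    "1 203.0.113.7 bob FAIL",
    "2 203.0.113.7 carol FAIL",
    "3 203.0.113.7 dave OK",
    "4 203.0.113.7 erin FAIL",
    "5 203.0.113.7 frank FAIL",
    "6 203.0.113.7 carol FAIL",
    "7 203.0.113.7 carol FAIL",
    "10 198.51.100.20 carol OK",
    "20 198.51.100.30 bob FAIL",
    "21 198.51.100.30 bob OK",
]


def parse_line(line):
    """Split one constructed log line into (timestamp, source, account, outcome)."""
    ts, src, account, outcome = line.split()
    return int(ts), src, account, outcome


def per_account_lockout(lines, fail_limit=ACCOUNT_FAIL_LIMIT):
    """Naive policy: lock any account after fail_limit failures, regardless of source.

    Returns the set of locked accounts. A single remote source can push any
    account it names over the limit, which is the DoS lever the thread describes.
    """
    failures = defaultdict(int)
    locked = set()
    for line in lines:
        _, _, account, outcome = parse_line(line)
        if outcome == "FAIL":
            failures[account] += 1
            if failures[account] >= fail_limit:
                locked.add(account)
    return locked


def per_source_throttle(lines, window=WINDOW_SECONDS, limit=DISTINCT_ACCOUNTS_LIMIT):
    """Source-based policy.

    Returns (throttled_sources, accounts_needing_reset). A source is throttled
    once it has tried more than `limit` distinct accounts inside `window`
    seconds. An account is flagged for reset only when a throttled source
    logged in to it successfully, i.e. its password has been confirmed valid
    to the attacker; accounts that merely received failures stay usable.
    """
    recent = defaultdict(deque)          # src -> deque of (ts, account) in window
    successes_by_source = defaultdict(set)
    throttled = set()
    for line in lines:
        ts, src, account, outcome = parse_line(line)
        q = recent[src]
        q.append((ts, account))
        while q and ts - q[0][0] > window:   # drop events outside the window
            q.popleft()
        if outcome == "OK":
            successes_by_source[src].add(account)
        if len({acct for _, acct in q}) > limit:
            throttled.add(src)
    needs_reset = set()
    for src in throttled:
        needs_reset |= successes_by_source[src]
    return throttled, needs_reset


if __name__ == "__main__":
    print("per-account lockout locks:", sorted(per_account_lockout(SAMPLE_LOG)))
    sources, resets = per_source_throttle(SAMPLE_LOG)
    print("per-source throttle blocks:", sorted(sources))
    print("accounts needing a reset:", sorted(resets))
```

On this constructed log the naive policy locks carol, who never had her password guessed, purely because the attacker named her three times; the source-based policy blocks 203.0.113.7 and flags only dave, the one account the spray actually verified, while carol's and bob's own logins go through untouched.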

  • by sangreal66 (740295) on Wednesday October 12, 2011 @10:16AM (#37690736)

    The summary states that there were 93,000 login attempts and that a small number of the attempts were successful. This is false. There was an undisclosed number of attempts, and 93,000 accounts were successfully compromised. From Sony's own statement:

    There were approximately 93,000 accounts globally (PSN/SEN: approximately 60,000 accounts; SOE: approximately 33,000) where the attempts succeeded in verifying those accounts’ valid sign-in IDs and passwords, and we have temporarily locked these accounts.

  • 93,000 compromised accounts. If they can tell that an account was compromised vs. a legitimate use, that means there was something unique to these logins. For the sake of argument, let's just say it was a browser-agent. Let's also make some baseline assumptions:
    - Let's say that the 93,000 accounts only make up 10% of the total scope of the attack. 930,000 accounts hit, or 1% of the account-base (according to Sony).
    - Let's say that only 1 attempt was ever made per account (the most difficult scenario to de
