Wednesday, October 12, 2011

Sony warns of PSN / SEN / SOE hacking attempt, but it's all good

After a huge uproar when its systems were hacked in late April, Sony has apparently learned from its mistakes. Yes, you've got it right: they've been hacked again.

Or at least, hackers attempted to compromise the PlayStation Network again. According to Sony, attackers were detected attempting to log in using a "massive set" of user account credentials that the company believes was acquired elsewhere. That fits the evidence: the vast majority of the attempted logins failed, which is exactly what you would expect when a credential list stolen from one service is replayed against another.

It also makes sense that some of them succeeded. Those users were reusing the same credentials on several, or more likely all, of the sites they log into, a practice that is rightly criticised and still far more common than it should be.

In a note to PlayStation Network members, Sony's chief information security officer Philip Reitinger wrote of the attempts, saying several had been detected on the Sony Entertainment Network, the PlayStation Network and Sony Online Entertainment.

It must feel like a welcome breath of fresh air to Sony customers. The reason Sony was in such hot water in April is that the company waited quite some time before alerting its customers to the data breach of its systems, which included a leak of credit card information for some users.

Less than one tenth of one percent of the PSN, SEN and SOE audience might have been affected, amounting to approximately 93,000 accounts globally where the attempts succeeded (PSN/SEN: approximately 60,000 accounts; SOE: approximately 33,000).

To mitigate the risk this is what Sony said it did (in a blog post):

"As a preventative measure, we are requiring secure password resets for those PSN/SEN accounts that had both a sign-in ID and password match through this attempt. If you are in the small group of PSN/SEN users who may have been affected, you will receive an email from us at the address associated with your account that will prompt you to reset your password.

"Similarly, the SOE accounts that were matched have been temporarily turned off. If you are among the small group of affected SOE customers, you will receive an email from us at the address associated with your account that will advise you on next steps in order to validate your account credentials and have your account turned back on."
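The pattern Sony describes, a massive set of credentials replayed against many accounts with only a small fraction matching, is what a credential-stuffing attack looks like in the authentication logs, and the response quoted above (force a reset on exactly the accounts where the pair matched) follows directly from the same data. The following is an added example, not Sony's code and not described anywhere in the post: it triages a constructed auth log, separates stuffing from ordinary brute force and from a legitimate user's typo, and returns the accounts that need a forced password reset. The log format, the source addresses and the thresholds are all assumptions for the illustration.

```python
"""Credential-stuffing triage over a constructed authentication log.

Added example, not Sony's code.  Assumed log line format:
    <iso-timestamp> <source-ip> <account> OK|FAIL
Thresholds are assumptions, not values from the post.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample data: one stuffing source, one brute-force source, one real user."""
    base = datetime(2011, 10, 11, 2, 0, 0)
    lines = []
    # Stuffing source: 40 attempts against 40 different accounts, 2 hits
    # (the two users who reused a password leaked elsewhere).
    for i in range(40):
        result = "OK" if i in (7, 23) else "FAIL"
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 203.0.113.7 user{i:03d} {result}")
    # Brute force: 30 attempts against a single account, no hits.
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 198.51.100.9 admin FAIL")
    # Legitimate user who mistyped once and then got in.
    lines.append(f"{(base + timedelta(minutes=5)).isoformat()} 192.0.2.44 alice FAIL")
    lines.append(f"{(base + timedelta(minutes=5, seconds=9)).isoformat()} 192.0.2.44 alice OK")
    return lines


def parse_line(line):
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result == "OK"


def triage(lines, window=timedelta(minutes=10), min_attempts=20,
           min_distinct_ratio=0.8, max_success_rate=0.10):
    """Classify login activity per source IP inside a sliding time window.

    Credential stuffing: many attempts, almost every one against a different
    account, and a low but usually non-zero success rate (the password reusers).
    Brute force against one account fails the distinct-account test; a real
    user never reaches min_attempts.

    Returns (flagged_sources, accounts_to_reset): stats per flagged IP, and the
    sorted list of accounts where the replayed pair actually matched.
    """
    per_ip = defaultdict(list)
    for line in lines:
        ts, ip, account, ok = parse_line(line)
        per_ip[ip].append((ts, account, ok))

    flagged = {}
    to_reset = set()
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward so the chunk spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            attempts = len(chunk)
            if attempts < min_attempts:
                continue
            distinct = len({account for _, account, _ in chunk})
            hits = [account for _, account, ok in chunk if ok]
            if (distinct / attempts >= min_distinct_ratio
                    and len(hits) / attempts <= max_success_rate):
                # Later windows overwrite earlier ones, so the stats reflect
                # the largest burst seen from this source.
                flagged[ip] = {"attempts": attempts,
                               "distinct_accounts": distinct,
                               "hits": len(hits)}
                to_reset.update(hits)
    return flagged, sorted(to_reset)


if __name__ == "__main__":
    sources, reset_list = triage(build_sample_log())
    for ip, stats in sources.items():
        print(f"stuffing from {ip}: {stats}")
    print("force password reset for:", reset_list)
```

The legitimate user and the single-account brute force are both left alone; only the source that sprayed many distinct accounts is flagged, and only the accounts where its attempt returned OK go on the reset list. In practice the source key would need to be broader than one IP, since a stuffing run is usually spread across a botnet, and the thresholds would be tuned against a baseline of normal failure rates rather than fixed as they are here.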

Sony also took the time to remind users about choosing "strong" passwords and about using a username / password combination that differs from site to site and service to service.

Given their quick response this time, the comments below the blog post were 180 degrees opposed to the ones from April. Most applauded Sony's openness, its quick response and the speed with which it alerted end users to the situation.

And for once, it seems the issue was not so much a Sony vulnerability as a user vulnerability: using the same credentials in more than one location. Of course, there's also the fact that the user credentials were obtained somewhere else, and where that was is still a mystery.
