113w ago - Today Sony's SVP and PSN Chief Information Security Officer Philip Reitinger has issued an official warning that PlayStation Network security appears to once again be breached.
To quote: We want to let you know that we have detected attempts on Sony Entertainment Network, PlayStation Network and Sony Online Entertainment ("Networks") services to test a massive set of sign-in IDs and passwords against our network database.
These attempts appear to include a large amount of data obtained from one or more compromised lists from other companies, sites or other sources.
In this case, given that the data tested against our network consisted of sign-in ID-password pairs, and that the overwhelming majority of the pairs resulted in failed matching attempts, it is likely the data came from another source and not from our Networks. We have taken steps to mitigate the activity.
Less than one tenth of one percent (0.1%) of our PSN, SEN and SOE audience may have been affected. There were approximately 93,000 accounts globally (PSN/SEN: approximately 60,000 accounts; SOE: approximately 33,000) where the attempts succeeded in verifying those accounts' valid sign-in IDs and passwords, and we have temporarily locked these accounts.
Only a small fraction of these 93,000 accounts showed additional activity prior to being locked. We are currently reviewing those accounts for unauthorized access, and will provide more updates as we have them. Please note, if you have a credit card associated with your account, your credit card number is not at risk.
We will work with any users whom we confirm have had unauthorized purchases made to restore amounts in the PSN/SEN or SOE wallet.
As a preventative measure, we are requiring secure password resets for those PSN/SEN accounts that had both a sign-in ID and password match through this attempt. If you are in the small group of PSN/SEN users who may have been affected, you will receive an email from us at the address associated with your account that will prompt you to reset your password.
Similarly, the SOE accounts that were matched have been temporarily turned off. If you are among the small group of affected SOE customers, you will receive an email from us at the address associated with your account that will advise you on next steps in order to validate your account credentials and have your account turned back on.
We want to take this opportunity to remind our consumers about the increasingly common threat of fraudulent activity online, as well as the importance of having a strong password and having a username/password combination that is not associated with other online services or sites.
We encourage you to choose unique, hard-to-guess passwords and always look for unusual activity in your account.
Update: Another report has recently surfaced that Sony's servers were compromised by NullCrew, however, it appears to be false as Sony Tweeted the following reply: We can confirm that the recent claim that PSN was illegally hacked & that customer PWs and email addresses were accessed is completely false.
Sony PlayStation hacker wololo also posted the following (via wololo.net/2012/09/04/sony-hacked-again/) on the Sony Mobile site issue, to quote: Sony hacked, again?
Two days ago, hacking group "NullCrew" announced on their twitter (twitter.com/OfficialNull/status/242497617630744576) that they have hacked into Sony's owned website sonymobile.com, and that they have gained control of a total of 8 servers operated by Sony. The initial announcement by NullCrew, "Interested in buying database access for one of Sony's sites?
Email me:..."was quickly followed by a "Sony hacked" message as well as a link to a pastebin (pastebin.com/GiXgB6aT) showing what the hackers say are a series of usernames and passwords stored in the sonymobile platform.
The information has been relayed by enough trusted people that this does not seem to be a fake (unlike some similar announcement made a few weeks ago), however the reasons behind the hack are quite unclear. Hacking group Nullcrew were involved in several hacking operations related to the arrest of one of the PirateBay's admins recently, but the Sony hack does not really seem related. Rather, the hackers seemed to imply that this is just some form of punishment because of Sony's lack of concern for the security of their servers. Quoting:
"Sony, we are dearly dissapointed in your security. This is just one of eight sony servers that we hve control of. Maybe, just maybe considering IP addresses are avaliable. Maybe, just maybe it's the fact that not even your customers can trust you. Or maybe, just maybe the fact that you can not do anything correct technologically."
It is not really surprising that Sony is the target of many hackers. Not only, as a global engineering company, are they a "high class" target, they also made lots of enemies a year and a half ago, when they decided to sue George Hotz for his jailbreak of the PS3. That led to them being massively hacked last year, leaking private information about millions of their customers.
What's surprising, on the other hand, is that they still have heavily vulnerable websites lying around (according to some of NullCrew's members, the hack was not "that difficult"), despite the bad hack that happened last year. In a way, it seems to be the main reason these hackers went after Sony, to show publicly that this company does not seem to care at all about their customers' privacy, even after being so dramatically reminded of the importance of securing their systems, last year.
Stay tuned for more PS3 Hacks and PS3 CFW news, follow us on Twitter and be sure to drop by the PS3 Hacks and PS3 Custom Firmware Forums for the latest PlayStation 3 scene updates and homebrew releases!
Problem with that is someone would have to input the wrong User/Pass combo x amount of times when in reality, this is more likely an old list of User/Pass (one Username with an associated Password) attempted, and the successful ones logged for retry with the failed ones binned as unsuccessful.
You're proposal is assuming several attempts are being made on a single account when actually multiple accounts are being attacked once and after a success or fail, forgotten.