Sony PlayStation network down, hacked

The PlayStation Network (PSN) remains down after hackers broke into the network stealing user data from up to 77 million accounts.

In the early hours of April 26, Sony posted a press release on the Australian PlayStation website announcing that PlayStation Network (PSN) and Qriocity service user account information was compromised by an “external intrusion” into the Sony PlayStation network between April 17 and April 19, 2011.

Users of the network were already well aware of an outage which had affected access to the PSN over the Easter break, only days after the release of a number of title updates. Understandably, regular gamers were furious.

The PlayStation Network is an overlay chat network which allows gamers to communicate with each other, as well as access new downloads and share user-generated media, such as recorded sessions. Qriocity offers subscribers on-demand music and movies over the Internet. Gamers rely on the PSN to communicate tactics during game play and to receive updates, so its unavailability significantly reduces effective game play.

These services have been unavailable since April 20 for all countries.

In the press release, which appears as the top news item on the website, Sony have provided a timeline and listed the actions they are taking to resolve the issues. For the time being it appears that Sony are still unsure of exactly what data was compromised. A number of media outlets, the Twittersphere and comments on Facebook have been damning of the length of time the network has been down.

“We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorised intrusion into our network. In response to this intrusion, we have:

  1. Temporarily turned off PlayStation Network and Qriocity services;
  2. Engaged an outside, recognised security firm to conduct a full and complete investigation into what happened; and
  3. Quickly taken steps to enhance security and strengthen our network infrastructure by re-building our system to provide you with greater protection of your personal information.”

Sony have also provided a FAQ for users with more specific questions, and claim to have been proactively contacting users who Sony believe have had their personal details compromised. There are between 70 and 77 million registered PSN users.

“We are sending out e-mails directly to these users to their e-mail address registered on the PS Network accounts. Also, we have posted web notices, and additional necessary procedures have been followed by each region,” Sony continued.

Subscribers in Australia with further questions are encouraged to contact Sony on 1300 365 911, and a number of gaming forums have seen hundreds of posts since the PSN was taken offline. While investigations continue and the network remains down, Sony believes there is no evidence that credit card data was taken but refused to rule out the possibility that financial data was compromised.

But late Wednesday afternoon, users on an Australian gamer forum weren’t so sure. Several posts made claims of fraudulent credit card activity.

Local banks have advised customers who suspect their credit card details have been compromised to contact the bank immediately. Sony also made reference to, a website created by the Australian government to help educate the public about scams.

Sony are very aware that outages which affect large numbers of users become an immediate target for scammers and identity thieves unrelated to the initial compromise. “Sony will not contact you in any way, including by email, asking for your credit card number, social security, tax identification or similar number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking.”

At the time of writing, none of the major security vendors had reported spam or malware attacks specifically targeting Sony PlayStation users.
