Sony Protects 93,000 Users From Password Attacks

Sony locked out 93,000 users on the Playstation Network, Sony Entertain Network and Sony Online Entertainment services after detecting mass log-in attempts into individual accounts.

Attackers attempted to use a list of username and password combinations obtained from an unknown source to try to access PSN, SEN and SOE accounts, Philip Reitinger, Sony’s new chief information security officer, said in a statement posted on the PlayStation Blog. The attack affected less than a tenth of a percent of all PSN, SEN, and SOE users and the majority of the log-in attempts failed, according to the statement.

Max Pain For Users

Sony locked 93,000 accounts because the attackers managed to successfully login to those accounts. The breakdown was approximately 60,000 PSN and SEN and 33,000 SOE accounts and the attempts occurred between 7 October and 10 October, according to Reitinger. Only a “small fraction” of those compromised accounts had any activity before Sony managed to lock them down, he said.

“We are currently reviewing those accounts for unauthorised access, and will provide more updates as we have them,” said Reitinger, adding that even if the users had credit card numbers associated with the account, they were not at risk. The company will work with users who report unauthorised purchases made through the account.

A “large amount of data” obtained from one or more compromised user lists obtained from other companies, sites or sources were used in the attack, according to Reitinger. The fact that the “overwhelming majority” of login attempts failed was an indicator that the list came from an external source and not Sony, he said.

Considering the number of username and password information that has been dumped this year alone, there are a lot of lists available for criminals looking for them. Analysis on password information stolen and leaked from sites like Gawker has shown that password-reuse is rampant and a big security issue for online services.

Attackers are simply working on the assumption that people typically use and reuse the same account names and passwords across multiple personal online accounts, according to Geoff Webb, senior product marketing manager at Credant Technologies. Considering that Sony had to lock down 93,000, it appears that it “was a good assumption to make”, Webb told eWEEK.

No Fair Play For Sony

Even though Sony has clearly reacted quickly to stop this potential breach, users may simply see the incident as yet another Sony problem without stopping to consider who may be to blame, Webb said. “That makes it a no-win situation for Sony,” he added.

Sony has reached out to affected users to prompt them to reset their password, according to Reitinger, who reminded users never to select a username-password combination that is associated with other online services of sites.

“We encourage you to choose unique, hard-to-guess passwords and always look for unusual activity in your account,” Reitinger said.

In April, unknown attackers breached Sony’s Qriocity video and music service, PlayStation Network and Sony Online Entertainment and stole information from over 100 million accounts. The company shut down the services for over a month and a half in order to rebuild the systems and came under fierce criticism for security gaps, such as not having a CISO or running updated software on the servers. Smaller attack groups also capitalised on Sony’s woes, attacking and dumping data from other Sony properties in May.

As more and more content and services move online, so the number of digital identities consumers need to manage keeps growing, but identity management has not kept up, according to Webb. The industry still relies on a username and a password, a “paradigm created in the 1950s”, which is a “terrible way to authenticating”, Webb said.

“We’re stuck with it because, for now at least, it’s cheap and well understood by users and developers,” said Webb.