Sony Reports Massive Hack Attempt On Networks: 93,000 Accounts Affected Globally - ssclafani
http://blog.us.playstation.com/2011/10/11/an-important-message-from-sonys-chief-information-security-officer/

======
JoachimSchipper
Apparently Sony doesn't really rate-limit logins (say, per IP), leaving their
customers open to password bruteforce attempts. One would hope - but, sadly,
not expect - that they would learn...

~~~
mootothemax
_Apparently Sony doesn't really rate-limit logins (say, per IP), leaving their
customers open to password bruteforce attempts_

I'd love to know from someone in the business whether bruteforce attempts like
this typically come from a single IP, multiple IPs or a unique IP per account
break-in attempt. If it's anything but the latter, one would really hope a
company as high-profile and as targeted as Sony would be checking more
thoroughly for this kind of stuff.

~~~
lawnchair_larry
It's usually the same IP brute forcing the same or multiple accounts, but
there is no reason that it has to be. It is uncommon to have many hosts brute
forcing a single login.

------
haasted
_These attempts appear to include a large amount of data obtained from one or
more compromised lists from other companies, sites or other sources._

Any guesses as to where the original list of usernames and passwords may have
come from?

~~~
brador
I'd guess a forum hack. Most users use the same password and it's mostly kids
who couldn't care less about password security.

~~~
phsr
I think the parent post is referring to the various Sony hacks that occurred
earlier this year.

~~~
brador
True, my mistake, sorry.

------
daimyoyo
I think the lesson here is twofold: Sony either doesn't get or doesn't care
about user security. And they aren't interested in securing their network
against even the simplest of hacking attempts. I deleted my PSN account long
ago and I recommend anyone still on the network to leave. Sony will continue
to be hacked for the next decade, and while that's unfortunate, it shows
what's important to them. Bottom line: Sony does not care about you enough to
secure their data against hackers. At all. Act accordingly.

~~~
phsr
I think you read the article wrong. Sony is stating that they detected a large
number of sign-in attempts, of which many failed, but 93,000 succeeded. The
attempts were made using the data (they assume) obtained from the prior hacks
on the various Sony sites. This is not a new breach, but a follow-through with
the data from prior breaches, probably due to the affected users not updating
their credentials from the prior hack.

One issue that JoachimSchipper points out [1] is that Sony probably isn't rate
limiting, or throttling, login attempts, which _is_ a security issue, as it
opens up the possibility of brute force attacks.

[1] <http://news.ycombinator.com/item?id=3102489>
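
One way to do the per-IP throttling JoachimSchipper asks for and to flag the kind of credential replay phsr describes (many sign-in attempts from one source, most failing, a few succeeding), as an added example that is not from this thread or from Sony. The log format, addresses and thresholds are assumptions; the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample auth log (format and addresses are assumptions, not Sony's).
SAMPLE_LOG = """\
2011-10-11T03:00:01Z ip=198.51.100.7 user=alice result=FAIL
2011-10-11T03:00:02Z ip=198.51.100.7 user=bob result=FAIL
2011-10-11T03:00:03Z ip=198.51.100.7 user=carol result=OK
2011-10-11T03:00:04Z ip=198.51.100.7 user=dave result=FAIL
2011-10-11T03:00:05Z ip=198.51.100.7 user=erin result=FAIL
2011-10-11T03:00:06Z ip=198.51.100.7 user=frank result=OK
2011-10-11T03:00:07Z ip=198.51.100.7 user=gina result=FAIL
2011-10-11T03:01:00Z ip=203.0.113.5 user=alice result=FAIL
2011-10-11T03:01:10Z ip=203.0.113.5 user=alice result=FAIL
2011-10-11T03:01:20Z ip=203.0.113.5 user=alice result=OK
2011-10-11T03:02:00Z ip=192.0.2.9 user=bob result=OK
"""

LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(OK|FAIL)")

def parse(log_text):
    """Return (ip, user, succeeded) tuples for every parseable line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3) == "OK"))
    return events

def analyze(events, max_failures_per_ip=5, min_accounts_per_ip=3):
    """Per-IP counters drive two defensive decisions:
    - throttle: an IP with too many failures gets rate-limited;
    - stuffing: one IP cycling through many accounts with mostly failures
      looks like replay of a leaked credential list, so the accounts that
      *did* succeed from it are queued for lock-and-reset."""
    per_ip = defaultdict(lambda: {"fail": 0, "ok": 0, "users": set()})
    for ip, user, ok in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["ok" if ok else "fail"] += 1
    throttle = sorted(ip for ip, s in per_ip.items() if s["fail"] >= max_failures_per_ip)
    stuffing = sorted(ip for ip, s in per_ip.items()
                      if len(s["users"]) >= min_accounts_per_ip and s["fail"] > s["ok"])
    suspect = set(stuffing)
    lock = sorted({user for ip, user, ok in events if ok and ip in suspect})
    return {"throttle": throttle, "stuffing": stuffing, "lock_accounts": lock}

if __name__ == "__main__":
    print(analyze(parse(SAMPLE_LOG)))
```

The legitimate user at 203.0.113.5 who mistypes twice stays under the failure threshold and is neither throttled nor treated as a stuffing source.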

~~~
tibbon
Maybe this doesn't work on something the scale of Sony, but if I detected a
breach, I'd identify all affected users, and automatically force change of all
their passwords (Google does this), making old authentication data stale.

~~~
elliottcarlson
After the prior breach everyone had to update their password. The real question
is if checks were in place to prevent reusing old passwords.
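
The forced reset tibbon describes and the reuse check elliottcarlson asks about, as an added example that is not from this thread or from Sony's systems. The in-memory store, history depth and PBKDF2 work factor are assumptions.

```python
import hashlib
import hmac
import os
from collections import deque

HISTORY_DEPTH = 5        # previous hashes kept per account (assumption)
PBKDF2_ROUNDS = 100_000  # illustrative work factor

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class AccountStore:
    """In-memory account store with a password history and a forced-reset flag."""
    def __init__(self):
        self.accounts = {}

    def create(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = {"salt": salt, "hash": _hash(password, salt),
                               "history": deque(maxlen=HISTORY_DEPTH),
                               "must_reset": False}

    def _reused(self, acct, password):
        # Check the candidate against the current hash and every retained old one,
        # each with the salt it was originally hashed under.
        candidates = [(acct["salt"], acct["hash"])] + list(acct["history"])
        return any(hmac.compare_digest(_hash(password, s), h) for s, h in candidates)

    def change_password(self, user, new_password):
        acct = self.accounts[user]
        if self._reused(acct, new_password):
            return False              # old (possibly leaked) password rejected
        acct["history"].append((acct["salt"], acct["hash"]))
        acct["salt"] = os.urandom(16)
        acct["hash"] = _hash(new_password, acct["salt"])
        acct["must_reset"] = False    # reset obligation satisfied
        return True

    def force_reset(self, users):
        """Mark accounts as requiring a new password; old credentials go stale."""
        for user in users:
            if user in self.accounts:
                self.accounts[user]["must_reset"] = True

    def login(self, user, password):
        acct = self.accounts.get(user)
        if acct is None or acct["must_reset"]:
            return False              # stale credentials refused until reset
        return hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"])
```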

~~~
cube13
I haven't had a chance to change my password yet. The website that allowed you
to do so had some security issue that forced it to be taken down.

Thankfully, I originally used a throwaway password and don't have a valid
credit card on that account anymore, so I honestly don't care at this point
what happens to it.

------
rkalla
Sony seems to be learning its lesson... it disclosed the hack attempts, locked
the accounts and is looking into securing the login system further as a
result of this.

As an aside, I would point out that XBL hack reports (with purchased/stolen
points) have been running rampant for the last year[4], with Microsoft working
hard to bury the reports. One of the editors at VE3D was hit by it and had a
few thousand Points purchased against their account.

There have been on-again/off-again rumors that the iTunes store has been
compromised for the last year with people reporting apps purchased against
their accounts and Apple saying that no hack has occurred (oddly enough this
all took place after the iTunes store ratings shenanigans in 2010[1][2]).

As a customer I'd rather places disclosed hack attempts to me and what they
were doing to combat it than cover it up, deny it, say it never happens and
everything is safe and then wait for the other shoe to drop.

This reminds me of the LastPass announcement[3] when they detected an
_irregularity_ in the form of a few extra bytes transferred from a source to
destination server where the bytes that arrived were less than were sent, so
they went to defcon3, posted the issue on the blog and set forth on
rebuilding and locking the systems down without ever actually _confirming_ a
hack... just being safe.

There were a fair share of people irate at the news; I wonder how much of it
was anger at the team (you couldn't really claim they didn't know what they
were doing) or just anger at the fact that something they had set-and-
forgotten was now suddenly something they had to worry about.

No one ever wants to hear the bad news, but bad news delivered alongside "how
we are fixing it" is always a good way to tell if your data is in good hands.

[1] <http://www.engadget.com/2010/07/04/inexplicable-rise-in-iphone-devs-app-store-sales-connected-to-i/>

[2] <http://www.thebuzzmedia.com/itunes-app-store-hacked-again-user-credit-card-data-stolen/>

[3] <http://blog.lastpass.com/2011/05/lastpass-security-notification.html>

[4] <http://www.joystiq.com/2011/06/17/report-lulzsec-hacking-group-releases-xbox-live-facebook-login/>