

Hackers Claim to Have 2.2 mil PlayStation Users’ Card Data - ChrisArchitect
http://bits.blogs.nytimes.com/2011/04/28/hackers-claim-to-have-playstation-users-card-data/

======
marshray
Anyone else find it a little surreal when the New York Times is reporting "...
and we called this hacker guy, and he hangs out on IRC with these other hacker
dudes, and one of em was saying, like, 'yeah they totally DLed the shit outta
that database with 2.2M CCs' ..." ?

------
joshklein
This comment struck me as strange:

“Sony is saying the credit cards were encrypted, but we are hearing that the
hackers made it into the main database, which would have given them access to
everything, including credit card numbers,” said Mathew Solnik, a security
consultant with iSEC Partners who frequents hacker forums to track new hacks
and vulnerabilities that could affect his clients.

I am by no means a security expert (let alone novice) - though I know what
words like "salt" and "hash" mean - and this seems to my layman ears like a
gross distortion of the threat. If their encryption was approached properly,
Mr. Solnik's comment makes no sense at all; don't the crackers just have a
huge database of gobbledygook (assuming Sony approached their encryption
intelligently)?

This is not a rhetorical comment - I would be interested to hear from our
resident HN security gurus on the actual threat to Sony customers.

~~~
mcav
I'm no expert, but Sony must be able to decrypt the card information in order
to use it to process payments. So even if the card numbers were encrypted,
it's possible hackers could obtain the passkey for decrypting the data, if it
was also stored on a compromised server. (Generally speaking. I don't know
what happened here.)

------
rkalla
Another link talking about the story, with screenshots from some discussions
online:
[http://www.neowin.net/news/psn-database-with-22-million-cred...](http://www.neowin.net/news/psn-database-with-22-million-credit-card-details-up-for-sale)

------
gfodor
$1 on each credit card. Just like they did in Superman 3.

------
mishmash
That 2.2mil number is most certainly only a small subset. 77 million total
accounts, but only 2.2 attached to a card?

Doesn't sound right to me.

~~~
lawnchair_larry
PSN was free, so most wouldn't have cards attached. The 77 million figure will
also be inflated because a lot of people had multiple accounts. 2.2M doesn't
seem too unreasonable.

------
rkon
According to the Ponemon Institute's study last year, the average cost of a
data breach that results from a criminal attack is $318 per compromised
record. Even if we only count the 2.2 million credit card numbers supposedly
stolen, that's ~$700 million. And Sony has already lost over $10 million in
revenue due to the outage.

All the articles circulating recently have counted all 77 million PSN user
accounts in their calculations of the breach's cost, which comes out to $24
_billion_... lol

------
vidiviciveni
If anyone is interested in some of the background of what happened:

"The Sony PS3 console was hacked, or more appropriately "jailbroken", by
iPhone hacker, Geohot. He managed to reverse engineer his own PlayStation 3 to
run homebrew applications on it. He then later released the method to the
public through his site, geohot.com. Sony responded with a lawsuit and
demanded social media sites, including YouTube,[citation needed] to hand over
IP addresses of people who visited Geohot's social pages and videos.

PayPal has granted Sony access to Geohot's PayPal account,[citation needed]
and the judge of the case granted Sony permission to view the IP addresses of
everyone who visited geohot.com."

<http://en.wikipedia.org/wiki/George_Hotz#Sony_lawsuit>

~~~
eitland
I definitely think these two cases are related, however I haven't seen any
hard evidence yet. Have I missed something?

~~~
th0ma5
No, I don't think you missed anything, I haven't seen any evidence. In
thinking it through, you may not be considering a case where Sony had _all
kinds_ of problems, and these things both happened independently.

