A series of network intrusions has crippled the online services of a worldwide video gaming giant and exposed sensitive information about millions of the corporation's user accounts.
Over a period of four days in April, Sony Corporation (NYSE, TSE) was the victim of at least two network intrusions that exposed over 100 million user accounts to malicious activity.
Between April 16 and 17, Sony Online Entertainment, Sony's MMORPG publishing arm and the operator of the venerable Everquest series as well as several other online games, experienced a network attack that compromised an estimated 24.6 million SOE user accounts.
This attack was followed by a similar attack on Sony's Playstation Network and Qriocity services sometime between April 17 and 19. During this intrusion, attackers gained access to an estimated 70 million PSN user accounts.
Sony was reportedly unaware of either attack until April 20, when Sony brought down the Playstation Network to address "maintenance" issues. On April 22, Sony admitted via an update on the Playstation blog that the extended PSN downtime was due to security concerns following an external intrusion.
A second update on April 26 released details about the attack, including the first confirmation by Sony that user account data had been compromised.
Sony maintained further silence on the issue until a May 1 press conference, during which Sony revealed that a known but uncorrected vulnerability existed within Sony's network infrastructure that allowed malicious access to Playstation Network and Qriocity accounts. Sony reportedly remained unaware of the Sony Online Entertainment attack until May 1, three days after an April 28 statement in which Sony maintained that SOE user data, which is kept separate from PSN user data, was not compromised by the PSN attack and remained secure.
After bringing down Sony Online Entertainment services on the morning of May 2, Sony released a statement confirming some details of the SOE attack and assuring SOE users that no credit or debit account information was compromised beyond a 2007 database of approximately 12,700 non-US customer credit and debit card numbers and expiration dates and approximately 10,700 further European bank account numbers. Sony has not yet revealed details regarding the vector of the SOE attack.
Data exposed to hackers by the attacks includes accountholder names, addresses, email addresses associated with the accounts, and account passwords. Additionally, Sony reports that an estimated 23,400 bank and credit card accounts were compromised by the SOE attack, and up to 10 million credit card accounts were possibly compromised by the PSN attack.
The identity of the Sony hackers currently remains unknown, as does whether the two intrusions are related. Noted guerilla cyber-activists Anonymous have reportedly denied any official involvement in the Sony attacks.
Current and former Playstation Network and Sony Online Entertainment users who used a credit or debit account to pay for Sony online services are advised to immediately contact their card issuer and request that a card with a new account number be issued in their name. Additionally, users are advised to immediately change the passwords of potentially compromised email accounts, monitor potentially compromised debit or credit accounts for suspicious activity, and immediately file fraud alerts with the three major U.S. credit bureaus if fraudulent activity is found.
Both Sony's Playstation Network/Qriocity and all Sony Online Entertainment services currently remain unavailable.