David Baxter PhD

Questions and Answers on the Sony PSN Hack
F-Secure Antivirus Blog
April 27, 2011

Q: What is PSN?
A: It's the Sony PlayStation Network, an online gaming network.

Q: What devices can access it?
A: Sony PlayStation 3 (PS3) and Sony PlayStation Portable (PSP). You can also use your PSN login on the Sony discussion forums.

Q: If I have a PlayStation 3, do I also have a PSN account?
A: Not necessarily. PS3s and PSPs work fine without an Internet connection. However, the majority of users do use the online access feature and thus have created an account.

Q: Why does a gaming network have credit card information?
A: PSN is also a media delivery network. Users buy games, movies and music from there with their credit cards.

Q: How long has PSN been down?
A: Since 20th of April, 2011.

Q: What was stolen?
A: Sony believes that the stolen information includes name, address, e-mail address, birth date, password, and handle of all PSN users. They also believe credit card numbers may have been stolen, but not their security (CVV) codes.

Q: How many accounts were stolen?
A: Up to 77 million, which would make this one of the biggest data breaches ever.

Q: What should end users do?
A: If you have used the same username/e-mail address with the same password in some other service, change the password now. When PSN comes back online, change your password there as well.

Q: What should end users do regarding their credit cards?
A: They should follow their credit card bills carefully for any signs of fraudulent purchases. If you see any signs of fraud, report it to your credit card issuer.

Q: What kind of credit cards do you recommend for online use?
A: In general, credit cards are safer than alternatives, as long as you carefully follow your bills. We especially like systems such as the one provided by Bank of America, where you can generate temporary credit card numbers for online use. Citibank and Discover offer the same or similar technology.

Q: Who hacked PSN?
A: We don't know.

Q: Was it "Anonymous"?
A: Anonymous has recently launched several attacks against Sony to protest Sony's tactics (which include suing homebrew developers, harassing AIBO hackers, shutting down emulator companies, shipping rootkits, et cetera). However, Anonymous has announced they are not behind this breach.

Q: What's the connection to Rebug?
A: Rebug is a custom firmware for PS3 that enables access to lots of features that are otherwise unreachable. In particular, recent versions made it possible for a normal PS3 to look like a developer unit. In some cases, this could be used to steal content from PSN shops for free. While the Rebug hack could be used to steal credentials and credit card numbers from the PS3 unit it's running on, there's no obvious way it could be used to steal information on a larger scale. Rebug developers do not believe it was connected to the breach in any way.

Q: So, this could never happen on the gaming networks of XBOX and Wii, right?
A: We wouldn't bet on that.

Here's a link to Sony's official Q&A.
 