Support NeoGAF

[DevilWillcry]

I dont even remember what password I used for my psn id, this is really shameful for Sony

Right, it's totally Sony's fault that you can't remember your password xD

 

[Metalmurphy]

Yup. Check your inbox.

Nothing. I hope this means they've identified who exactly was compromised and are only mailing those

 

[Edgeward]

Do you mind posting what it says?

.

===================================

PlayStation(R)Network

===================================

Valued PlayStation(R)Network/Qriocity Customer:

We have discovered that between April 17 and April 19, 2011,
certain PlayStation Network and Qriocity service user account
information was compromised in connection with an illegal and
unauthorized intrusion into our network. In response to this
intrusion, we have:

1) Temporarily turned off PlayStation Network and Qriocity services;

2) Engaged an outside, recognized security firm to conduct a full
and complete investigation into what happened; and

3) Quickly taken steps to enhance security and strengthen our
network infrastructure by rebuilding our system to provide you
with greater protection of your personal information.

We greatly appreciate your patience, understanding and goodwill
as we do whatever it takes to resolve these issues as quickly and
efficiently as practicable.

Although we are still investigating the details of this incident,
we believe that an unauthorized person has obtained the following
information that you provided: name, address (city, state, zip), country,
email address, birthdate, PlayStation Network/Qriocity password and login,
and handle/PSN online ID. It is also possible that your profile data,
including purchase history and billing address (city, state, zip),
and your PlayStation Network/Qriocity password security answers may
have been obtained. If you have authorized a sub-account for your
dependent, the same data with respect to your dependent may have
been obtained. While there is no evidence at this time that credit
card data was taken, we cannot rule out the possibility. If you have
provided your credit card data through PlayStation Network or Qriocity,
out of an abundance of caution we are advising you that your credit
card number (excluding security code) and expiration date may have
been obtained.

For your security, we encourage you to be especially aware of email,
telephone and postal mail scams that ask for personal or sensitive
information. Sony will not contact you in any way, including by email,
asking for your credit card number, social security number or other
personally identifiable information. If you are asked for this information,
you can be confident Sony is not the entity asking. When the PlayStation
Network and Qriocity services are fully restored, we strongly recommend that
you log on and change your password. Additionally, if you use your PlayStation
Network or Qriocity user name or password for other unrelated services or
accounts, we strongly recommend that you change them as well.

To protect against possible identity theft or other financial loss, we
encourage you to remain vigilant, to review your account statements and
to monitor your credit reports. We are providing the following information
for those who wish to consider it:
- U.S. residents are entitled under U.S. law to one free credit report annually
from each of the three major credit bureaus. To order your free credit report,
visit www.annualcreditreport.com or call toll-free (877) 322-8228.

- We have also provided names and contact information for the three major U.S.
credit bureaus below. At no charge, U.S. residents can have these credit bureaus
place a "fraud alert" on your file that alerts creditors to take additional steps
to verify your identity prior to granting credit in your name. This service can
make it more difficult for someone to get credit in your name. Note, however,
that because it tells creditors to follow certain procedures to protect you,
it also may delay your ability to obtain credit while the agency verifies your
identity. As soon as one credit bureau confirms your fraud alert, the others
are notified to place fraud alerts on your file. Should you wish to place a
fraud alert, or should you have any questions regarding your credit report,
please contact any one of the agencies listed below:

Experian: 888-397-3742; www.experian.com; P.O. Box 9532, Allen, TX 75013
Equifax: 800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
TransUnion: 800-680-7289; www.transunion.com; Fraud Victim Assistance Division,
P.O. Box 6790, Fullerton, CA 92834-6790

- You may wish to visit the website of the U.S. Federal Trade Commission at
www.consumer.gov/idtheft or reach the FTC at 1-877-382-4357 or 600 Pennsylvania
Avenue, NW, Washington, DC 20580 for further information about how to protect
yourself from identity theft. Your state Attorney General may also have advice
on preventing identity theft, and you should report instances of known or
suspected identity theft to law enforcement, your State Attorney General,
and the FTC. For North Carolina residents, the Attorney General can be
contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; telephone
(877) 566-7226; or www.ncdoj.gov. For Maryland residents, the Attorney
General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202;
telephone: (888) 743-0023; or www.oag.state.md.us.

We thank you for your patience as we complete our investigation of this
incident, and we regret any inconvenience. Our teams are working around the
clock on this, and services will be restored as soon as possible. Sony takes
information protection very seriously and will continue to work to ensure that
additional measures are taken to protect personally identifiable information.
Providing quality and secure entertainment services to our customers is
our utmost priority. Please contact us at 1-800-345-7669 should you have any
additional questions.

Sincerely,

Sony Computer Entertainment and Sony Network Entertainment

===================================

LEGAL
"PlayStation" and the "PS" Family logo are registered
trademarks and "PS3" and "PlayStation Network" are
trademarks of Sony Computer Entertainment Inc.
(C) 2011 Sony Computer Entertainment America LLC.

Sony Computer Entertainment America LLC
919 E. Hillsdale Blvd., Foster City, CA 94404

 

[Kyoufu]

Do you mind posting what it says?

EDIT: or I'll just watch my inbox

Exactly the same as the OP.

Nothing. I hope this means they've identified who exactly was compromised and are only mailing those

Hey I thought we were friends

 

[wwm0nkey]

So he sold his $300-$400 Ps3 for like 40 bucks?

He sure showed them!

I tried to tell him to sell it on Ebay to be honest, some people just dont listen when we tell them :/

 

[polyh3dron]

Just got home from working at GameStop....a lot of people seem to want Sony's head for this, got one PS3 trade in because of this too.

If you sell hardware to Gamestop YOU ARE DOING IT WRONG.

 

[Shao Kahn Brewing a Stew]

It begins!

Would be in INDEED hilarious if these people forget to reset their PS3.

 

[NullPointer]

I sure hope this doesn't end up delaying Deus Ex.

 

[PsychoJecht]

A single character is 2 bytes

Do the math.

How do you know how many characters are in a psn account profile?

 

[DevilWillcry]

So he sold his $300-$400 Ps3 for like 40 bucks?

He sure showed them!

Odds are he's going to buy it again too when the service goes back up. Like a junkie to crack. He's a financial genius!

 

[daffy]

.

Ah I see. Thanks anyway

Didn't expect Sony to do that, but it's just the press release

 

[Captain Tuttle]

Pfft. It took me over a year to get approved for this account.

You can't beat the system son.

 

[MThanded]

Would be in INDEED hilarious if these people forget to reset their PS3.

I'm guessing most people don't.

 

[Maxwell House]

A single character is 2 bytes

Do the math.

Yes, but almost all corporate databases are multidimensional. The PSN database probably had an account dimension, a financial info dimension, game data dimension, etc. With each dimension you get an exponentially bigger database as a massive amount of connections need to be created between all the dimensionality.

They get gigantic. Bank and insurance company databases are fucking massive. I don't see why the database Sony used for PSN would be any different.

 

[Jinfash]

Yup. Check your inbox.

I just got one too, but it only contains the same transcript detailed in the OP. Should I be expecting something else any time soon?

 

[Apath]

I tried to tell him to sell it on Ebay to be honest, some people just dont listen when we tell them :/

You should just buy these systems from them for a little over what they would get and sell them yourself on ebay. Profit!

 

[Mithos]

No, the servers are still down at the moment. They'll probably do some sort of system wide password reset when they bring it back online. If they don't, the account management site should let you change your password.

Hope we can change our securityquestion/answer also, or changing you password won't mean much.

 

[angelfly]

This part of the email was interesting

Under Massachusetts law, you have the right to obtain any police report
filed in regard to this incident. If you are the victim of identity theft,
you also have the right to file a police report and obtain a copy of it.

Massachusetts law also allows consumers to place a security freeze on their
credit reports. A security freeze prohibits a credit reporting agency from
releasing any information from a consumer's credit report without written
authorization. However, please be aware that placing a security freeze on
your credit report may delay, interfere with, or prevent the timely approval
of any requests you make for new loans, credit mortgages, employment, housing
or other services.

If you have been a victim of identity theft, and you provide the credit
reporting agency with a valid police report, it cannot charge you to place,
lift or remove a security freeze. In all other cases, a credit reporting
agency may charge you up to $5.00 each to place, temporarily lift, or
permanently remove a security freeze.

 

[Clear]

People need to chill out. CC security codes are explicitly excluded from the list of data potentially compromised.

 

[LM4sure]

holy shit. lol. sony dropped the ball here. game over for them.

 

[Kyoufu]

I just got one too, but it only contains the same transcript detailed in the OP. Should I be expecting something else any time soon?

Nope. There isn't anything else they can say at this point.

 

[Zee-Row]

I'm mad at Sony but not mad enough to stop buying their products. I'll cancel my card tomorrow, i mainly carry cash anyway , i just use the card for internet transactions.

 

[MThanded]

This part of the email was interesting

only if you live in Massachusetts.

 

[Zoe]

Yes, but almost all corporate databases are multidimensional. The PSN database probably had an account dimension, a financial info dimension, game data dimension, etc. With each dimension you get an exponentially bigger database as a massive amount of connections need to be created between all the dimensionality.

They get gigantic. Bank and insurance company databases are fucking massive. I don't see why the database Sony used for PSN would be any different.

This is all assuming the person actually downloaded the entirety of it.

 

[Vestal]

How do you know how many characters are in a psn account profile?

If we go by the sony press release stating that the following was compromised.

Name
DOB
Address
email
Password
PSNID

you can figure it out.. do some math with some extreme cases in each field category and come out with a round about number.. its not that hard.

 

[iammeiam]

So just for the hell of it, I took the least optimized customer data output I could find from a database I work with. Roughly 680,000 customers, their addresses (more than one address for many), their e-mail information, etc. Split over five tables in the database I'm working with. Dumped them into binary output files (bigger than their text counterparts, but I'm aiming to overestimate file size, not under), then zipped up the files in a lazy fashion.

The resulting file is about 184MB, and this is literally the least optimal situation I could come up with. I'm really not seeing how a guy getting 77 million customers' data out of Sony (assuming you didn't have multiple people working in parallel) in the 24 hours or so they had is as unbelievable as some are claiming.

 

[angelfly]

only if you live in Massachusetts.

and I do

 

[sestrugen]

People need to chill out. CC security codes are explicitly excluded from the list of data potentially compromised.

so you are ok with having your address and name out there?

 

[Tom Penny]

People need to chill out. CC security codes are explicitly excluded from the list of data potentially compromised.

If that's true than that is all that matters. Yeah people will get pissed off at other stuff but that would doom Sony. If it spread around that their online service caused X amount of people to get robbed. Forget about it. Toast. That goes for any company.

 

[Schmitty]

I once had my CC on my account, but later took it off about a year ago. Am I still at risk? I'm thinking about getting a new card anyway.

 

[harriet the spy]

the plural of bureau is bureaus in english? :/

 

[RPGCrazied]

Hope Anderson Cooper talks about this.

 

[patsu]

[Alleged Sony email]

Ok... now what's left is to bring up the service.

Quick, I have a tough week at work (Well... last week and this week too). Bought Harry Porter Blu-ray last week, need some new office entertainment this week.

 

[FINALBOSS]

A multidimensional database with 77 million customer entries would be fucking massive in size. I work at an insurance company and our databases are huge, with nowhere near 77 million customer entries.

If it is just a list of names and numbers, than it could be tiny. It depends on how complicated the DB is.

Thank you.

 

[Wario64]

Hope we can change our securityquestion/answer also, or changing you password won't mean much.

In this case, I HIGHLY RECOMMEND you change your email login information. Changing your password won't be sufficient. CHANGE YOUR EMAIL ADDRESS AND PASSWORD

 

[Metalmurphy]

Hey I thought we were friends

Sorry, gotta look after my ass before others

 

[ULTROS!]

so you are ok with having your address and name out there?

Well for me it's ok because my address is a house for sale.

 

[lowrider007]

so you are ok with having your address and name out there?

Yes, I've used my real first and last name in my email address for over a decade and finding my address would be as easy as pie.

 

[Vestal]

Yes, but almost all corporate databases are multidimensional. The PSN database probably had an account dimension, a financial info dimension, game data dimension, etc. With each dimension you get an exponentially bigger database as a massive amount of connections need to be created between all the dimensionality.

They get gigantic. Bank and insurance company databases are fucking massive. I don't see why the database Sony used for PSN would be any different.

yes, however in the end if the hacker was able to to simply execute queries for the data, in the end the data is simple text entries.

 

[MThanded]

So just for the hell of it, I took the least optimized customer data output I could find from a database I work with. Roughly 680,000 customers, their addresses (more than one address for many), their e-mail information, etc. Split over five tables in the database I'm working with. Dumped them into binary output files (bigger than their text counterparts, but I'm aiming to overestimate file size, not under), then zipped up the files in a lazy fashion.

The resulting file is about 184MB, and this is literally the least optimal situation I could come up with. I'm really not seeing how a guy getting 77 million customers' data out of Sony (assuming you didn't have multiple people working in parallel) in the 24 hours or so they had is as unbelievable as some are claiming.

thisisneogafdude.gif

 

[Hex]

holy shit. lol. sony dropped the ball here. game over for them.

<----------------------------------------

 

[Jinfash]

This part of the email was interesting

Wait, the email I received doesn't have that part lol. Regional specific perhaps?

 

[FINALBOSS]

so you are ok with having your address and name out there?

Your name and address already is.

And by out there, I'm sure you mean "on the internet, for people to download" and again I say...it already is.

 

[adversesolutions]

Let's play watch the Sony stock price.

http://www.nikkei.com/markets/company/chart/chart.aspx?scode=6758&ba=1&type=day

 

[Rebel Leader]

so you are ok with having your address and name out there?

Believe it or not... There are 2 address to that address I live at =3

When I order pizza they go to the wrong place.

 

[MThanded]

and I do

you planning on filing?

 

[Maxwell House]

yes, however in the end if the hacker was able to to simply execute queries for the data, in the end the data is simple text entries.

True, they could just do a query dump to a text file and have a much smaller file. I am not sure what the hackers were able to do while connected.

 

[Oppo]

The resulting file is about 184MB, and this is literally the least optimal situation I could come up with. I'm really not seeing how a guy getting 77 million customers' data out of Sony (assuming you didn't have multiple people working in parallel) in the 24 hours or so they had is as unbelievable as some are claiming.

could you give that to me in Libraries of Congress (LoC) please

or football fields/volkswagons, you know something usable

 

[RustyNails]

I sure hope this doesn't end up delaying Deus Ex.

If it does, small furry critters in my front yard will have to pay dearly

 

[RyanDG]

People need to chill out. CC security codes are explicitly excluded from the list of data potentially compromised.

You do realize that it is still possible to use a CC without the security code at a lot of retail situations, right?