After 7 days of speculation-ridden downtime, Sony has finally announced that the PlayStation Network (PSN) outage was due to a massive hack that exposed the names, birthdays, email addresses, passwords, security questions, and maybe credit card details, of all PSN users.
At first, the most likely explanation for the PSN’s downtime was a continuation of Anonymous’s DDoS reprisal for Sony’s persecution of PlayStation 3 jailbreaker, George Hotz (geohot). Then, as the outage extended past a few days, and Sony announced that it was “rebuilding” its network due to an “external intrusion,” it became apparent that this was much more than a simple, brute force denial of service attack. Today’s announcement by Sony confirms that the PlayStation Network’s security mechanisms were fully circumvented, and that at least one of its most sensitive databases was breached and accessed sometime between April 17 and 19.
How was the PlayStation Network hacked, though? Ironically, for security reasons, and because Sony is historically very tight-lipped on such matters, we will probably never know the exact attack vector — but we can certainly make some well-educated guesses about how the PlayStation Network was hacked. First, given its proximity to Anonymous’s recent attacks, it’s likely that the database breach is somehow related. It’s safe to assume that Anonymous could have learned about a weakness in the PSN’s security mechanisms, and then passed that data on to another group of hackers — and from there, if the hole was big enough, the attackers might have been able to simply step right in with an SQL injection attack.
Moving forward, there’s no indication of when the PlayStation Network will return. Sony has warned its users to look out for mail or telephone scams, and to lodge a “fraud alert” with credit bureaus like Experian and Equifax, which should prevent your credit card from being used by the hackers. If you’re a PlayStation Network user, check the PlayStation Blog for more information.
As we move towards a lifestyle that is dominated by cloud-based services like Gmail, Steam, Xbox Live, and Netflix, these attacks will become more and more commonplace. It’s infinitely convenient to have your data all in one place and accessible from any net-connected computer — but likewise, these services represent the juiciest imaginable hacking target. A large database of email addresses is worth millions if sold to a spam baron!