Sony has finally come clean on the extent of the PlayStation Network hacking and the reasons for the subsequent (almost) week-long downtime.
In a statement issued on the official PlayStation blog, Sony finally provided detailed information, after critics attacked the company for lack of transparency during this whole ordeal.
Sony has now discovered unauthorized access to PSN user information from the 17th to 19th of April. After discovering the security breach several days later, Sony shut down the network and engaged the services of an outside security agency to investigate the matter, while "re-building" the PSN system for better security.
From the statement, Sony refers to "an unauthorized person", suggesting that the company believes this may have been the work of just one person. Unfortunately, all information stored on PSN may have been accessed or even downloaded by this one person during the three days that the entire system was compromised, including users' passwords, email and physical addresses, and birthdays. While Sony acknowledges that "there is no evidence at this time that credit card data was taken", they also warn users to be wary, as the possibility still exists that the hacker has indeed managed to get credit card information as well.
Users are encouraged to change their PSN and Qriocity passwords once the service resumes in a day or two, and to be on the lookout for related phishing scams, perpetrated by scammers who may now have some of your personal information and may use it to obtain more.
With over 75 million PlayStation Network and Qriocity accounts in existence, this may in fact be one of the largest online security breaches in history, especially if credit card information was also accessed or downloaded. Serious questions will be raised about the security of the PlayStation Network infrastructure, and whether Sony withheld information regarding the information theft following their initial discovery of the breach almost a week ago.
Update (April 28): Sony have provided further clarifications on the hack on their blog. Sony are now saying that all credit card information was encrypted, and that they don't think there's any evidence of credit card info being stolen, although they cannot be absolutely certain (the credit card's verification number, or CVC, is not requested or stored by Sony, so this has not been compromised). However, none of the user information was encrypted, and this has been accessed. Sony did not provide more information with regard to passwords, whether they were stored with encryption, one-way hashing, or as plain text, and they are still advising users to not use the same password ever again (which means changing the password for accounts on other websites and services that use the same password). Sony have said they are working on a system which will force *all* PSN users to update their password once PSN is up again.
As to when the PSN will be back up again, Sony are indicating that it will be back online, at least with partial functionality, sometime around next Tuesday or Wednesday.
A FAQ on the hack has been posted here.
Do you think Sony should have designed the PSN to be more secure to prevent a single security breach exposing the information of 75 million users, including possibly credit card details? Post your opinion in this news article's comments section, or in this forum thread:
http://forum.digital-digest.com/showthread.php?t=94794