Major Data Breach: 70 Million PSN Accounts Stolen



04/28/2011




Kevin R. Smith
Co-Editor


On the heels of the Epsilon data breach comes one of equal, and perhaps greater, severity: Sony's PSN (PlayStation Network) suffered what they're calling "an illegal and unauthorized intrusion into our network."

The gang at GamrFeed have more on the PSN data breach details, including that, "There is a laundry list of compromised personal information, including the loss of logins, passwords, street addresses, and purchase histories. Even credit card information could be at risk."

Bleh.

Being a gamer myself, and a PlayStation owner, too, my first reaction was a sigh and a feeling of resignation. "This kind of stuff happens," I thought to myself.

Then, I read deeper into the PSN Blog about the Data Breach.

[Editor's Note: the following is a verbatim quote from Sony's blog that has been re-formatted for easier readability than their multi-line legalese. Bold added for emphasis is ours.]

"We believe that an unauthorized person has obtained the following information that you provided:
  • name
  • address
    • city
    • state
    • zip
    • country
  • email address
  • birthdate
  • PlayStation Network/Qriocity password
  • [PlayStation Network/Qriocity] login
  • handle/PSN online ID

"It is also possible that your profile data, including
  • purchase history
  • billing address
    • city
    • state
    • zip
  • your PlayStation Network/Qriocity password security answers
may have been obtained.

"If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained.

"While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility.

"If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."

Now why the heck does any of this matter?

It's just a gaming network, right? Who cares what games I've bought or when!

Not so fast there, Sparky.

The real danger here isn't even in the possibility of the credit card info having been stolen. (Look, if there's a possibility it was stolen, just call it what it is and say the data was stolen, ok?)

The real danger is for those folks who use the same username and password in multiple places, like at PSN and for their Hotmail account, or any other email account for that matter. With that, a cyber thief can dig into your email account and from there easily springboard to bank accounts and all sorts of other places.

How will they find me amongst 70 million accounts?

Forget about digging through them by hand. Think of it happening programmatically. Just trust me on this one: it's easy to do.

It's trivial for anyone who can write a script: take the email address and password from each PSN record and try them against the email provider's login. From there, getting to your bank accounts and whatnot isn't all that hard. (Who hasn't used a "reset password" link at a website that gets sent to your email?)
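To make "programmatically" concrete, here is an added example (not code from the original post or from Sony) of the join an attacker scripts: each leaked email/password pair is tried against the accounts of a second site. It runs the check offline against stored password hashes, which is also how a site can use a leaked dump defensively, finding its own users who reused the PSN password and forcing a reset before the attacker gets there. The breach dump, the account table and the salted PBKDF2 hashing scheme are all constructed for the demonstration.

```python
"""Offline simulation of why password reuse turns one breach into many.

Constructed example, not code from the original post or from Sony. The
breach dump and the second site's account table are made-up sample data;
salted PBKDF2-HMAC-SHA256 is an assumed stand-in for whatever a real site
uses to store passwords.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the second site's hashes


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_account(email: str, password: str) -> dict:
    """Build one stored record the way a site would: random salt + hash."""
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


# Constructed "second site" user table (think: a webmail provider).
SECOND_SITE = [
    make_account("alice@example.com", "Tr0ub4dor&3"),          # reused on PSN
    make_account("bob@example.com", "correct horse battery"),  # unique
    make_account("carol@example.com", "hunter2"),              # reused on PSN
    make_account("dave@example.com", "unrelated-pass"),        # not in dump
]

# Constructed breach dump: email + plaintext password, as an attacker
# holds after a breach of a site that stored passwords recoverably.
LEAKED = [
    ("alice@example.com", "Tr0ub4dor&3"),
    ("bob@example.com", "bob-psn-only"),
    ("carol@example.com", "hunter2"),
    ("erin@example.com", "no-account-here"),
]


def find_reused(leaked, accounts):
    """Return the emails whose leaked password also unlocks a second-site account.

    This is the same join an attacker scripts against a live login form;
    done offline against the hash table, a defender gets the same answer
    without waiting for the login attempts to show up in the logs.
    """
    by_email = {a["email"]: a for a in accounts}
    reused = []
    for email, password in leaked:
        acct = by_email.get(email)
        if acct is None:
            continue  # no account here: nothing to stuff into
        candidate = hash_password(password, acct["salt"])
        if hmac.compare_digest(candidate, acct["hash"]):
            reused.append(email)
    return reused


if __name__ == "__main__":
    hits = find_reused(LEAKED, SECOND_SITE)
    print(f"{len(hits)} of {len(LEAKED)} leaked credentials open a second-site account: {hits}")
```

Two of the four leaked pairs open an account on the second site. Against a live login form the attacker is slowed only by whatever rate limiting the provider enforces; a site running this against its own hash table needs nothing from the attacker at all, which is why it's worth doing the day a large dump surfaces.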

Alright, what-ifs aside, and beyond Sony's recommendations, which only address part of the problem, here's what you should do immediately if you're on PSN:

1. Change your username and password anywhere they match your PSN credentials, especially on bank and email accounts. Keep the bad guys out of your email... and your bank.
2. Change your security questions and answers anywhere else you use the same ones as on PSN. Make it harder for someone to reset your bank, email or other passwords and steal from you (or steal your info).
3. Change your security questions and answers on PSN itself. Make it harder for someone to reset your PSN account and take it over.
4. Change your PSN username and password. Lock out anyone who already holds your old credentials.

The last important take-away from this data breach is that you should already assume the data is in the hands of spammers and cyberthieves.

As such, you need to expect that you'll receive many extremely targeted spearphishing emails. After all, according to Sony's own statement on the breach, the thieves probably have your name, email, credit card billing address, and date of birth.

What's to stop them from sending, "Happy Birthday!" emails offering to give you something free in exchange for your credit card info (for age verification only, of course...)?

Or for that matter from sending you, "Your data was stolen. Please click this link to reset it. Oh, and enter your new payment information while you're there, too?"

Or, how about, "Your data was stolen. We need your social security number now to ensure you're who you say you are."

The number of ways this information can be abused is just about limitless. Your antivirus software or Internet security suite can help you avoid a phishing attack to some extent, but the best defense is to be careful about the links you click and to really read the web site addresses you're going to: what matters is the domain the link actually points to, not the familiar name stuffed in front of it.
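Here, as an added example that is not from the original post, is what "really reading the address" amounts to when done mechanically: pull every link out of a message and compare where it actually goes with what it shows you and with the domains you expect. The email below is a constructed phishing sample, the allow-list of legitimate domains is an assumption for the demonstration, and the registrable-domain logic is deliberately simplified (it ignores two-level public suffixes such as co.uk).

```python
"""Audit the links in a suspicious email: compare the visible text with the
host the link really goes to, and that host with the domains you expect.

Added example, not code from the original post or from Sony. SAMPLE_EMAIL is
a constructed phishing message; LEGIT_DOMAINS is an assumed allow-list.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAINS = {"playstation.com", "sony.com"}  # assumption for the demo

# Constructed sample: a lookalike domain, a bare IP behind real-looking
# link text, and one genuine link.
SAMPLE_EMAIL = """
<p>Your PSN data was stolen. <a href="http://playstation.com.account-verify.net/reset">Click here</a>
to reset your password and re-enter your payment details.</p>
<p>Or visit <a href="http://198.51.100.7/psn">http://us.playstation.com/psn</a></p>
<p>Questions? See <a href="https://www.playstation.com/support">the support page</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._in_a = False
        self._href = ""
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_a = True
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._in_a:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_a:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._in_a = False


def registrable_domain(host):
    """Last two labels of the host. Simplification: real tools consult the
    public suffix list so that names like example.co.uk come out right."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def looks_like_url(text):
    t = text.strip()
    return " " not in t and "." in t and (t.startswith(("http://", "https://", "www.")) or "/" in t)


def classify_link(href, text):
    """Return (verdict, reason) for one link."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https") or not host:
        return "suspicious", "not an http(s) link with a host"
    dom = registrable_domain(host)
    # 1. The visible text is itself an address that disagrees with the target.
    if looks_like_url(text):
        shown = text if "://" in text else "http://" + text
        shown_host = (urlparse(shown).hostname or "").lower()
        if shown_host and registrable_domain(shown_host) != dom:
            return "suspicious", f"text shows {shown_host} but the link goes to {host}"
    # 2. A trusted name used as a decoy prefix on somebody else's domain.
    for legit in LEGIT_DOMAINS:
        if legit in host and dom != legit:
            return "suspicious", f"'{legit}' appears in {host}, but the registered domain is {dom}"
    # 3. Otherwise trust only the domains on the allow-list.
    if dom in LEGIT_DOMAINS:
        return "ok", f"registered domain {dom} is expected"
    return "suspicious", f"unrecognised domain {dom}"


def audit(html):
    """Return [(href, verdict, reason), ...] for every link in the message."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, *classify_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, verdict, reason in audit(SAMPLE_EMAIL):
        print(f"{verdict:10} {href}\n           {reason}")
```

The first two links are flagged and the third passes. The first is the classic trick the post warns about: the address starts with the name you trust, but the part that counts, the registered domain at the end, belongs to someone else. The second shows why link text is never evidence of anything; only the href is.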

The age of the spearphishing attack is upon us. Your information's security is, ultimately, no one's responsibility but your own.
