Are You on PSN? Might Want to Cancel Some Credit Cards…

So, it’s been about a week of PSN being down.

This is an "Online Webcomic" called "Pennies Arcade" discussing the topic!

The story seems to be that at some point in mid-April, someone hacked the Playstation Network. In response, Sony just straight shut down PSN to deal with it. They didn’t tell anyone for a week why it was down, which is super nice of them. They’ve just recently announced that they hope to have it back up in about a week. Oh! Also, if you’ve ever bought anything on PSN, your credit card info, birthdate, and (presumably) secure password might have been stolen. But they don’t really know that’s true so they figure eeeeh they’ll let you deal with that as you will. And maybe not really tell you in any way, shape, or form! People are reporting that they’ve not received any sort of email notice even now of PSN being down, much less that they might have to get a new card number. They did put an update on their blog, though.

For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.

To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:

U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit www.annualcreditreport.com or call toll-free (877) 322-8228.

Of course, Sony only recently released the PSP Go, a device that entirely depends on PSN for all of it’s content. Hope you didn’t buy one in the past week, because it’s a brick. And I mean, frankly, I guess I’d recommend not ever buying one because get this: PSN apparently isn’t that stable or secure a service!

I think this would rile a bit less if they hadn’t simply been mute for a week about it. They probably hoped it was something they could resolve in a weekend and then pretend was some sort of routine downtime.

Edit: I just saw a great write-up about this on Eurogamer.

The pull quote?

The whole notion that password details have been taken defies belief. There’s a reason that most internet sites can’t tell you what your own password is and can only reset it – it’s because the server itself doesn’t actually store it at all. Your chosen password is hashed when it’s first transmitted, and only this checksum is stored. When you enter your login, the password is hashed again and compared to what is on the system – if we have a match, you are granted access.

In short, there is no actual need whatsoever for your password to be stored server-side at all. Sony’s statement suggests that it was actually storing sensitive information in plain text format, which defies belief. The only other explanation is that hackers only got access to the hashes and may have compromised a small minority of passwords by running this data through something like a dictionary look-up. However, from the tone of Sony’s apology this does not appear to be the case.

Seriously, get your shit in order and avoid suspicious requests, people who use PSN. Name and address are enough for a clever fraud, much less the extra shit Sony may have unnecessarily made vulnerable.