Earlier today, Sony was forced to bring down the Sony Online Entertainment services, and unfortunately, they had good reason to do so.

It has been confirmed that SOE suffered a security breach similar to the one that hit the PlayStation Network last week: personal information from around 24.6 million accounts, as well as 12,700 non-U.S. credit or debit card numbers and expiration dates, has been stolen. The theft occurred between April 16 and 17, and Sony's statement is as follows:

"This information, which was discovered by engineers and security consultants reviewing SOE systems, showed that personal information from approximately 24.6 million SOE accounts may have been stolen, as well as certain information from an outdated database from 2007. The information from the outdated database that may have been stolen includes approximately 12,700 non-U.S. credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, Netherlands, and Spain."

The good news is twofold: the card information comes from an outdated 2007 database, and there's no evidence of stolen American credit or debit card numbers. However, hackers obtained plenty of info from those 24.6 million compromised accounts, such as names, addresses, e-mail addresses, birth dates, genders, phone numbers, login names, and passwords. SOE did mention that the password data is stored in hashed form and not plain text.

SOE has said they will add 30 days of free game use to current customers, and they will also offer a one-for-one match of free game time for each day that servers are offline. Hopefully, they won't be down for as long as the PSN…that would be bad.

Jawknee
9 years ago

I would like to know if Geohot's exploit made this possible.

tayizfire
9 years ago

wasn't SoE just boasting the other day about how their servers were separate… and their audience had nothing to worry about lmaoooo talk about a foot in the mouth

Jawknee
9 years ago

Not sure, but they are separate servers, so whoever did this was determined to hurt the company as many ways as possible.

JMO_INDY
9 years ago

Son Of A Bitch…

Dreno
9 years ago

Damn….

So are PSN and SOE separate?

Cause I'd hate to have to worry about my personal info again…

friction
9 years ago

Hahaha, yea they are, SOE (Sony Online Entertainment) is for their online pc games and dc universe, I believe. I think Everquest is their biggest game, not sure though.

friction
9 years ago

Damn someone isn't a fan of sony lmao.

Jed
9 years ago

Damn man, kick em while they're down. These hackers are cowards. Hope Sony can catch the bastards.

Robochic
9 years ago

Man that sucks, thank goodness I don't use a cc online 🙂 but I wonder about my 100 bucks PSN amount ? hmmm I bet it's all gone 🙁
DAMN U HACKERS, I hope they find you….

WorldEndsWithMe
9 years ago

your money is safe.

WorldEndsWithMe
9 years ago

Oh, the humanity.

Dreno
9 years ago

Ok, sweet deal.

But damn, sony can't seem to catch a break.

Just call McClane from Die Hard, we've seen what he did to Timothy Olyphant's hacker character in Live Free or Die Hard.

Can I get a yippy-ki-a mother f**ker.

The Doom
9 years ago

This is more than just stealing money. Someone is REALLY out to get Sony.

jimmyhandsome
9 years ago

This is starting to make my blood boil.

Hopefully no non-US SOE members took Highlander's word for it that their servers being down was just preventative "patching" as he said earlier today. He'd have you thinking your CC info was safe.

Ben Dutka PSXE
9 years ago

See, that right there might be a reason why you get some flak. What's the point of calling out other members?

If you want to be pissed off and voice your opinion, fine. That's what comments are for. But really…name-dropping to purposely cause personal disputes? You're better than that.

Lord carlos
9 years ago

Good!
Let the anger flow.
With each passing moment you become more my servant.
Oh i'm afraid the deflector shield will be quite operational when your friends arrive!
HA HA HA.

thj_1980
9 years ago

So can you take over all of our minds when we are angry?

bearbobby
9 years ago

Heh, join the Darkside. We have cookies. 🙂

FatherSun
9 years ago

@Lord, Stop it Pal…patine.

Imagine VII, VIII and IV! Or do you consider it over?

jimmyhandsome
9 years ago

@ Ben, you're probably right, I am better than that. Unfortunately I'm also pretty stubborn, which is usually my downfall. And let's be honest, I'm going to catch flak either way. I know how some members operate. It's tough for me to be called out and belittled in the last thread without saying something. My apologies to you either way, I know you like to run a tight ship with no nonsense.

@ Lord Carlos, you take your avatar and PSX ID to a whole new level. And I like cookies. Preferably no-bake oatmeal raisin.

Clamedeus
9 years ago

Waiiit… What kind of cookies are we talking about here?

Underdog15
9 years ago

To give him credit, this is one of those instances he said "probably". He also mentioned there's no way of being certain…

It's not really fair to only quote someone on what you want to quote. I also don't think it's fair to never assess the whole of a post. It's not fair.


Last edited by Underdog15 on 5/2/2011 10:13:37 PM

TheHighlander
9 years ago

See, that's the difference between you and I Jimmy, I don't need someone else to point out any errors or mistakes, I stand up and say if I've made one.

As it happens, my post was perfectly correct.

I said this: "Well, I'm thinking this is either a case of them finding a big known vulnerability in their systems, that is known to have been exploited, so they have to take things down immediately and fix it…Or someone planted a back door in their system…Or someone was still in their system…Or someone planted a virus/trojan of some kind during the main intrusion."

In other words whatever the reason for the outage it was undoubtedly related to the PSN hack.

Sony's engineers and the third party consultants were conducting a review of SOE's systems as part of the security check on Sony's networks after the PSN hack, and they discovered the problem. Rather than it being a simple case of the same or similar vulnerability requiring patching (although I'm certain that is required also, because the same vulnerability was almost certainly exploited in both cases), it seems as though the SOE hack actually pre-dates the PSN hack. In fact they may have been part of the same attack, and SOE was used as a stepping stone to access PSN. The attackers will have gained knowledge of the system configuration of Sony's servers and perhaps even used that to attack PSN.

You know, now I'm sure about you. Thanks for making it easy to be sure.

TheHighlander
9 years ago

Too many thoughts, too few sentences….

Apparently, Sony's engineers and the third party consultants were conducting a review of SOE's systems as part of the security check on Sony's networks after the PSN hack. During that system audit they discovered the problem. Rather than it being a simple case of the same or similar vulnerability requiring patching (although I'm certain that is required also) they found that SOE had also been hacked. Significantly SOE was hacked the day before PSN was. In fact this may have been part of the same attack, with the successful attack on SOE used as a stepping stone to access PSN. The attackers may have gained knowledge of the system configuration of Sony's servers and perhaps even used that to attack PSN.

I'd also add that it's interesting that SOE didn't know of the attack, but PSN detected an attack on it while it was in progress. It's interesting because SOE has been in the online game for a long time now and has good experience with building robust and secure systems. Yet it was the attack on PSN that was detected and foiled, where the attack on SOE was not detected until later.

Unfortunately the attack on SOE more closely matches the norm because most organizations that have been hacked don't know about it, and many never find out. Those that do seldom report the matter long after the fact.

Danny007
9 years ago

You guys should just give me your credit card info. I'll keep it safe. 😉


Last edited by Danny007 on 5/2/2011 8:23:42 PM

Excelsior1
9 years ago

1 step forward, 3 steps back for Sony. The past couple of weeks will haunt Sony for years to come. My god, just brutal.

Phoelix
9 years ago

Wow.

I wonder if they will publish specifically how the hacker(s) got in (if they ever find out).

TheHighlander
9 years ago

Sony more or less already has done just that. It's been reported that the hackers used known vulnerabilities in the Apache and/or Linux versions that Sony was using. They haven't revealed the specific vulnerabilities, or how they were exploited, but to be honest, I would be surprised if they had.

Phoelix
9 years ago

Where is this report you've read?

TheHighlander
9 years ago

Sony (actually Kaz Hirai) stated during their big PSN press conference that the attackers used a known vulnerability in the web-application platform Sony uses.

A quick bit of online research will show you via various sources that Sony uses Linux and Apache for the web-application server element of the PSN and SOE networks. I won't name the web sites as many of them are frequented by the kind of person that hacks a network for fun, and I see no point in promoting them.

A huge number of successful attacks each year are committed against software with one or more known vulnerabilities. More often than not, the vulnerability has been patched by the developers, but the admin of the system hasn't kept their patching up to date, leaving them open to attack.

Beamboom
9 years ago

The strange thing is that as far as I can recall there has not been an Apache patch for many months now. I run Apache servers myself, on Ubuntu. I always review the patches before updating the servers, just for my own knowledge's sake. And I may very well be wrong here cause there's hundreds of patches each month, but I can't recall any security patches for Apache.

Other than that, in all friendliness and respect, I think you should go a bit easier on Jimmy. It's not fun to get the entire site against you. I've experienced the same, and it got me furious too. It can be utterly unfair at times.


Last edited by Beamboom on 5/3/2011 3:55:13 AM

Phoelix
9 years ago

Depending on which vulnerability the hackers found I'll either be really unhappy with Sony or not really that unhappy.
I _do_ think it's somewhat odd that they're making a position for chief of security now instead of from the get-go.

Beamboom
9 years ago

Now that is an extremely good point you are making Phoelix. I had forgotten about that now, but when I read about it I found it strange that such a large company did not have such a position already.

There *is* something wrong in this picture, indeed. Just don't say that out too loud around here, or you *will* get slayed. 😉


Last edited by Beamboom on 5/3/2011 4:15:37 AM

TheHighlander
9 years ago

Beamboom,

Re: Jimmy, I'm not one to bear a grudge at all. Long term I have no problem with anyone here. I've had very strong differences with Jawknee before, and even though we both know we disagree extremely strongly on some things, we know we agree on so many others, so why worry about the disagreements? Besides, if we cannot argue with our friends, who can we argue with? So long as we're all capable of saying sorry or admitting wrong where we are, it's all good. I'm by no means at all perfect, but I do try to admit my errors and where possible I will point out my error and correct myself long before anyone else. But if I am in the wrong and someone shows me I'm in the wrong, I will always try to put my hand up and accept fault where it exists.

Heck the fact that I can still reply and discuss constructively with Mr Underline/ Anonymous Cowherd/whatever his name is, shows that whatever argument there is today, tomorrow is another day. (Bonus points for anyone that names the movie reference…)

TheHighlander
9 years ago

Beamboom

Your point about Apache patching. How frequently is Apache patched these days? I had a look at their web site, and in their list of patched vulnerabilities for 2.2, it's rather distressing to see 9-12 months elapsing between a vulnerability being identified and it being patched. It suggests to me that you could be running Apache with unpatched vulnerabilities, and yet still be running the most up to date, fully patched version.

I don't follow Apache much, so perhaps you can clarify for me? My impression is that going back and back-porting fixes and patches to older versions isn't exactly their top priority, and in fact it seems that patching vulnerability seems to take rather a long time. I hope I'm wrong and that there is better information than what I could find.

jimmyhandsome
9 years ago

Highlander, it's all good. I hold no grudges either, especially about the topic at hand. As I mentioned yesterday I expect people to disagree because this is a public forum, and it seems to attract a diversified bunch. I took offense with not what people said but HOW they said it. It's fine, I'm over it. Apologies for being stubborn on the matter, I see your side of it.

As far as that quote, I believe it's from Gone with the Wind. Never actually saw the movie, the only reason why I know that is because I did a book report on it back in the day.


Last edited by jimmyhandsome on 5/3/2011 2:29:58 PM

TheHighlander
9 years ago

Jimmy, you get the bonus points and Kudos, Gone With The Wind it is.

I agree, it's all good, people disagree all the time. As far as I am concerned if people don't disagree about something, they're probably not being honest about things. I mean, we're all human and have differences of opinion and understanding, it's only natural that there will be areas of disagreement. To me, it's more important to be able to disagree, and in fact even disagree passionately with others, while still being able to look and go past that disagreement.

My apologies also, I can be stubborn as well, as I'm sure you noticed.

Dancemachine55
9 years ago

Apparently, I have heard from various sources that this is definitely the work of Hotz and his supporters, several who are extremists from the group Anonymous.

When Sony first sued GeoHotz over the spreading of the PS3's source code, many other hackers threatened Sony, saying they will attack the network if they don't stop the lawsuit. Sony didn't drop the lawsuit, but Hotz got out of paying large sums or doing time in jail. Apparently, that wasn't good enough for the hackers.

So here we are. Sony stands up for itself after a hacker spreads a program designed to hack the PS3 and it suffers for trying to do the right thing. I really do hope these hackers burn in hell alongside Bin Laden.

All this over Sony removing Other OS. Ridiculous!!

It was either submit to the demands of hackers (also known as cyber-terrorists) and keep Other OS, stop suing Hotz and continue allowing the PS3 to be hacked and pirated easily, OR risk PSN network hacking and fight the hackers head on.

I'm glad to see that (like the President of the USA) Sony does not negotiate with terrorists.

Fortunately, I did not play any SOE games, so I have no info to steal. PSN however…

Jawknee
9 years ago

Do you have links? Sounds interesting.

Dancemachine55
9 years ago

Here are some sites I found related to who may or may not be responsible.

http://venturebeat.com/2011/04/28/geohot-psn-attack/

http://loot-ninja.com/2011/04/26/why-has-no-one-hacked-xbox-live-yet/

and this one provides the best details about what exactly happened behind the attacks, along with what was protected and what wasn't.

http://news.cnet.com/8301-27080_3-20058962-245.html

thj_1980
9 years ago

Guess sony is just getting hacked all over. Sucks for those enjoying SOE.

Even if this occurred around the same time as PSN, it still proves 24.5 million users completely compromised with all info lost, while PSN is maybe.

Things aren't looking good for SONY right now.

Dancemachine55
9 years ago

Note to self…

Do NOT piss off hackers!!!

Naztycuts
9 years ago

"The theft occurred between April 16 and 17"

Ouch! So when is someone going to put a bounty on these people's heads? Now that Osama's dead we (the US) can start focusing more on policing the internet!!! /sarcasm

Seriously though, if they could make laws that apply to malicious hackers and the like without infringing too much on normal people's rights then I'd be all for it. I don't think safety should come at the cost of our privacy. It makes everyone seem so reliant, yet uneducated about the computer scene, that a huge corporation like Sony can be hacked and damaged this badly. I feel for anyone who got their info stolen.

LittleBigMidget
9 years ago

Damn this is getting old. All this hacking buzz is going to make Sony's E3 pretty awkward.

FatherSun
9 years ago

A series of unfortunate events. It is a clear indication that those hacking Sony are true to their word when they stated that they will attack in a major way. One thing has me puzzled. Is it that they CAN NOT hack the Credit Card information or, WILL NOT? One would think that there is someone out there smart enough to swim through the internet undetected.

It seems that we are at a time where the internet has become a battleground. Corporate Society versus… well, those who play by their own rules. We are caught in the middle. It is now Law Enforcement's move. DHS, FBI, CIA or INTERPOL. Whichever entity has jurisdiction. How they handle this will demonstrate who actually owns the Internet. This will not end with Sony. At this rate 2012 may just be the end of the world as we know it.

Or not.

Lairfan
9 years ago

Well, criminals will be criminals. Let's hope the FBI catches these pieces of crap.

BikerSaint
9 years ago

Yeah, keep on hacking, you f*cking cowardly a$$wipes hiding behind your computers.

We got bin laden, and WE WILL get you too!!!!!!

kraygen
9 years ago

Hackers who are caught should be put to death. It's grand theft, burglary, slander, and terrorism. Let's make their deaths public, heck the government could make back some money if they made it ppv.

It'd also deter future hacking.

RadioHeader
9 years ago

They should be kidnapped and put in traps (like those in Saw, but computer-based) which they have to hack their way out of. If they win they're given a Cheeto, then immediately moved on to the next trap.

I don't watch much TV but I'd watch that, if it didn't overlap the Footy.