New Sony PlayStation Network hack: not as bad as you may have heard

Sony’s Chief Security Officer Philip Reitinger has reported a new attack on the PlayStation network leading to headlines stating Sony hacked again. Has the company not learned from the incidents earlier this year?

Actually, it probably has; the new hacking attempt does not exploit any weakness in Sony’s network unless you consider any system reliant on username/password to be weak – not an unreasonable opinion, but given that the likes of Apple and Amazon and PayPal still use it, hardly fair to single out Sony.

If you read the statement carefully, it says that somebody obtained a large list of username/password pairs and ran them against Sony’s network. Further:

given that … the overwhelming majority of the pairs resulted in failed matching attempts, it is likely the data came from another source and not from our Networks

Because of the large number of PlayStation users, there were still 93,000 successful matches, which to its credit Sony says it detected – presumably there was a pattern to the attack, such as a limited range of source IP numbers or other evidence of automated log-in attempts.

If Sony is right, and the list of passwords came from another source, there is no reason why the hacker might not try the same list against other targets and this is not evidence of a weakness in the PlayStation network itself.

As Reitinger notes:

We want to take this opportunity to remind our consumers about the increasingly common threat of fraudulent activity online, as well as the importance of having a strong password and having a username/password combination that is not associated with other online services or sites. We encourage you to choose unique, hard-to-guess passwords and always look for unusual activity in your account.

It is good advice, though can be impractical if you have a very large number of online accounts. Something like PasswordSafe or Keypass is near-essential for managing them, if you are serious about maintaining numerous different combinations.

From what we know so far though, this is not evidence of continued weakness in the PlayStation network; rather, it is evidence of the continued prevalence of hacking attempts. Kudos to Sony for its open reporting.