The Two Year Anniversary Of The PSN Hack

On the 21st of April, 2011, the PlayStation Network went down. “Nobody knows why yet,” we said of that fateful morning. “Once we get an update, we’ll let you know what’s going on.” That update, as you’ll remember, took days and weeks to fully materialise into the complete truth, and when it did, Sony’s previously bulletproof network was in pieces.

The end result was a £250,000 fine. But that was this year, and back in 2011, when nobody knew what was going on, any kind of resolution was a long way off: ICO’s involvement, free games, the ability to log back in – all out of reach, and it would take three weeks before the network was back up to something like operational.

Timeline

19/04 – Attack on PSN services apparently occurred

20/04 – PSN switched off, maintenance message appears

25/04 – Patrick Seybold writes on Blog – no date for fix

26/04 – Sony confirm scale of hack, “illegal intrusion”

01/05 – Welcome Back package announced

02/05 – Sony announce SOE site hacked, 12,000 cards stolen

15/05 – Some services stir into life, 3.61 firmware released

18/05 – Another exploit found on SOE site

Of course, at the time, we made light of the situation. The second day of the downtime brought nothing but mild amusement from us, but the story made the BBC within 24 hours, citing Sony as saying the issue was due to an “external intrusion” which turned into a “sustained LOIC attack on the PSN Store” and – something that would end up being crucial – “a concentrated attack on PS servers holding account info.”

That attack on the servers holding account info would – quite quickly – turn into a PR nightmare for a company holding so much data. Reuters called it “the biggest Internet security break-in ever”.

By the 25th Sony couldn’t confirm whether user data had been compromised, and then on the 26th everyone’s worst fears came to fruition – potentially, the hackers had everything. 337 comments on TheSixthAxis’ late night post showed people cared, and the statement that “user account information was compromised in connection with an illegal and unauthorized intrusion into our network” was scary.

Data seemingly out in the open included, verbatim, “name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID” with Sony saying that it was also possible that “profile data, including purchase history and billing address, and your PlayStation Network/Qriocity password security answers” may also have been obtained.

Information that could, as Sony would acknowledge, be used elsewhere. Security questions and answers especially, but with all that information Sony had little choice other than to offer up identity theft protection. It wasn’t made a big deal (for obvious reasons) but this couldn’t be something to totally sweep under the rug. And despite assurances that key information was encrypted, anecdotal evidence still floats around that some users fell victim to credit card fraud.

In May Sony said that “there is no confirmed evidence any credit card or personal information has been misused.”

The first lawsuit was filed on the 27th, with Sony’s share prices diving a day later. The estimated cost to the platform holder, at that point, was a cool $1.5 billion, but let’s not forget the developers and publishers whose games couldn’t be sold online and, in the midst of current discussion about an ‘always-on’ next generation, games that wouldn’t even boot without the network being live.

“There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised. We learned there was an intrusion April 19th and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon.”

Sony, on why there was such a delay in letting customers know what had happened.

By the 15th of May, things started to tick back into life, and Sony’s “Welcome Back” package – a smattering of free games to download – was both a smart PR move and what appeared to be a genuine desire to apologise to its customer base.

It’s worth remembering that at this point PlayStation Plus didn’t have an Instant Game Collection – that would happen a year later – so the games were mostly well received by loyal fans. The idea, of course, was to make Sony the good guys.

And yet, in June, another of Sony’s sites fell victim to a “simple” SQL injection, resulting in the potential loss of another 1,000,000 chunks of user data including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts. This was in the middle of reports that Sony had laid off some of its security staff just before the main PSN hack occurred, leading some to suggest it was all the fault of disgruntled ex-employees rather than anyone outside of the company.

According to US site CNet, however, it was LulzSec behind the intrusion. Last week four members of the group pleaded guilty to the hack of 70 million PSN accounts, resulting in three weeks of complete downtime for the network and a direct cost to Sony of an estimated $170 million.

Looking back to the events two years ago might feel like a distant memory, but the results can still be felt 24 months later: Sony’s PlayStation Plus service and its general approach to regional parity carry echoes of a company still trying to do the right thing, an extended charm offensive that is by all accounts paying off well. Trust and confidence were at an all-time low in the summer of 2011, but in 2013, on the cusp of a new generation, it’s hard to find regular fault with SCE.

Of course, Sony’s updated terms and conditions – those that say users can’t file claims about the company – are still frowned upon.

No company is perfect, and anyone thinking that the bottom line isn’t about revenue is wrong, but this feels something like a changed Sony, an organisation seemingly doing its best to provide what its customers (and developers) want, and – for the most part – staying on the right side of those 70 million precious accounts. Whether that’s just coherent, constant good PR or a genuine shift is for another blog entirely.

Hopefully nothing like this ever happens again for Sony.

41 Comments

  1. Don’t scare me like that! I just read the first part of the headline.

    • What, ‘The Two Year Anniversary’??

      I take it you haven’t had many long term relationships if anniversaries scare you! ;)

  2. I guess you’ve achieved the impact you’re looking for but that title is very deceiving. That could spark rumours amongst people who are too lazy to read the whole article or story correctly. Just saying ;)

    • Doesn’t the “The Two Year Anniversary” part sort of set the tone? I guess for people who are too lazy to read the whole headline maybe…

      • It’s changed since that comment :)

      • They’ve changed it. Earlier it read: PSN Hacked: 2 years somethingsomething… :)

      • Ah I see, in that case I can only apologise.

    • The original headline was “PSN Hacked: The Two Year Anniversary.” Al has changed it to avoid any complaint but it’s astounding to me that people might not read past the first two words to the rest of the headline… never mind reading the actual article for context. Having to mitigate for that degree of stupidity is stifling.

      • Agreed. If it did concern people surely they would then read further and realise. People can be silly.

      • I don’t disagree but I know what some people are like and how some people easily misinterpret things. For a split second I thought ‘Sh*t, here we go again’. That’s all some fanboy sitting on the opposite side of the fence needs to see before their eye light up.

      • *eye(s). Unless Cyclops reads The Sixth Axis.

      • oh yeah, you’re right about some people choosing to ignore anything past the first couple of words (as evidenced).

        I’m really just lamenting the fact that we have to consider that attitude when writing headlines because it homogenises everything. It cuts out all room for character or personality in our editorial if we constantly try to second guess what might upset every random person who really should know better. And that’s really a shame.

        Editorial content (ours, at least) is always intended to provoke discussion, entertain or amuse people – if we pander to every over-sensitive whim, we’ll end up with a bullet-pointed list of facts on a plain white background… and people will probably still argue about what font we used ;)

      • Peter, don’t change a thing. It was quite clear that it was there to provoke an interest. Not to provoke numbers.

        If you had said PSN Hacked, then yeh, maybe people could be upset. But to show any sign of annoyance because for the time between reading 2 words and then another 3, people got a slight shock. Don’t cater to the minority please. I like you guys just the way you are.

      • Don’t allow for them, Peter. If there are people getting in a froth because they’ve decided not to read the entire heading then that’s their own fu**ing fault and they should, perhaps, learn to read or grow up.

        TSA commenters sounds like they’re just having a bit of fun with the headline, hopefully. :-)

      • Their own fudging fault? :)

  3. Do I still remember? I now use an account with a false name/address/dob and always buy PSN cards from Amazon/Game rather than leave my card details in Sony’s hands…. yes I remember (and won’t ever forgive) :P
    Same applies to my 360. Can’t be too careful.

    • Blimey I’ve still got the same card details on my account that I had when it was hacked!

  4. Stupid headline. Take it down, I don’t come here to TSA to read stupid headlines like that. I can go and read crap like that elsewhere chaps.

    yes it clearly states two year anniversary, but still.

    • Oh and just to add. After PSN was hacked I had £6k taken out of my account within a week of it happening because of this.

  5. After that hack for months afterwards I kept getting phishing emails, to my email address which I had my psn tied to. Never fell for them like but I did change my bank card just to be safe and made the decision to only use my credit card for online transactions due to credit cards having a far better fraud protection.

  6. To my knowledge, there have been no repercussions for me personally (although I have been receiving a lot more PPI spam texts, coincidence?), but SONY’s push for indie devs and PS mobile and Instant Game Collection and all that jazz has shown that they’re REALLY keen to get the public back on side, and I reckon they’ve more or less achieved that.

  7. Since then both Microsoft and Nintendo were hacked but that seemed to be swept under the carpet by the press.

    Glad to see the hackers getting found guilty though and will be sentenced in May.

    • It’s not the ones behind Sony though, that was much worse than what Lulzsec ever achieved.

    • we’ve regularly reported on Microsoft’s problems with hacking (I’ve been a victim of account hacking on the 360 twice, losing the funds in my account both times) but our audience is much more PlayStation focussed and less interested in non-PS stuff so we don’t spend as much time with that.

    • Don’t forget Steam, it got hacked too a few months after the PSN hack:

      http://www.thesixthaxis.com/2011/11/10/steam-hacked-database-accessed/

      There was almost nothing about that in the media either.
      I wonder what would’ve happened if Sony hadn’t switched off PSN to do a full investigation and instead just issued a short statement and continued business as usual.

  8. For myself, it was a real (and if honest, a much needed) wake up call.

    I was quite happily using my debit card on PSN and Amazon, blindly believing that I was safe and if anything should go down, my bank had enough safeguards to resolve everything quickly and with no hassle. Hearing the story on BBC news had me somewhat alarmed, so I drove 9 miles in to see my bank, explained situation, was told not to worry, just cancel my debit card, just to be safe - long story short, 3 hrs of phone calls later to various bank departments (sorry sir, we cannot cancel your card, you need to ring…No, sorry sir, you need to ring….), I had no debit card, no way of checking my account and a lot of worry.

    I wrote a stinking letter to the bank, turned out they’d known long before I did what had happened, but it wasn’t policy to let customers know and they only worked in partnership with some firm in South Africa to do I.D protection (so I was basically paying the bank for S.F.A).

    I now only use a Credit Card with online transactions (Amazon only) so bank knows to be on the lookout for any other transactions online etc, pre-paid vouchers all the way on PSN and XBL.

    But what’s struck the most since the PSN Hack, is just how many others have been hacked since:

    Codemasters, Bethesda, XBL accounts, where sh*t was going down even when MS had ‘locked’ accounts, Ubisoft with U-Play, seemed every week another big name had fallen victim to data being ‘compromised’ and it’s still on-going.

    So, it was a very unpleasant time, but I’ve learned lessons from it and it shook me out of my comfort zone that the bank I’ve been with for over 25 years was working on my behalf, now they damn well are.

  9. I’m still happy to hand my card details over to them. I didn’t really see the hack as a way to get details but only because they could and to show Sony up.

    • Yeah, I still use my details too.

      And to be fair, if someone wants to steal my ID, they must be really desperate and need it more than me!

    • Yip, I’m in the same boat. Not stopped me at all.

    • still use my card on there as well.

    • yeahh me too!
      nobody can be soooo desperate that they are willing to take my ID right?
      there is more profit in digging graves! :P

  10. As someone who lives in a country with no movie store and no playstation mobile, I can still find regular fault with SCE and SCEE.
