SOE Confirms More Account Information And CC Numbers Stolen

News has just surfaced via IGN stating that Sony Online Entertainment customers may have also been affected by the hacking attempts from last month. In a statement recently sent out by SOE, they claim that additional account information and credit/debit card numbers may have been taken from SOE servers. It’s important to note that the PSN and SOE are two different entities, although it appears that the original attack affected both divisions.

Below is the statement from Sony.

“This information, which was discovered by engineers and security consultants reviewing SOE systems, showed that personal information from approximately 24.6 million SOE accounts may have been stolen, as well as certain information from an outdated database from 2007.

The information from the outdated database that may have been stolen includes approximately 12,700 non-U.S. credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, Netherlands and Spain.

The personal information of the approximately 24.6 million SOE accounts that was illegally obtained, to the extent it had been provided to SOE, is as follows:

– name

– address

– e-mail address

– birthdate

– gender

– phone number

– login name

– hashed password.

In addition to the information above, the 10,700 direct debit records from accounts in Austria, Germany, Netherlands and Spain, include:

– bank account number

– customer name

– account name

– customer address.”

We’re not really sure what to say about this situation that hasn’t already been said. It’s obviously very disappointing and I’m sure many will raise questions wondering why it took them this long to realize that SOE servers were also affected, especially since Sony has stated that this was not the result of a second hacking attempt.

On the plus side, SOE is planning to give subscribers an extra 30-day subscription on top of “compensating them one day for each day the system is down.”

Further clarification is sure to come out as the week progresses so stay tuned.

[Update] Sony has posted a notification on soe.com clarifying that their central credit card database was not included in the compromised information detailed above, which leads us to believe that all the credit card information that was stolen is from 2007.

“There is no evidence that our main credit card database was compromised. It is in a completely separate and secured environment.”

Source: IGN, SOE

42 Comments

  1. Oh dear ….. that’s all I can say :|

  2. Oh man, it just keeps getting worse and worse. Does anyone know if this will affect PSN coming back online this week?

    • If this was part of the same attack (and Sony says it was) then I doubt it.

  3. Not sure this can get any worse really… this is going to be hard to come back from Sony…

  4. Trying to think of something positive to say about this, but I can’t.

    It looks like all Sony systems had shortcomings and whilst nothing is 100% hackproof it’s doubtful that many companies would overlook hundreds of GBs of user data being leeched over a few day period.

    At least Sony’s PR Dept looks like it’s learning not to lie & have avoided the whole ‘maintenance’ smoke & mirrors thing this time & have just come out with the bad news. Let’s hope their network-monkeys follow their example and up their game, to the expected minimum standards of ‘industry best practice’

    • see you did find something positive in amongst the sheer swell of bad news :/

    • You say it’s doubtful other companies would overlook it, but remember this isn’t Sony looking through things… they’ve had trained security/forensic firms looking into it for a week or more now. If it’s taken THEM that long to find it, it’s doubtful others would have found it any quicker.

      • Meant during the actual intrusion.

        Industry best practice, which any company serious about something would strain every sinew to achieve, would have flags thrown up to that sort of leeching, like Sony has detailed in New-PSN, obviously why they’ve fallen short of best practice & it wasn’t designed into the network anyway will probably be unknown forever.

    • That’s perhaps the most worrying part. Apparently the credit card companies do check that systems meet the minimum standards before they’re allowed to process payment information. Other companies probably have systems which are more vulnerable than Sony’s yet are still classed as being good enough.

  5. So what does this mean? People who play DCU:Online via PC/Steam?

    • Details have been compromised of 25m SOE accounts, so along with your name, address, email, usernames, passwords, security questions – probably nefarious types also know your favourite colour, your shoe size & inside leg measurement… Along with card details of some double unlucky subscribers

    • Yes, and other PC games. SOE publishes mostly PC-based MMORPGs if I’m not mistaken.

  6. “I’m sure many will raise questions wondering why it took them this long to realize that SOE servers were also affected,”

    Because it’s an ongoing investigation. Unfortunately, these things take time.

    That said, this is potentially worse news than the PSN data being stolen. The card details taken here are likely to be out of date by now, but the bank account details are likely to still be valid.

    If there’s one good thing to come out of this mess, it’s that from this point on, Sony will very likely have one of the most secure networks around. That may be seen as shutting the stable door after the horse has bolted, but at least it’s something positive.

    • You don’t think that it’s a bit laughable that a Sony division called Sony Online Entertainment took around 16 days to realise that they’d been hacked?

      I mean, 24.6 million accounts, that must have been a fairly big download, you’d think someone might have noticed that while it was happening, or hey, they could have had an automated warning for when a computer/IP downloaded more than 30 people’s account info. I’m just saying, there can’t be too many legitimate reasons for downloading 24 million accounts, I don’t think it would have been that difficult to detect…

      • You ever worked in security, though? :) Or been a hacker? :)

    • They knew they had an “external intrusion” at the same time as the PSN one, and took everything down. Did some checks, thought everything was OK and opened the servers back up again.

      It’s more than embarrassing to then realise that you did have data nicked after all, especially after saying you’d checked it out and you were fine…

  7. This does all seem very disappointing but one day the PSN will be back to full functionality and hopefully if it happens again it doesn’t happen to Sony and then hopefully by the fact there is an attack on another company, the people responsible are found and jailed. I think people who aren’t affected have just laughed at this but it’s a serious crime and should have been fought forcefully.

  8. Oh dear, that’s been quite a while for them to notice and either they knew before Kaz held the conference and refused to divulge or they just plain let it slip under their radar.
    Hope they address it quickly, take it in their stride and stay focused on re-launching the PSN in a brilliant way.

  9. All this bad press is going to impact PS3 sales for a long time…

    • Not sure it will affect core gamers’ buying decisions, but parents & all the areas that Sony will see as growth for the 2nd-half of the gen will probably have to think long & hard. It could also have a big impact on Bravia, because the PSN features are one of the advantages over other manufacturers, many of whose TVs at least equal Sony’s. It could also affect other connected Sony devices like the Xperia Arc etc

      • But isn’t it logical to assume that the company that has once failed AND has rebuilt their stuff and is now at Alert Status, would be a safer bet than the general company who did nothing and has not been YET compromised?

  10. There’s been some sort of Update on this (just read it on Kotaku) that no CC numbers were actually taken as they were stored separately.

    • cc_star also stumbled upon that but thanks for letting us know :-)