Sony states than a total of 93,000 accounts corrsesponding to one tenth of one percent (i.e. 0.1%) of their PSN, SEN and SOE consumers may have been affected (PSN/SEN: approximately 60,000 accounts; SOE: approximately 33,000). In these cases the attempts succeeded in verifying valid sign-in IDs and passwords, so the accounts were temporalily locked. As a preventative measure, Sony will be sending email notifications to these account holders and will be requiring secure password resets or informing consumers of password reset procedures.
At least this time the defense were active and the Company states it was able to stop these attempts taking steps to mitigate the activity, moreover Sony also stated that credit card numbers associated with these accounts are not at risk as a result of the unauthorized attempts.
The attempts appear to include a large amount of data obtained from one or more compromised lists from other companies, sites or sources. These were unauthorized attempts to verify valid user accounts on our services using very large sets of sign-in IDs and passwords. Between October 7 – 10 US Pacific Daylight Time, we confirmed that these were unauthorized attempts, and took steps to thwart this activity.
A couple of hot considerations:
- The Japanese giant learned the lesson. After the infamous breaches of March (with more than 100 million users affected and estimated cost of $21 billion), Sony hired Philip Reitinger (who annouced the attack on Playstation Blog), the former deputy under secretary at the U.S. Department of Homeland Security, as senior vice president and chief information security officer at Sony. The nomination was made on September but is possible that the strategy of establishing a security strategy has already been successful: it looks like the company was able to immediately detect the attack (and also is also immediately sending email notifications to the owners of the compromised accounts);
- I cannot help but notice the strategy of the attack consisting in a “very large sets of sign-In IDs and passwords obtained from on ore more compromised lists of company”. Probably read “spearphishing”: once again old techniques with new motivations. The organizations seems to have learned how to deal with these trhreats. The users are still far from that.
Hope to have more news very soon, most of all which were the compromised lists of companies (Epsilon?).