Sony has made an announcement on its PlayStation Blog today letting all subscribers of the PlayStation Network know that the network has been compromised and that user information, including names, passwords, addresses and most likely credit card numbers, has been stolen. Update below.
In the announcement, Sony’s Director of Communications Patrick Seybold had this to say:
We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network.
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
The leak is the result of the PlayStation Network being hacked by an unknown entity, and Sony is working on isolating it further as its investigation continues. While Sony doesn’t believe that any credit card information has been stolen, it’s a distinct possibility.
Here’s what you should do to protect yourself:
- Immediately change the password on any other service where you use a password similar to your PlayStation Network password.
- Monitor your credit card activity diligently to be sure that it is not being used by an unauthorized party.
- Check your credit reports for any use that is out of the ordinary.
- Do not click on any links or provide any sort of personal information (like logins, for example) in response to any email that claims to be from a game or to be affiliated with the PlayStation Network. It’s important to keep this in mind well after this incident has come and gone; it could always still be a phishing attempt. Sony has provided a phone number to call. Use that instead.
Steve Reynolds, PlayStation Store Operations Manager, has also informed a user via a Twitter update that despite Steam and PSN having some integration, no Steam accounts were hacked.
Nonetheless, users across social media are expressing their outrage that it has taken nearly a week for Sony to inform them that their information had been compromised. Comments on the blog post have ranged from users wondering why they “had to read it on a blog instead of getting an email first” to expressing anger that they “cannot even log in to change or delete our info.” There has been no word from the company as to why it did not contact users directly before making the announcement on its blog or why it took so long to report these findings.
What it has said is that it expects to have the service back up and running within a week, as its team is working “day and night to ensure it is done as quickly as possible.”
Update: In a statement released to gaming site Kotaku on Tuesday, Seybold says that Sony only learned the true extent of the breach, including the compromise of customer information, on Monday, although the breach was discovered on April 19th.
“There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised,” states Seybold. “We learned there was an intrusion April 19th and subsequently shut the services down.”
“We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon.”