Less than two days after Sony started bringing its PlayStation Network back online, reports are coming in that the besieged gaming giant’s platform has been hacked yet again. MCV is reporting that the exploit allows hackers to change users’ passwords using only a PSN account email and date of birth, two pieces of user information that were obtained in the original hack. Update: Sony has responded to the reports of a new hack.
MCV says that the hack, which is really an exploit of Sony’s password reset system, was first reported by Nyleveia.com and then corroborated by Eurogamer. Now the PSN login option is unavailable on a number of Sony’s sites. Sony’s login site that is used to reset passwords using the email and date of birth is now down.
According to Nyleveia the exploit was demonstrated to it personally by someone who knew the method.
“It has been proven to me through direct demonstration on a test account, so I am without any shadow of a doubt that this is real. We have provided SCEE with a detailed description of the security hole,” said the Nyleveia poster, “While it’s unclear at this time if they will actually patch the flaw while they have the system taken down, I can also confirm that the system went down approximately 15 minutes after I received a response from SCEE on the matter.”
Note that if you changed your email when you regained access to the PlayStation Network, you are most likely safe from this exploit. If you left your account email the same, however, you may have been vulnerable. Sony has already been contacted about the breach and is aware of this new exploit.
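The underlying design problem is that the reset flow described above treats an email address and a date of birth as proof of identity, even though both values were in the stolen database and so are no longer secrets. The following is an added illustration, not code from the article, Sony or Nyleveia: it models that knowledge-based reset beside a reset that instead emails a random, single-use, expiring token and stores only the token’s hash. The account record, the clock and the simulated mail outbox are constructed for the demo, and the 15-minute token lifetime is an assumed value.

```python
"""Password reset: knowledge-based check (weak) vs emailed single-use token (hardened)."""
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset token


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256; returns 'salt_hex$digest_hex'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return secrets.compare_digest(candidate, stored)


def make_users():
    """Constructed sample account; email and DOB are assumed to have leaked in the breach."""
    return {"alice@example.com": {"dob": "1990-01-01",
                                  "password_hash": hash_password("original-pw")}}


class KnowledgeBasedReset:
    """The weak pattern the article describes: email + date of birth are enough.
    Once those values have leaked, anyone holding the dump can pass this check."""

    def __init__(self, users):
        self.users = users

    def reset(self, email, dob, new_password):
        user = self.users.get(email)
        if user is None or user["dob"] != dob:
            return False
        user["password_hash"] = hash_password(new_password)
        return True


class TokenReset:
    """Hardened alternative: a random token delivered out of band to the mailbox,
    stored only as a hash, valid once and only until it expires."""

    def __init__(self, users, clock=time.time):
        self.users = users
        self.clock = clock
        self.pending = {}   # sha256(token) -> (email, expires_at)
        self.outbox = []    # simulated mail delivery so the demo runs offline

    @staticmethod
    def _fingerprint(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request(self, email):
        if email in self.users:
            token = secrets.token_urlsafe(32)
            self.pending[self._fingerprint(token)] = (email, self.clock() + RESET_TTL_SECONDS)
            self.outbox.append((email, token))
        # Same reply whether or not the address exists: no account enumeration.
        return "If that address is registered, a reset message has been sent."

    def complete(self, token, new_password):
        entry = self.pending.pop(self._fingerprint(token), None)  # pop makes it single-use
        if entry is None:
            return False
        email, expires_at = entry
        if self.clock() > expires_at:
            return False
        self.users[email]["password_hash"] = hash_password(new_password)
        return True


def demo():
    """Runs both designs against the same leaked email + DOB and reports the outcomes."""
    results = {}
    # 1. Knowledge-based reset: leaked data alone takes over the account.
    users = make_users()
    kb = KnowledgeBasedReset(users)
    results["kb_reset_with_leaked_data"] = kb.reset("alice@example.com", "1990-01-01", "attacker-pw")
    results["kb_new_pw_works"] = verify_password("attacker-pw", users["alice@example.com"]["password_hash"])

    # 2. Token-based reset: leaked data is useless; only the emailed token works, and only once.
    now = [1_000_000.0]
    users = make_users()
    tr = TokenReset(users, clock=lambda: now[0])
    tr.request("alice@example.com")
    results["dob_as_token_fails"] = tr.complete("1990-01-01", "attacker-pw")
    _, token = tr.outbox[-1]
    results["token_first_use"] = tr.complete(token, "fresh-pw")
    results["token_second_use"] = tr.complete(token, "again-pw")
    results["fresh_pw_works"] = verify_password("fresh-pw", users["alice@example.com"]["password_hash"])

    # 3. A token presented after its lifetime is rejected.
    tr.request("alice@example.com")
    _, token = tr.outbox[-1]
    now[0] += RESET_TTL_SECONDS + 1
    results["expired_token"] = tr.complete(token, "late-pw")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the comparison is that the hardened flow never asks the requester to prove anything they could have learned from a breach; possession of the mailbox is the factor, and the token is hashed at rest, consumed on first use and time-limited so a leak of the pending table or an old message does not reopen the account.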
Sony has commented on its takedown of the login site, stating:
“Unfortunately this also means that those who are still trying to change their password via Playstation.com or Qriocity.com will be unable to do so for the time being.”
“This is due to essential maintenance and at present it is unclear how long this will take,” Sony said, “In the meantime you will still be able to sign into PSN via your PlayStation 3 and PSP devices to connect to game services and view Trophy/Friends information.”
The PlayStation Network was originally hacked on April 18th, but the news was not released for several days as Sony assessed the nature of what information was stolen. It turned out that millions of user accounts, including names, birth dates and encrypted passwords, were stolen by the hackers. In addition, a database of credit card numbers was stolen, but Sony has reported that those were also protected by industry-standard encryption.
Sony has announced that it will be providing identity theft insurance for all users as well as a ‘welcome back’ package for PSN users that includes several free games and a month of free PlayStation Plus service. The hack was originally attributed to the hacking group Anonymous by Sony, but the group refuted those claims, saying that they had no interest in credit card theft.
The investigation into who performed the original hack is ongoing. It seems likely that this newest hack is either the same group or someone that was supplied with the birthdate and email information of users by the original hackers. This whole debacle is a terrible blow for Sony’s PlayStation brand but it also highlights the fact that our networks are not as secure as we think they are.
Update: Nyleveia has updated its posting, adding the following Q&A for those concerned about their account safety.
Q. If I already reset my password am I safe?
A. The exploit was possible on any account the email and date of birth was known for, regardless of whether the password was changed or not, or what region the account was tied to.
Q. What if they don’t know my Date of Birth or Email account?
A. Then the average user would not be able to take your account; however, due to the database being illegally accessed in April, it’s safe to assume that someone, somewhere, has access to a large number of users’ details, which include date of birth and email addresses. This alone should be reason enough to change your email.
Q. Are you sure this is real?
A. Yes, it was demonstrated on one of our empty accounts, then we were able to repeat the process ourselves after figuring out the method. This was additionally confirmed when a Twitter user provided us with his data and requested that we change his password as proof.
We have since emailed him his new password, and no other data on his account was changed.
Q. Can Sony fix it?
A. Shortly after contacting SCEE, the online forms connected to login and password recovery for the PlayStation and other linked networks were shut down and placed in a maintenance mode. I can only assume this is a direct response to our detailed reports to SCEE. With that said, I assume that when services resume the exploit will be patched and everyone’s data once again safe.
Q. If Sony fixes the hole should I worry?
A. I would suggest that everyone, regardless of whether they have been affected or not, create a new password and change their account email to one they do not use anywhere else, and will not be sharing with anyone else, just for additional security.
Q. Will you give us more details on the exploit?
A. Until we have confirmed that the security hole has been patched we will not release further details on how and why the exploit was possible.