Cathode Tan - Games, Media and Geek Stuff

Tuesday, April 26, 2011

PSN #FAIL: Yes, it is probably time to change some passwords


That the PlayStation Network has been down isn't exactly earth shattering news, but Sony just released the first real information on the outage, which started on April 20th.

It's not good. Recently, rumors came out that the outage was a response to a custom firmware hack called "Rebug", which allowed normal consoles to be identified as debug consoles, which apparently gives them all manner of access on the network, including downloading free versions of games. Sony has yet to confirm whether that was the original cause, but they have confirmed a successful intrusion into the network, which as a result has...

obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
-- Update on PlayStation Network and Qriocity

Everyone who has a PSN account should probably take the time to read that again. It's pretty significant, even if the intrusion did not successfully gain any credit card numbers. Consider this:

Many online systems now accept a valid email address as your username
Most users reuse the same password across multiple websites
Most users reuse the same security question information, when possible

And that's not adding on the truckload of personal information now open for social engineering.

It's a pretty big deal. And while I'm sympathetic to Sony that the event happened in the first place, I think waiting a whole week to notify users of the potential danger is a bit absurd. Did it take a week for Sony to realize the extent of the data theft? Or just a week to write the above update? Either way is a pretty massive fail.

If you're a person who falls under the bold behavior above, I'd recommend visiting your more sensitive online sites (banking, bill pays, mortgages, etc) and updating the password to something new. In this day and age, a good password should:

1) Not be based on personal data like birthdate, children's names, or home addresses. All of that was potentially just scooped up in this theft.

2) Be six characters in length or more. Five is still the standard used by many websites. Six is better.

3) Include at least one number, and at least one other non-alpha character like a "!", "#", etc.

4) Use a mixture of caps and non-caps.
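As an added example (not from the original post), here is a small Python checker that applies the four rules above to a candidate password. The personal data it screens against is a constructed sample, not anyone's real data; it also checks the post's rule 1 against separator-stripped variants (e.g. "19840715") since those are the forms people actually type.

```python
import re

# Constructed sample of the personal-data categories the post names
# (birthdate, a child's name, a home address). Made up for this example.
PERSONAL_DATA = {
    "birthdate": "1984-07-15",
    "child_name": "Emily",
    "street": "Maple Street",
}


def personal_tokens(personal):
    """Build the set of lowercase fragments a password must not contain."""
    tokens = set()
    for value in personal.values():
        v = value.lower()
        tokens.add(v)
        # the same value with separators removed, e.g. "19840715"
        tokens.add(re.sub(r"[\s\-/,.]", "", v))
        # individual words / number groups of at least 3 characters
        for part in re.split(r"[\s\-/,.]+", v):
            if len(part) >= 3:
                tokens.add(part)
    return tokens


def check_password(pw, personal, min_length=6):
    """Return the list of rules from the post that `pw` violates (empty = passes)."""
    failures = []
    low = pw.lower()
    # Rule 1: no personal data (birthdate, names, address fragments)
    if any(t in low for t in personal_tokens(personal)):
        failures.append("contains personal data")
    # Rule 2: at least six characters (the post's threshold; adjustable)
    if len(pw) < min_length:
        failures.append("shorter than %d characters" % min_length)
    # Rule 3: at least one digit and at least one other non-alphanumeric character
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not any(not c.isalnum() for c in pw):
        failures.append("no non-alphanumeric character")
    # Rule 4: mixed upper- and lower-case letters
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        failures.append("not mixed case")
    return failures


if __name__ == "__main__":
    for candidate in ("Emily2011!", "abc12", "Tr4ck#Lamp"):
        print(candidate, "->", check_password(candidate, PERSONAL_DATA) or "OK")
```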

I'm a pretty security aware kind of guy, and I'm honestly pretty annoyed at Sony right now. I don't entirely fall into the mold of someone who uses "password" or "12345" everywhere, but this amount of data kinda spooks me. There's certainly a level of due diligence that Sony is doing here, so I don't think we need to brace ourselves for some coming credit apocalypse ... but at the very least changing your passwords to something more secure is like calling your mother, it's always a good time to do it anyway.

Image lifted from Addicted Gamer
