In another sign of how rampant password reuse is online, Sony locked 93,000 accounts that were compromised by using password lists obtained from unknown sources.
Sony locked out 93,000 users on the PlayStation Network, Sony Entertainment Network and Sony Online Entertainment services after detecting mass log-in attempts into individual accounts.

Attackers attempted to use a list of username and password combinations obtained from an unknown source to try to access PSN, SEN and SOE accounts, Philip Reitinger, Sony's new chief information security officer (CISO), said in a statement posted on the PlayStation Blog on Oct. 11. The attack affected less than a tenth of a percent of all PSN, SEN and SOE users, and the majority of the log-in attempts failed, according to the statement.

Sony locked 93,000 accounts because the attackers managed to successfully log in to those accounts. The breakdown was approximately 60,000 PSN and SEN and 33,000 SOE accounts, and the attempts occurred between Oct. 7 and Oct. 10, according to Reitinger. Only a "small fraction" of those compromised accounts had any activity before Sony managed to lock them down, he said.

"We are currently reviewing those accounts for unauthorized access, and will provide more updates as we have them," said Reitinger, adding that even if the users had credit card numbers associated with the account, they were not at risk. The company will work with users who report unauthorized purchases made through the account.

A "large amount of data" obtained from one or more compromised user lists obtained from other companies, sites or sources was used in the attack, according to Reitinger. The fact that the "overwhelming majority" of log-in attempts failed is an indicator that the list came from an external source and not Sony, he said.
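The reasoning in the statement above, that a replayed third-party list produces a very high failure rate spread across many distinct accounts with only a handful of successes, is exactly the signal a login service can alert on. The following is an added example of that triage logic, not code from Sony or from the article: it groups login events by source address, flags sources whose success rate is low while touching many accounts, and lists the accounts that did succeed from such a source as candidates for a lock and forced password reset. The log format, the thresholds and the sample events are all constructed for the example.

```python
"""Credential-stuffing triage over login events (added example, not Sony's code).

Heuristic taken from the statement quoted in the article: a list stolen from
another site fails on the overwhelming majority of accounts, so a source with
many attempts, many distinct usernames and a low success rate is replaying an
external list, and the few accounts where it succeeded had reused passwords.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SourceStats:
    """Per-source counters accumulated from the login log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)        # distinct usernames tried
    compromised: set = field(default_factory=set)  # usernames with a successful login

    @property
    def success_rate(self) -> float:
        return 1.0 - self.failures / self.attempts if self.attempts else 0.0


def build_sample_events():
    """Constructed sample log: (timestamp, source_ip, username, outcome)."""
    events = []
    # Constructed: one source replaying a list against 50 distinct accounts,
    # succeeding on the three users who reused a password from elsewhere.
    for i in range(50):
        outcome = "success" if i in (4, 17, 33) else "fail"
        events.append((f"2011-10-07T02:{i:02d}:00", "203.0.113.7", f"user{i:03d}", outcome))
    # Constructed: a legitimate user who mistypes once, then logs in.
    events += [("2011-10-07T08:00:00", "198.51.100.20", "bob", "fail"),
               ("2011-10-07T08:00:30", "198.51.100.20", "bob", "success")]
    # Constructed: a shared NAT address used by several real users, all successful.
    for j, user in enumerate(["carol", "dave", "erin", "frank"]):
        events.append((f"2011-10-07T09:{j:02d}:00", "192.0.2.50", user, "success"))
    return events


def analyze(events, min_attempts=20, min_distinct_users=10, max_success_rate=0.10):
    """Return {source_ip: SourceStats} for sources that look like list replay.

    Thresholds are assumptions for the example; tune them to the service's
    normal traffic so that shared addresses (offices, carrier NAT) stay clear.
    """
    stats = defaultdict(SourceStats)
    for _ts, ip, user, outcome in events:
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if outcome == "fail":
            s.failures += 1
        else:
            s.compromised.add(user)

    return {
        ip: s for ip, s in stats.items()
        if s.attempts >= min_attempts
        and len(s.users) >= min_distinct_users
        and s.success_rate <= max_success_rate
    }


def accounts_to_lock(suspicious):
    """Accounts that saw a successful login from a flagged source.

    These are the accounts to lock and push through a password reset, which is
    the response the article describes Sony taking.
    """
    names = set()
    for s in suspicious.values():
        names |= s.compromised
    return sorted(names)


if __name__ == "__main__":
    flagged = analyze(build_sample_events())
    for ip, s in flagged.items():
        print(f"{ip}: {s.attempts} attempts, {len(s.users)} accounts, "
              f"success rate {s.success_rate:.0%}")
    print("lock and reset:", accounts_to_lock(flagged))
```

The same counters also support the inverse inference the statement relies on: a source whose success rate is high across many distinct accounts is not replaying someone else's list, and that pattern should be escalated as a possible first-party credential leak rather than handled as routine stuffing.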
Considering the amount of username and password information that has been dumped this year alone, there are a lot of lists available for criminals looking for them. Analysis of password information stolen and leaked from sites like Gawker has shown that password reuse is rampant and a big security issue for online services.

Attackers are simply working on the assumption that people typically use and reuse the same account names and passwords across multiple personal online accounts, according to Geoff Webb, senior product marketing manager at Credant Technologies. Considering that Sony had to lock down 93,000 accounts, it appears that it "was a good assumption to make," Webb told eWEEK.

Even though Sony has clearly reacted quickly to stop this potential breach, users may simply see the incident as yet another Sony problem without stopping to consider who may be to blame, Webb said. "That makes it a no-win situation for Sony," he added.

Sony has reached out to affected users to prompt them to reset their passwords, according to Reitinger, who reminded users never to select a username-password combination that is associated with other online services or sites.

"We encourage you to choose unique, hard-to-guess passwords and always look for unusual activity in your account," Reitinger said.

In April, unknown attackers breached Sony's Qriocity video and music service, PlayStation Network and Sony Online Entertainment and stole information from more than 100 million accounts. The company shut down the services for over a month and a half to rebuild the systems and came under fierce criticism for security gaps, such as not having a CISO and not running updated software on the servers. Smaller attack groups also capitalized on Sony's woes, attacking and dumping data from other Sony properties in May.

As more and more content and services move online, the number of digital identities that consumers need to manage keeps growing, but identity management hasn't kept up, according to Webb. The industry still relies on a username and a password, a "paradigm created in the 1950s," which is a "terrible way to authenticate," Webb said.

"We're stuck with it because, for now at least, it's cheap and well-understood by users and developers," said Webb.