Attackers Compromise 93,000 Sony Accounts Using Passwords From Other Sites

In another sign of how rampant password reuse is online, Sony locked 93,000 accounts that were compromised by using password lists obtained from unknown sources.

Sony locked out 93,000 users on the PlayStation Network, Sony Entertainment Network and Sony Online Entertainment services after detecting mass log-in attempts into individual accounts.

Attackers attempted to use a list of username and password combinations obtained from an unknown source to try to access PSN, SEN and SOE accounts, Philip Reitinger, Sony's new chief information security officer (CISO), said in a statement posted on the PlayStation Blog on Oct. 11. The attack affected less than a tenth of a percent of all PSN, SEN and SOE users, and the majority of the log-in attempts failed, according to the statement.

Sony locked 93,000 accounts because the attackers managed to successfully log in to those accounts. The breakdown was approximately 60,000 PSN and SEN and 33,000 SOE accounts, and the attempts occurred between Oct. 7 and Oct. 10, according to Reitinger. Only a "small fraction" of those compromised accounts had any activity before Sony managed to lock them down, he said.

"We are currently reviewing those accounts for unauthorized access, and will provide more updates as we have them," said Reitinger, adding that even if the users had credit card numbers associated with the account, they were not at risk. The company will work with users who report unauthorized purchases made through the account.

A "large amount of data" obtained from one or more compromised user lists obtained from other companies, sites or sources was used in the attack, according to Reitinger. The fact that the "overwhelming majority" of log-in attempts failed is an indicator that the list came from an external source and not Sony, he said.

Considering the amount of username and password information that has been dumped this year alone, there are a lot of lists available for criminals looking for them. Analysis on password information stolen and leaked from sites like Gawker has shown that password reuse is rampant and a big security issue for online services.

Attackers are simply working on the assumption that people typically use and reuse the same account names and passwords across multiple personal online accounts, according to Geoff Webb, senior product marketing manager at Credant Technologies. Considering that Sony had to lock down 93,000 accounts, it appears that it "was a good assumption to make," Webb told eWEEK.

Even though Sony has clearly reacted quickly to stop this potential breach, users may simply see the incident as yet another Sony problem without stopping to consider who may be to blame, Webb said. "That makes it a no-win situation for Sony," he added.

Sony has reached out to affected users to prompt them to reset their passwords, according to Reitinger, who reminded users never to select a username-password combination that is associated with other online services or sites.

"We encourage you to choose unique, hard-to-guess passwords and always look for unusual activity in your account," Reitinger said.

In April, unknown attackers breached Sony's Qriocity video and music service, PlayStation Network and Sony Online Entertainment and stole information from more than 100 million accounts. The company shut down the services for over a month and a half to rebuild the systems and came under fierce criticism for security gaps, such as not having a CISO and not running updated software on the servers. Smaller attack groups also capitalized on Sony's woes, attacking and dumping data from other Sony properties in May.

As more and more content and services move online, the number of digital identities that consumers need to manage keeps growing, but identity management hasn't kept up, according to Webb. The industry still relies on a username and a password, a "paradigm created in the 1950s," which is a "terrible way to authenticate," Webb said.

"We're stuck with it because, for now at least, it's cheap and well-understood by users and developers," said Webb.