User data stolen in Sony PlayStation Network hack attack

Poorly secured system to remain offline

Sony is warning its millions of PlayStation Network (PSN) users to watch out for identity-theft scams after hackers breached its security and plundered the user names, passwords, addresses, birth dates, and other information used to register accounts.

The stolen information may also include payment-card data, purchase history, billing addresses, and security answers used to change passwords, Sony said on Tuesday. The company plans to keep the hacked system offline for the time being, and to restore services gradually. The advisory also applies to users of Sony's related Qriocity network.

Sony's stunning admission came six days after the PlayStation Network was taken down following what the company described as an “external intrusion”.

Sony had already come under fire for a copyright lawsuit targeting customers who published instructions for unlocking the game console so it could run games and applications not officially sanctioned by the company. The criticism only grew after Sony lawyers sought detailed records belonging to hacker George Hotz, including the IP addresses of everyone who visited his jailbreaking website over a span of 26 months.

Hackers howled with displeasure saying they should have a right to modify the hardware they legally own. Sony recently settled that case, but Hotz, whose hacker moniker is GeoHot, has remained highly critical of the company. Many have also objected to the removal of the so-called OtherOS, which allowed PlayStation 3 consoles to run Linux.

Sony's advisory on Tuesday means that the company was likely storing passwords, credit card numbers, expiration dates, and other sensitive information unhashed and unencrypted on its servers. Sony didn't say if its website complied with data-security standards established by the Payment Card Industry.

Sony reminded users located in the US that they're entitled to receive one credit report per year from each of the three major credit bureaus. The company didn't offer to pay for any sort of credit monitoring service to help ensure the information it lost isn't used in identity-theft ruses against its users.

“When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password,” advises a letter that Sony is sending to its users.

Of course, that suggestion assumes users continue to trust Sony to safeguard their information and stand behind assurances that the PlayStation Network is secure, and at the moment there's little evidence to support that assumption. ®

Sponsored: Network DDoS protection