PlayStation 3 owners in the audience will likely have noticed an inability to connect to the PlayStation Network (PSN) over the past week, though Sony today made an announcement revealing that things are much worse than a week without access to online multiplayer gaming. At some stage between the 17th and 19th of April, a hacker gained access to Sony's systems. Sony believes the hacker was able to retrieve the personal information of 77 million PSN accounts, and says it is possible that credit card details were also retrieved.
Before we delve further into the story, I want to highlight one important lesson I hope everyone learns from this incident: you should not use the same password for multiple online services. If you have a PSN account with the same password as other services, I hope you've already stopped reading and started changing your passwords.
Sony made the announcement on the 26th – a full week after learning of the intrusion – though it is plausible it took the external forensic team this long to determine the personal information had been retrieved, given the Easter break.
A post over at Reddit by a member of the PS3 hacking scene highlights a series of recent hacking milestones, and presents a theory that Sony turned off the PSN to prevent users of custom firmware (CFW) from using a recently discovered method of pirating PSN content. While this is likely not the case given Sony's admission of the leaked personal information, it's still worth noting the claim that CFW users (the first of which was released in January this year) have had access to the Sony developer network "the whole time", and that the developer network inherently trusted all connected clients – a massive no-no in client/server architecture and most certainly a potential attack vector.
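To make the "inherently trusted all connected clients" point concrete, here is an added illustration (not code from the article, Sony, or the Reddit post) of the two authorisation patterns: a server that believes a role the client declares about itself, beside one that decides from its own registry of provisioned clients and a proof that the caller holds that client's secret. The client identifiers, secrets and request layout are constructed for the example; a real deployment would use per-device client certificates or equivalent rather than an in-memory dict.

```python
"""
Added illustration: trusting a client-supplied claim versus deciding
server-side. Everything here is constructed sample data.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed server-side registry: client identities that are allowed to
# reach the developer-only service, with the secret provisioned to each.
REGISTERED_DEV_CLIENTS = {
    "devkit-0001": b"secret-for-devkit-0001",
}


@dataclass
class Request:
    client_id: str
    headers: dict
    body: bytes
    mac: bytes  # HMAC-SHA256 over body, keyed with the client's provisioned secret


def sign(secret: bytes, body: bytes) -> bytes:
    """Client side: prove possession of the provisioned secret."""
    return hmac.new(secret, body, hashlib.sha256).digest()


def naive_authorize(req: Request) -> bool:
    """The weak pattern: believe whatever role the client declares."""
    return req.headers.get("X-Client-Role") == "developer"


def server_side_authorize(req: Request) -> bool:
    """The sound pattern: the self-declared role is ignored; access depends on
    server-held state (is this client registered?) plus a proof of possession
    of that client's secret over the actual request body."""
    secret = REGISTERED_DEV_CLIENTS.get(req.client_id)
    if secret is None:
        return False
    expected = hmac.new(secret, req.body, hashlib.sha256).digest()
    # Constant-time comparison so MAC checking does not leak via timing.
    return hmac.compare_digest(expected, req.mac)


# Constructed requests.
BODY = b"GET /dev/content"

# A genuinely provisioned development client.
legit = Request("devkit-0001", {"X-Client-Role": "developer"}, BODY,
                sign(REGISTERED_DEV_CLIENTS["devkit-0001"], BODY))

# An unregistered console that merely asserts the developer role.
spoofed = Request("retail-9999", {"X-Client-Role": "developer"}, BODY,
                  sign(b"not-the-real-secret", BODY))

# The legitimate client's MAC replayed over a different body.
tampered = Request("devkit-0001", {"X-Client-Role": "developer"},
                   b"GET /dev/other", legit.mac)


def summary() -> dict:
    """Return both decisions for each constructed request."""
    return {
        name: (naive_authorize(r), server_side_authorize(r))
        for name, r in (("legit", legit), ("spoofed", spoofed), ("tampered", tampered))
    }


if __name__ == "__main__":
    for name, (naive, sound) in summary().items():
        print(f"{name:9s} naive={naive!s:5s} server_side={sound}")
```

The naive check lets every request through because the only input it examines is one the client controls; the server-side check admits only the registered client, and only for the body it actually signed.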
Marsh Ray has blogged a theoretical worst-case scenario, where hackers manage to fool some percentage of the 50 million PS3 owners out there into installing a firmware that grants back-door access to the PS3. The resultant botnet could be used to eat modern cryptography for breakfast or, far more plausibly, distributed denial-of-service attacks.
Hacktivist group Anonymous has denied responsibility for the attack, which raises the important question as to who has motive. Is this retribution against Sony for the prosecution of PS3 hackers fail0verflow and George Hotz? Or is it an organized crime group who can capitalize on the biographical information of 77 million people?
We suspect there will be more questions than answers for a long time, if not forever. In the meantime, we suggest disconnecting your PS3 from your network and keeping a close eye on your credit card statements.