Sony Online Entertainment was taken offline today, and the company warned users that their personal data may have been stolen as part of the computer attack that exposed the information of as many as 77 million PlayStation Network accounts two weeks ago.
The message displayed today on the Sony Online Entertainment website, which was taken offline. (Credit: Sony)
Earlier today, the SOE site, a multiplayer online gaming service used to host Sony's massively multiplayer online role-playing games (MMORPGs) such as EverQuest and DC Universe, said "SOE MAINTENANCE In Progress," followed by a message: "Dear Valued SOE Customers, We have had to take the SOE service down temporarily. In the course of our investigation into the intrusion into our systems we have discovered an issue that warrants enough concern for us to take the service down effective immediately. We will provide an update later today (Monday). We apologise for any inconvenience and greatly appreciate your patience."
In an updated announcement this afternoon, the company said that during its investigation into the PlayStation Network breach, it discovered that attackers may have also obtained Sony Online Entertainment customer names, addresses, email addresses, gender, birth dates, phone numbers, log-in names and hashed passwords.
"The information was discovered less than 24 hours ago and in response, we took down our services until we could verify their security," Sony said.
In addition, credit and debit card numbers and expiration dates (but not credit card security codes) for about 12,700 non-US customers that were in an "outdated" database from 2007, and about 10,700 direct debit records listing bank account numbers of customers in Germany, Austria, the Netherlands and Spain may have been stolen, the statement said.
"There is no evidence that our main credit card database was compromised," the company said. "It is in a completely separate and secured environment. We had previously believed that SOE customer data had not been obtained in the cyber-attacks on the company, but on May 1st we concluded that SOE account information may have been stolen and we are notifying you as soon as possible."
Also today, Sony said that the credit card numbers that were potentially exposed in the PlayStation Network breach between 17 April and 19 April were encrypted, but passwords were obscured with a weaker hash algorithm.
"While the passwords that were stored were not 'encrypted', they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said that the passwords had not been encrypted," the company said in a blog post. "But I want to be very clear that the passwords were not stored in our database in cleartext form. For a description of the difference between encryption and hashing, follow this link."
A Sony spokesman said that he did not know exactly how the financial information stored by Sony Online Entertainment was protected, but would try to find out.
Sony warned customers on 26 April that their personal information, including names, addresses, e-mail addresses, birthdays, PlayStation Network and Qriocity passwords and usernames, as well as online user handles, had been obtained illegally by an "unauthorised person." The company has said repeatedly that there is no evidence that credit card information was stolen.
Kazuo Hirai, chairman of Sony Computer Entertainment, held a news conference over the weekend where he apologised for the breach and said that the company would provide an identity theft protection service and "will consider" helping customers who have to be issued new credit cards. Only 10 million of the accounts had credit cards associated with them, he said. Sony has not provided more details on how the breach occurred. Services, which have kept PlayStation customers from playing games online and other customers from being able to stream movies since 20 April, are expected to be restored within the week, Hirai said.