No, Sony Wasn’t Hacked, but They Were Mass-Attacked
By Matt Peckham
It may be tempting to call any illicit online behavior a “hack,” and it’s certainly part of attracting clicks, but in actuality, this story circulating about Sony being hacked gets the most critical detail dead wrong.
Sony admitted in an official PlayStation blog post last night that it had “detected attempts on Sony Entertainment Network, PlayStation Network and Sony Online Entertainment…services to test a massive set of sign-in IDs and passwords against our network database.” The IDs and passwords probably came from a “one or more compromised lists from other companies, sites or other sources.”
Note what’s absent from that statement, and not because Sony’s spinning. Trying user names and passwords—en masse or no—isn’t a hack, or if that’s what we’re calling a “hack” these days, the word’s lost all meaning.
But no, it really hasn’t. A hack involves gaining unauthorized access to data in a system. Unless Sony’s not telling us something, it sounds like all these folks gained (fleeting) access to was the purchase power of a relatively small number of Sony online accounts.
Sony says that since “the overwhelming majority of the pairs resulted in failed matching attempts, it is likely the data came from another source and not from our Networks,” adding that it’s “taken steps to mitigate the activity.” And mitigate—perhaps by way of IP blocking, or attempting to secure a copy of the list to safeguard potential affected accounts—is all you can really do here. The only way to firewall a system from someone trying an ID or password that might not be theirs would be to disable logins for everyone. Sony’s real firewall exists between those online accounts and its backend services.
What’s more, Sony claims “Less than one tenth of one percent (0.1%) of our PSN, SEN and SOE audience may have been affected.” The company then breaks that down by numbers, admitting there were about 93,000 accounts globally (about 60,000 PSN and SEN, about 33,000 SOE) in which the login attempts succeeded, but the company’s already locked those accounts. And of those 93,000, “Only a small fraction…showed additional activity prior to being locked.”
Sony adds that anyone with credit card info on file is safe, that it’ll work with anyone who finds their account was used to make unauthorized purchases, and that you’ll know you’re among the affected if you receive an email from Sony prompting you to reset your password.
Again, the semantics matter here. Had Sony been truly hacked, we’d be talking about another dismaying flaw in their cybersecurity setup. Instead, we’re talking about the fallout from a prior attack, in which hackers seized and reportedly released Sony user account-related information.