“We temporarily took down the PSN and Qriocity password reset page,” wrote Seybold, quickly adding “Contrary to some reports, there was no hack involved.”
The “exploit” involved the PSN web-based password reset page, where whistleblower Nyleveia claimed anyone could change someone else’s password using their PSN account email and date of birth, both details possibly (though this is unconfirmed) obtained by hackers in the original mid-April PSN breach.
Seybold seemed to confirm this as well: “In the process of resetting of passwords there was a URL exploit that we have subsequently fixed.”
“Consumers who haven’t reset their passwords for PSN are still encouraged to do so directly on their PS3,” said Seybold. “Otherwise, they can continue to do so via the website as soon as we bring that site back up.”
The login page was still down Thursday morning.
A hack is technically defined as “use [of] a computer to gain unauthorized access to data in a system,” whereas an exploit isn’t formally defined in computer terms, but means to “make full use of and derive benefit from (a resource).” It’s splitting hairs to call the PSN password reset issue one or the other, but as I noted yesterday, “hacking” usually involves breaking into something, whereas “exploiting” involves using some preexisting deficiency to gain an advantage from a broken or vulnerable process (as opposed to flat-out breaking into a system).
So yes, Sony was hacked. Or exploited. Or both, depending on your stance. All that matters to PlayStation gamers, I’m betting, is that the vulnerability was patched quickly: if we go with Nyleveia’s version of events, within 15 minutes of notification. That’s not such a bad thing as reaction times go, and it’s also important to bear in mind that Sony is under unprecedented levels of scrutiny, so any little slip that might otherwise receive passing notice ends up hyper-magnified.