PlayStation Websites Exploited, Hackers Use Previously Stolen Information (Update)

UPDATE: Sony’s senior corporate communications director, Patrick Seybold, has commented on the exploit issue via the PlayStation Blog.

“We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed,” Seybold writes. “Consumers who haven’t reset their passwords for PSN are still encouraged to do so directly on their PS3. Otherwise, they can continue to do so via the website as soon as we bring that site back up.”

So, no “hack,” but there was an exploit; seems like a matter of semantics to me. As of this writing, the web-based network login is still “down for maintenance.”

ORIGINAL STORY: Well, it looks like the hackers are not quite done with Sony, just yet. Sign-in capabilities on PlayStation websites has been disabled, and according to Eurogamer, this isn’t just routine maintenance. The site claims to have seen video evidence that an exploit has been discovered which allows anyone with a PlayStation Network user’s associated email address and birth date to take over the account; the exact same information compromised during last month’s data breach.

Eurogamer apparently watched the demonstration via Nyleveia, wherein a user was able to gain access to a PlayStation Network account, merely by having possession of an email address and birth date. The site has refused to elaborate on how exactly the exploit works – for obvious reasons – but after contacting Sony, all web-based login forms have been placed into “maintenance mode.” While it’s still possible to login through your console, those looking to change their password via emails sent out from Sony will be unable to do so, for the moment.

This possible account exploit comes only days after Sony began rolling out PlayStation Network and Qriocity services, following an external attack that left user data – including credit card information – vulnerable. The company had previously stated it planned to have all services restored by May 31.

Attempting to login to currently brings up a “site maintenance notice,” and urges users to “try again later.”

“A lot of people are saying that we should not have posted this information and simply contacted Sony, and you’re right in thinking this, however we contacted SCEE as soon as we had confirmed that the exploit was in fact real,” the Nyleveia post reads, “The problem was that at the time there was a good 8-9 hour stretch where SCEE would not see our messages and given the rate at which the exploit method was spreading in the dark corners of the internet, we felt as though we needed to publicize the exploit advising users to change the emails used for their PSN accounts…”

Hopefully, this is just a matter of Sony easily fixing an error, but one has to question how something like this happens after recent events. How does Sony, after spending a ludicrous amount of money on three security firms, purchasing user identity theft insurance, and losing nearly a month of lost profits, allow something as simple as knowing the STOLEN email addresses and birth dates of its users to slip through? Clearly, we don’t yet know the extent of the issue, or precisely what happened, but we’ll be sure to update you with any clarification.

In the meantime, think about possibly creating a separate email — just for PlayStation use — and using it when changing your account password.