Skip to main content

Sony Online Entertainment breached: 'outdated database' included 24.6 million accounts, thousands of non-US credit cards

Sony Online Entertainment breached: 'outdated database' included 24.6 million accounts, thousands of non-US credit cards

Share this story

When it rains, it pours. Sony Online Entertainment has revealed that it, too, has fallen victim to the same cyber attack that hit PlayStation Network. Go on, take a second to let that sink in.

According to the official press statement, an "outdated database" from 2007 was hit on April 16th and 17th, with the hackers in question gaining access to 24.6 million SOE accounts (US and international), 12,700 non-US credit cards, and 10,700 direct deposit record (read: bank information) from customers in Austria, Germany, Netherlands and Spain. I've independently confirmed with SOE that no US credit card or banking information was located on the database.

The account information includes much what you'd expect (and wish wasn't so): name, address, email, birthdate, gender, phone number, login, and hashed password. The 10,7000 direct deposit record are particularly worrisome, as they include bank account number, account name, customer name and customer address.

I reached out to SOE, who explicitly told me that this was not a second attack, that this shutdown of services is related to the ongoing investigation of the April intrusion that hit PSN to the tune of 77 million accounts. The company is offering 30 days of additional time on subscriptions in addition to compensating one day for each day the system is down. More information on a "make good" plan for the PlayStation 3 MMOs will be announced this week. The company will also assist in helping customers enroll in identify theft protection services — more details to follow.

Press release is below. And... sigh.



Breach Believed to Stem From Initial Criminal Hack of SOE

Tokyo, May 3, 2011 – Sony Corporation and Sony Computer Entertainment announced today that their ongoing investigation of illegal intrusions into Sony Online Entertainment LLC (SOE, the company) systems revealed yesterday morning (May 2, Tokyo time) that hackers may have stolen SOE customer information on April 16th and 17th, 2011 (PDT). SOE is based in San Diego, California, U.S.A.

This information, which was discovered by engineers and security consultants reviewing SOE systems, showed that personal information from approximately 24.6 million SOE accounts may have been stolen, as well as certain information from an outdated database from 2007. The information from the outdated database that may have been stolen includes approximately 12,700 non-U.S. credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, Netherlands and Spain.

With the current outage of the PlayStation® Network and Qriocity™ services and the ongoing investigation into the recent attacks, SOE had also undertaken an intensive investigation into its system. Upon discovery of this additional information, the company promptly shut down all servers related to SOE services while continuing to review and upgrade all of its online security systems in the face of these unprecedented cyber-attacks.

On May 1, Sony apologized to its customers for the inconvenience caused by its network services outages. The company is working with the FBI and continuing its own full investigation while working to restore all services.

Sony is making this disclosure as quickly as possible after the discovery of the theft, and the company has posted information on its website and will send e-mails to all consumers whose data may have been stolen.

The personal information of the approximately 24.6 million SOE accounts that was illegally obtained, to the extent it had been provided to SOE, is as follows:
· name
· address
· e-mail address
· birthdate
· gender
· phone number
· login name
· hashed password.

In addition to the information above, the 10,700 direct debit records from accounts in Austria, Germany, Netherlands and Spain, include:
· bank account number
· customer name
· account name
· customer address.

SOE will grant customers 30 days of additional time on their subscriptions, in addition to compensating them one day for each day the system is down. It is also in the process of outlining a "make good" plan for its PlayStation®3 MMOs (DC Universe Online and Free Realms). More information will be released this week.

Additionally, the company is committed to helping its customers protect their personal data and will provide a complimentary offering to assist users in enrolling in identity theft protection services and/or similar programs. The implementation will be at a local level and further details will be made available shortly in each region.

Sony Online Entertainment LLC (SOE) has been a recognized worldwide leader in massively multiplayer online games since 1999. Best known for its blockbuster hits and franchises, including EverQuest®, EverQuest® II, Champions of Norrath®, PlanetSide®, Free Realms®, Clone Wars Adventures™, and DC Universe Online™, SOE creates, develops and provides compelling online entertainment for virtually all platforms, including the PlayStation®3 Computer Entertainment System, Personal Computer, mobile and social networks. SOE is building on its proven legacy and pioneering the future of the interactive entertainment space through creative development and inspired gameplay design for audiences of all ages. To learn more, visit