The Sony hack: passwords vs. financial details

The details are coming out about yet another data breach, this time at Sony’s PlayStation Network. Light Blue Touchpaper has the details. (excerpts below, with my emphasis)

Sometime last week, Sony discovered that up to 77 M accounts on its PlayStation Network were compromised. Sony’s network was down for a week before they finally disclosed details yesterday. Unusually, there haven’t yet been any credible claims of responsibility for the hack, so we can only go on Sony’s official statements. The breach included names and addresses, passwords, and answers to personal knowledge questions, and possibly payment details.

… regarding the leaked passwords. The risks here are very real—hackers can attempt to re-use the compromised passwords (possibly after inverting hashes using brute-force) at many other websites, including financial ones. There are no disclosure laws here though, and Sony has done nothing, not even disclosing the key technical details of how passwords were stored. The implications are very different if the passwords were stored in cleartext, hashed in a constant manner, or properly hashed and salted. Sony customers ought to know what really happened.

…this is a serious market failure. Sony’s security breach has potentially compromised passwords at hundreds of other sites where its users re-use the same password and email address as credentials. This is a significant externality, but Sony bears no legal responsibility, and it shows.

This is yet another example of why reusing passwords, and perhaps even user IDs, is a bad idea. In this case, part of the exposed data includes the answers to all those secret questions – you know, the top-secret ones that give you a free give-me-a-new-password pass?
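The excerpt above says the implications differ depending on whether Sony stored passwords in cleartext, hashed "in a constant manner", or properly hashed and salted, and the paragraph just above adds that secret-question answers were exposed too. The following is an added illustration (my own example code, not anything from Sony or from the Light Blue Touchpaper post) of what that difference looks like in a user table: the two sample accounts and their values are constructed, and the "secret answer" field is treated the same way as a password, since a leaked answer is just a low-entropy password with a reset form attached.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts: two customers who happened to choose the
# same password and the same "mother's name" answer. Nothing here is real data.
USERS = {
    "alice@example.invalid": {"password": "kermit1955", "secret_answer": "Kermit the Frog"},
    "bob@example.invalid":   {"password": "kermit1955", "secret_answer": "kermit the frog "},
}


def store_cleartext(secret: str) -> str:
    """Worst case: the database row holds the secret itself."""
    return secret


def store_constant_hash(secret: str) -> str:
    """'Hashed in a constant manner': one unsalted SHA-256 per secret.
    Equal inputs give equal outputs, so one precomputed table of common
    passwords covers every account in the dump at once."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def store_salted(secret: str, iterations: int = 200_000) -> str:
    """Per-record random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    Stored as 'iterations$salt_hex$digest_hex' so verification can reproduce it.
    Equal inputs now produce different rows, and each guess costs `iterations` work."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_salted(secret: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", secret.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def normalise_answer(answer: str) -> str:
    """Secret-question answers are entered free-form; fold case and whitespace
    so the user can still pass the check, then store them like a password."""
    return " ".join(answer.lower().split())


def duplicate_groups(stored_values) -> int:
    """Count stored values that appear for more than one account. Under cleartext
    or constant hashing, shared secrets are visible as identical rows in the dump."""
    return sum(1 for count in Counter(stored_values).values() if count > 1)


def compare_schemes(users=USERS) -> dict:
    """For each storage scheme, how many shared-value groups the leaked table reveals
    in the password column and in the secret-answer column."""
    schemes = {
        "cleartext": store_cleartext,
        "constant_hash": store_constant_hash,
        "salted": store_salted,
    }
    report = {}
    for name, store in schemes.items():
        passwords = [store(u["password"]) for u in users.values()]
        answers = [store(normalise_answer(u["secret_answer"])) for u in users.values()]
        report[name] = {
            "passwords": duplicate_groups(passwords),
            "answers": duplicate_groups(answers),
        }
    return report


if __name__ == "__main__":
    for scheme, counts in compare_schemes().items():
        print(f"{scheme:14s} shared password groups: {counts['passwords']}  "
              f"shared answer groups: {counts['answers']}")
    row = store_salted("kermit1955")
    print("verify correct:", verify_salted("kermit1955", row))
    print("verify wrong:  ", verify_salted("Kermit1955", row))
```

Running it shows one shared group in each column under cleartext and constant hashing, and none under salting; the salted row for the same password also differs every time it is generated. That is the whole difference the excerpt is asking Sony to disclose: with an unsalted constant hash a dump is one lookup table away from plaintext for every common password, while salt plus a slow KDF forces per-account work and removes the "these 50,000 users share a password" signal.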

You all know I’m a little paranoid online. My mom is Kermit the Frog.
