Sony has confirmed that a fresh attack on its networks has impacted 93,000 accounts.
According to a statement by Sony CISO Philip Reitinger, the company detected attempts on its Sony Entertainment Network (SEN), PlayStation Network (PSN) and Sony Online Entertainment (SOE) services to test a massive set of identities and passwords against its network database.
He said the attempts appeared to include data obtained "from one or more compromised lists from other companies, sites or other sources". Due to this, Sony determined that "the overwhelming majority of the pairs resulted in failed matching attempts; it is likely the data came from another source and not from our networks".
Reitinger said that less than one per cent of the network's users may have been affected. Their accounts have been temporarily locked and, as a preventative measure, Sony is requiring secure password resets for the PSN and SEN accounts where both the sign-in ID and password matched. Those affected will receive an email prompting them to reset their password.
Reitinger said: “Only a small fraction of these 93,000 accounts showed additional activity prior to being locked. We are currently reviewing those accounts for unauthorised access and will provide more updates as we have them.
“Please note, if you have a credit card associated with your account, your credit card number is not at risk. We will work with any users who we confirm have had unauthorised purchases made to restore amounts in the PSN/SEN or SOE wallet.”
He also confirmed that SOE accounts that were matched have been temporarily turned off.
“We want to take this opportunity to remind our consumers about the increasingly common threat of fraudulent activity online, as well as the importance of having a strong password and having a username/password combination that is not associated with other online services or sites. We encourage you to choose unique, hard-to-guess passwords and always look for unusual activity in your account,” he said.
Graham Cluley, senior technology consultant at Sophos, said the only silver lining for Sony is that this breach appears to be much smaller in scale than the attacks that hit it earlier this year. He added that hackers gained access to the Sony accounts by working through a large database of stolen usernames and passwords, which are believed to have been sourced from somewhere else.
“That suggests that the accounts which were broken into were using a non-unique password. In other words, you were using the same password on the Sony PlayStation Network as you were on website X,” he said.
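The pattern Sony describes, a large list of sign-in ID and password pairs replayed with the overwhelming majority failing, can be picked out of authentication logs, and the accounts where a pair did match are the ones to lock and reset. The sketch below is an added example, not Sony's code: the event format, the grouping by source address and the thresholds are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events (source, sign-in ID, outcome); not real Sony data.
SAMPLE_EVENTS = (
    [("203.0.113.7", f"user{i:03d}", "fail") for i in range(40)]
    + [("203.0.113.7", "alice", "ok"), ("203.0.113.7", "bob", "ok")]
    + [("198.51.100.5", "carol", "fail"), ("198.51.100.5", "carol", "ok")]
    + [("192.0.2.9", "dave", "ok")]
)

def find_stuffing_sources(events, min_accounts=20, max_success_rate=0.10):
    """Return {source: stats} for sources that try many distinct sign-in IDs
    and mostly fail, the pattern of a replayed third-party credential list.
    Thresholds are hypothetical and need tuning against real traffic."""
    tried = defaultdict(set)     # source -> sign-in IDs attempted
    matched = defaultdict(set)   # source -> sign-in IDs where the pair matched
    for source, account, outcome in events:
        tried[source].add(account)
        if outcome == "ok":
            matched[source].add(account)
    flagged = {}
    for source, accounts in tried.items():
        rate = len(matched[source]) / len(accounts)
        # A user mistyping a password touches one account; a list replay
        # touches many accounts and succeeds on only a small fraction.
        if len(accounts) >= min_accounts and rate <= max_success_rate:
            flagged[source] = {"tried": len(accounts), "success_rate": rate,
                               "matched": sorted(matched[source])}
    return flagged

def accounts_to_lock(events, **thresholds):
    """Accounts whose ID and password both matched during a flagged campaign:
    lock them and force a password reset."""
    flagged = find_stuffing_sources(events, **thresholds)
    return sorted({a for s in flagged.values() for a in s["matched"]})

if __name__ == "__main__":
    for source, stats in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(source, stats["tried"], f"{stats['success_rate']:.1%}")
    print("lock and reset:", accounts_to_lock(SAMPLE_EVENTS))
```

A campaign spread across many source addresses would not cross a per-source threshold, so the same counts would need to be aggregated over a wider key such as a time window.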