Want CNET to notify you of price drops and the latest stories?

The PlayStation Network breach (FAQ)

A rundown of what we know so far: how PSN got hacked, what Sony is doing about it, whether credit cards were stolen, and how the company is trying to regain the trust of its customers.

Erica Ogg Former Staff writer, CNET News
Erica Ogg is a CNET News reporter who covers Apple, HP, Dell, and other PC makers, as well as the consumer electronics industry. She's also one of the hosts of CNET News' Daily Podcast. In her non-work life, she's a history geek, a loyal Dodgers fan, and a mac-and-cheese connoisseur.
Erica Ogg
5 min read

It's been a roller coaster of a couple of weeks for Sony and its customers.

At first what seemed like an embarrassing network outage that kept customers from accessing PlayStation Network, Sony's online game play and streaming video service, turned out to be much worse: a sophisticated cyberattack made off with the customer data of 77 million PSN and Qriocity customers.

PlayStation Network breach

Sony wasn't very forthcoming with information at first--it was a couple days before it acknowledged why PSN was offline, and two days after that it confirmed the security breach. Then over the weekend, the No. 2 guy at Sony, Kazuo Hirai, took the stage at a hastily organized press conference in Tokyo to try to explain what led to the attack, what exactly was stolen in the intrusion on its network, and how Sony plans to compensate its customers.

And then just when it seemed Sony was on its way to start recovering from the debacle, more bad news hit: Sony said yesterday the same breach that compromised PSN and Qriocity customer information extends to Sony Online Entertainment customers too. Information about subscribers to the multiplayer online game service--names, addresses, e-mail, genders, birthdates, phone numbers, usernames, and passwords--was exposed, as was an "outdated" database of credit cards from 12,700 non-U.S. customers as part of the same intrusion on its network two weeks ago, Sony said in a statement.

Related links
Sony Online Entertainment data may have been stolen
Five questions for Sony about PSN breach
Sony to restore PSN services, compensate customers

Is the news about SOE where this story ends? Sony swears that its main credit card database wasn't compromised since it's separate from servers running PSN, Qriocity, and SOE. But the company's investigation into the breach continues, and it's possible there's still more to come.

In the meantime, we've pulled together all the available information about the attack and its fallout from the last two weeks and put it here. We'll update this FAQ as we find out more.

When will PlayStation Network and Qriocity be back online?
We don't know an exact day, but on Saturday night Sony said most PSN and Qriocity services will be available again "this week." On Tuesday, when it announced the breach, the company said services would be restored "within the week," which suggested Tuesday this week at the latest.

But even when Sony does flip the switch, not all services will be restored right away.

What will be available first: online game play for PS3 and PSP, watching downloaded movies and other unexpired rental content, Music Unlimited by Qriocity, friends lists, chat functionality, and PlayStation Home.

Most importantly, customers will finally be able to reset their password and manage their accounts.

How did the attack against PSN go down?
Between April 17 and 19, a so-far unnamed person illegally gained access to Sony's PSN servers in San Diego, Calif., by hacking into an application server behind a Web server and two firewalls. According to Sony Chief Information Officer Shinji Hajesima, the attack was disguised as a purchase, so it did not immediately raise any red flags. The vulnerability the attacker was able to exploit was known, according to Sony.

Sony flagged the attack on April 19 and on April 20 shut down PSN as well as Qriocity. The company hired security experts and contacted the FBI to investigate the exploit and find out what took place. Sony says it didn't actually learn for certain that personal information was exposed until April 25.

Sony described the attack as "very sophisticated" and still does not know the intruder's identity.

Did Sony really not encrypt passwords?
While credit card data was encrypted, Sony admitted that customer names, birthdates, addresses, user names, and passwords were not. But neither did it store them in cleartext, the company said today. Cleartext refers to storing information in a way that's readable to humans without any processing.

"While the passwords that were stored were not 'encrypted,' they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted," wrote Sony spokesman Patrick Seybold today. "But I want to be very clear that the passwords were not stored in our database in cleartext form."

Is there any evidence anyone's been the victim of identity theft or credit card fraud as a result?
Sony says so far they have not seen any evidence to suggest that. Last week, it was rumored that a group of hackers was selling a database of customer information and credit card data said to be from PSN and had attempted to sell it back to Sony. Company spokesman Seybold has repeatedly denied this.

There were 77 million customers with profiles set up on PSN that included their names, birthdate, and address, but only 10 million of them had uploaded their credit card information for purchasing and renting content, according to Sony.

What is Sony doing to make sure this type of breach doesn't happen again?
First, Sony Computer Entertainment is creating a new position, chief security information officer. SCE is the business division responsible for gaming at Sony. Whoever occupies the post will report to Hasejima, chief information officer of Sony.

Sony was already planning to move its PSN servers from San Diego to another unnamed location. As a result of the attack, Sony is speeding up that move.

Sony says it is upgrading PSN server system security, including adding automated software monitoring and configuration management, enhancing data encryption, and implementing more firewalls, Hirai said this weekend.

Sony keeps apologizing, but how will it make it up to me as a customer?
Sony says it will help customers enroll in free identity theft monitoring, something that will be handled differently depending on the region. There so far is not a lot of detail regarding how this will work, but a Sony spokesperson says more information will be forthcoming.

The company has also instituted a "Welcome Back" program to encourage its customers to return to using PSN. It will vary in different regions, but the basics are this: Sony will offer free downloads of "entertainment content," current PSN customers will get free PlayStation Plus (a paid premium service) for 30 days, current PS Plus customers who've already paid for a monthly or yearly membership will also get 30 days free (we still don't know how Sony plans to implement this--a refund? Or just an extra 30 days free?), and current Music Unlimited by Qriocitysubscribers get 30 days of free service.

The company hasn't yet said how it will compensate SOE customers.