Sony PlayStation Facing Yet Another Security Breach
Special to CNBC.com
Just days after Sony brought its PlayStation Network back to life after one of the biggest online security breaches in history, the company may have another problem on its hands.
Sony has blocked user logins on all PlayStation Websites after reports began to circulate on gaming sites and on hacker message boards about an exploit — essentially, a hole or oversight in the system's security that hackers can use to gain access — that could allow third-parties to take control of user accounts.
The exploit, first exposed by Nyleveia.com, apparently allows third parties to change the password on accounts by utilizing the user's email address and date of birth — data that was stolen from over 77 million PlayStation accounts in the initial cyber attack.
Users are still able to access their accounts and the PlayStation Network through their PlayStation 3 consoles. Only Website access has been blocked at this time, with a message saying "The server is currently down for maintenance. We apologize for the inconvenience. Please try again later."
Sony did not return calls seeking comment about the reported exploit, but said on the company's official blog this afternoon, "In the process of resetting of passwords there was a URL exploit that we have subsequently fixed." (As of 3pm ET, however, logins via the Web were still being blocked.)
Sa far, there have been no reports of any accounts that were compromised by this exploit and Sony seems to have taken quick action to ward off problems.
CNBC.com has seen a video demonstrating the exploit. In it, third parties are easily able to change a password even without having access to the original user's email account. Any account that is affected will likely know so quickly, however, as they will receive an automated email from Sony informing them that their password has been changed.
News of the potential security hole is far less devastating than the initial attack, which ultimately saw data stolen from over 100 million user accounts. Sony took the PlayStation Network offline for 3.5 weeks to assess the damage and rebuild the system with new security measure in place.
Last Saturday, it began welcoming customers back, starting a phased relaunch of the system that included the return of online play and the use of third party services such as Netflix and Hulu Plus.
Before users could sign on, though, they were required to download a patch and reset their account passwords, either via the PS3 where they had first set up their account or via the Website.
While the rollout occurred in North American and Europe, Sony was not able to relaunch the system in Japan, as officials there did not allow it, saying they were not yet convinced the system was secure.
"We know even the most loyal customers have been frustrated by this process and are anxious to use their Sony products and services again," said Kazuo Hirai, Sony' executive deputy president in a statement Saturday. "We are taking aggressive action at all levels to address the concerns that were raised by this incident, and are making consumer data protection a full-time, company wide commitment."
The company has come under fire for taking up to a week before informing consumers that their data was at risk. While it has been mainly apologetic for this, Sony CEO Sir Howard Stringer defended the timing yesterday in a roundtable discussion with reporters Tuesday.
"This was an unprecedented attack," he said. "A lot of these breaches are never reported by companies or it takes companies a month. You're telling me my week wasn't fast enoough?"
The data breach will have an economic impact on the company, but Sony says it is still determining how big the bill will be. The company's shares have fallen 8 percent since April 20, when it took the PlayStation Network offline because of the far-reaching and sophisticated cyber attack. Get real-time Sony quotes here.