Sony's security team is having a rough year. Just over four months after Sony fully restored its PlayStation Network from a crippling (and very expensive) hack this spring, the company's new cyber security chief, Philip Reitinger--he's only been on the job a month--announced Tuesday night on the PlayStation blog that the hackers are back. This must be one of those "UGH" moments for Sony users, but compared to the first attack, it's not as bad.
This time around, hackers attempted to test a database of log-ins and passwords against Sony's networks and compromised a total of 93,000 accounts on Sony's Entertainment Network, PlayStation Network and Online Entertainment Network in the process. Reitinger says that his team has "taken steps to mitigate the activity" and insists that none of the users' credit card information was ever at risk, though he does hint at unauthorized purchases being made on the network. For a bit of perspective, the April attack on Sony by Anonymous and LulzSec exposed the personal data and possibly the credit card numbers of some 70 million subscribers. The PlayStation Network was offline for 44 days, and the entire fiasco ended up costing Sony an estimated $171 million. This latest hack, says gadget blog Electronista, is a "minor embarrassment" in comparison. So far, none of the usual suspects at the various hacktivist groups have taken credit.
If anything, Sony's continued misfortune serves as a teaching moment for all internet users. In the latest issue of The Atlantic, James Fallows describes what happened after a hacker broke into his wife's Gmail account, and in figuring out how these things happen and how companies like Google are able to respond, he provides a simple solution for people to protect themselves against attacks:
Use different passwords. Not hundreds of different ones, for the hundreds of different places that require logins of some kind. The guide should be: any site that matters needs its own password--one you don't currently use for any other site, and that you have never used anywhere else.
"Using an important password anywhere else is just like mailing your house key to anyone who might be making a delivery," Michael Jones of Google said. "If you use your password in two places, it is not a valid password."
The sort of database test that Sony caught this week is one way that hackers verify particular users' log-in info, which might then help them get into more lucrative accounts, such as those at banks. In addition to taking advantage of more secure log-in options and choosing good passwords, keeping a number of different log-in accounts is the best protection against a hack attack. Sony, meanwhile, looks like it's making some progress increasing its network security. Maybe next year they can go six whole months without a major breach.