Sony Corp. has reportedly hired three security firms to assist in the investigation of security breaches in the Sony Online Entertainment and PlayStation networks.
According to The Wall Street Journal, Sony hired an internal audit and consulting firm and two computer forensics firms. The first is Protiviti Inc. The latter two are Guidance Software and Data Forte Corp.
Sony has said a hacking attack compromised the information of more than 100 million customers of the two Internet gaming services. The PlayStation network was the most exposed, with 77 million users and perhaps 2 million credit card numbers taken. Sony Online Entertainment had nearly 25 million accounts compromised with about 23,400 credit card numbers stolen, about half from outside the U.S.
Sony has assured customers that while the hackers got names, passwords and credit card details, the latter two are not easy to decipher. The passwords are hashed, or turned into strings of random-looking characters of varying lengths. The credit card numbers are encrypted.
However, a number of experts have said the combination of names, birthdates, login names and emails could enable phishing attacks, in which an email asks the owner of the password to change it and sends them to a fake version of the site they want to go to. Another tactic is to use that information to simply tell the network that the password is lost.
Hashed passwords can be cracked with rainbow tables, which are simply tables of every possible output of a hash function for text of a given length. With the password, a hacker would gain access to a user's entire account.
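The table lookup described above, and why a per-user salt defeats it, as an added example that is not part of the original article. The article does not say which hash Sony used; SHA-256, PBKDF2, the word list and the user records here are all constructed assumptions, and a plain lookup table stands in for a real rainbow table, which stores the same information in compressed chains.

```python
import hashlib
import hmac
import os

# Constructed sample data: a small candidate list and a tiny user database.
CANDIDATES = ["123456", "password", "letmein", "qwerty", "dragon"]
USERS = {"alice": "letmein", "bob": "dragon", "carol": "T7#vq!mZ2p"}


def unsalted(pw: str) -> str:
    """Weak storage: a single fast hash with no salt (assumed SHA-256)."""
    return hashlib.sha256(pw.encode()).hexdigest()


def salted(pw: str, salt: bytes, rounds: int = 100_000) -> bytes:
    """Hardened storage: per-user salt fed through a slow KDF (PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds)


def build_table(candidates):
    """Precompute hash -> password once; reusable against any unsalted dump."""
    return {unsalted(pw): pw for pw in candidates}


def lookup(table, stored):
    """Return {user: password} for every stored hash present in the table."""
    return {user: table[h] for user, h in stored.items() if h in table}


def verify(pw: str, salt: bytes, stored: bytes) -> bool:
    """Login check for the hardened scheme, using a constant-time compare."""
    return hmac.compare_digest(salted(pw, salt), stored)


def demo():
    table = build_table(CANDIDATES)
    # Unsalted: identical passwords always give identical hashes, so one
    # precomputed table matches every account that used a listed password.
    weak_store = {u: unsalted(pw) for u, pw in USERS.items()}
    recovered = lookup(table, weak_store)
    # Salted: each record is (salt, hash); the same table now matches nothing.
    strong_store = {}
    for user, pw in USERS.items():
        salt = os.urandom(16)
        strong_store[user] = (salt, salted(pw, salt))
    hits = lookup(table, {u: h.hex() for u, (_, h) in strong_store.items()})
    return recovered, hits, strong_store


if __name__ == "__main__":
    print(demo()[:2])
```

The long random password for the constructed user carol survives even the unsalted scheme only because it is absent from the candidate list; the salt is what protects the common passwords.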
The attacks first came to public attention on April 20, when the PlayStation Network was shut down. In the course of investigating the breach, Sony discovered that the Sony Online Entertainment network had also been hacked, with the user information stolen on April 16 and 17.
Sony Online Entertainment provides multiplayer games for personal computers. The PlayStation Network provides online services to PlayStation consoles.
Sony apologized to customers for the PlayStation network breach but has not yet provided details of what went wrong.
The attacks have prompted queries from members of Congress, and resulted in calls for tighter regulations on the handling of personal information.
For its part, Sony is offering 30 days of free service to SOE subscribers. A similar offer was made to PlayStation Network users.