I just received this in the mail today:
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network password and login, and PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. If you have provided your credit card data through PlayStation Network, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
Wow. Epic fail.
Don’t the programmers at Sony understand the most basic rules about storing personal data? You never store it in the clear. And data used only for verification (passwords, security answers) should never be stored at all – it should just be HMAC-ed and the fingerprint/hash stored instead.
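To make the point concrete, here is an added example (my own illustration, not anything from Sony or PSN) of storing a password and a security answer as keyed fingerprints rather than in the clear. It assumes a server-side secret key and an iteration count chosen for the demo; the stretching step uses PBKDF2, which is HMAC iterated many times.

```python
import hashlib
import hmac
import os

# Assumed server-side secret: in production it lives in a key store, not in source.
SERVER_KEY = b"constructed-demo-key-do-not-use"
ITERATIONS = 100_000  # assumed; tune to the hardware you verify logins on

def fingerprint(secret: str, salt: bytes) -> bytes:
    """Fingerprint of a verification secret; the secret itself is never stored.

    PBKDF2-HMAC-SHA256 over the secret with a per-record salt (slow, so offline
    guessing is expensive), then keyed with the server secret so a leaked table
    is useless without the key as well.
    """
    derived = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return hmac.new(SERVER_KEY, derived, hashlib.sha256).digest()

def normalize_answer(answer: str) -> str:
    # Security answers are matched case- and whitespace-insensitively.
    return " ".join(answer.lower().split())

def make_record(online_id: str, password: str, security_answer: str) -> dict:
    """The account record that would actually be written to the database."""
    pw_salt, sa_salt = os.urandom(16), os.urandom(16)
    return {
        "online_id": online_id,
        "pw_salt": pw_salt,
        "pw_fp": fingerprint(password, pw_salt),
        "sa_salt": sa_salt,
        "sa_fp": fingerprint(normalize_answer(security_answer), sa_salt),
    }

def verify_password(record: dict, attempt: str) -> bool:
    # compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(record["pw_fp"], fingerprint(attempt, record["pw_salt"]))

def verify_security_answer(record: dict, attempt: str) -> bool:
    return hmac.compare_digest(
        record["sa_fp"], fingerprint(normalize_answer(attempt), record["sa_salt"])
    )

def stored_in_clear(record: dict, *secrets: str) -> bool:
    """True if any plaintext secret appears anywhere in the stored record."""
    blob = b"".join(v if isinstance(v, bytes) else v.encode() for v in record.values())
    return any(s.encode() in blob for s in secrets)
```

A breach of the table then yields salts and fingerprints only; the password and the answer have to be guessed through the slow, keyed derivation.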
On my part, I did not store any credit cards with Sony because I have never bought anything from the PSN (and to avoid my nephew accidentally buying anything off the PSN). As for my passwords, I have been practicing new password policies for a while now. So, I think that I should be safe.
While I understand that Sony could just be playing it safe and saying that everything that they store could have been stolen, this does not help me sleep better at night, knowing that Sony has my data.
No wonder they need to rebuild PSN from the ground up. They are quite screwed. Their new firmware introduced this hole and they cannot patch the consoles through the PSN until the PSN is secure. It’s a security nightmare indeed. Then, they need to re-architect the entire system and restore all the data.
If we thought that the Amazon down-time was bad, this is much worse. Lawsuits!