
My PSN was hacked 3 weeks ago, so Sony disabled access to every game I own on PS4.

STEaMkb

Member
How come we see far less of "my Xbox Live account got hacked, can't get access to my games"?

The point is, this whole attitude of placing the blame squarely on the user is ridiculous.

Because Microsoft were quicker to respond to the problem of credential stuffing attacks than most other online services.

See this thread for details: http://www.neogaf.com/forum/showthread.php?t=1324360

Microsoft attempt to get ahead of cyber criminals and defuse the latest password dumps before the information can be monetized. Their security team created an automated system to sort through third-party data. The program looks for matching account emails in their system and, when discovered, it sends password resets to each user, forcing them to pick a new password distinct from the last. They explain this process on their blog:

As a lot of you know, a number of articles were published last week about a Russian hacker offering 272.3 million stolen usernames and passwords... When we discover a new list of usernames and passwords, we run them through an automated system that checks to see if any of the credentials match those in our MSA or Azure AD systems... For this particular list, 9.62% of the usernames matched an account in our systems [and] 1.03% had a matching password... Once we've identified the subset of accounts that are vulnerable, our automated mitigations kick in to protect them.

It's not perfect because it's impossible to keep up with the staggering number of breaches and Xbox Live accounts still get hacked -- just at a less frequent rate. Sony have also increased the rate at which they force password resets, but it's not clear if this is entirely random or in response to specific threats.
 

Valonquar

Member
I would just like to thank GAF posts like this one for finally getting me off my ass and enabling 2FA on my account. I would be fairly angry if this shit happened to me.
 

royox

Member
I would just like to thank GAF posts like this one for finally getting me off my ass and enabling 2FA on my account. I would be fairly angry if this shit happened to me.

+1

I have 2FA on mine because I got scared about being bullied by gaffers telling me "BUT WE HAVE ONE THREAD EVERY WEEK!" if my account got fucked.
 

Leyasu

Banned
I honestly did not know there was two-factor authentication on PSN.

I'm surprised that the attitude here is so much of 'serves you right'.

Joke post? This is sony someone is criticising. It makes them lash out.

Feel for you op
 

shandy706

Member
I honestly did not know there was two-factor authentication on PSN.

I'm surprised that the attitude here is so much of 'serves you right'.

Still waiting on this forum to STICKY this with bold text....maybe flashing bold text, haha.

The reason people tend to act that way is that it would be hard to miss all the "Sony account hacked"..."You need to enable Two Factor" posts. Unless you're new of course. We really need a big bold Sticky.
 

Solid Raiden

Neo Member
I was hacked months ago. Someone used the Sony site to deactivate my PS4 and make their PS4 primary. I did not know of TF Authentication until then and immediately activated it. The hacker never accessed my profile again, but Sony was no help in reactivating my PS4 and I was finally able to use the site to deactivate my PS4 last week.
 
Well apparently if you dont sign up to 2 step, you get what's coming to you. Regardless of the strength of your password.
I don't think you understand what's happening in these situations.

The OP's account wasn't hacked by somebody who was able to break into Sony's servers and extract his username and password from a database. If that happened, everyone's PSN account would be compromised, and Sony would legally have to publicly acknowledge that. We'd all be fucked.

What happened is that somebody already knew the OP's username and password on the PSN, and so they just entered those details and were able to log in. The PSN is designed to allow access if someone provides the correct username and password; every service is.

So how did someone else know what the OP's username and password were for both the PSN and Twitter? Almost certainly, the OP used the same username and password combination across multiple sites. Unfortunately, many big sites get hacked, and the hackers are able to extract username/password combinations from them. The website that a few people have posted (haveibeenpwned.com) will tell you if your username (email address) was used on a site that had a data breach like that. Chances are, it was.

Now once the hackers have these enormously long lists of username/password combinations, they realise that many people are really dumb: instead of using unique passwords, they'll actually reuse passwords across multiple sites. So now the hackers just try the username/password combinations on other big sites, and hey presto, for the accounts of many dumb people they're able to log into other sites using the same username/password combination.

2FA is a great defence in these sorts of situations; it's not perfect, but it makes it nearly impossible for the hackers to just reuse your (non-unique) username/password combination. The big problem is this though: the kind of (dumb) people who reuse the same username/password combination across multiple sites are also the sorts of people who will never bother enabling 2FA. Conversely, the sorts of people who enable 2FA are the ones who are smart enough not to reuse username/password combinations in the first place. When these threads used to pop up, everyone would say "this is because Sony doesn't offer 2FA!" As I and many others pointed out though, 2FA was never going to make any difference, because the dumb people who reused passwords were never the sorts of people who were going to enable 2FA anyway. Sadly, time and time again, we've been proven right.
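The two posts above describe the same mechanism from opposite sides: the STEaMkb post quotes Microsoft running leaked username/password lists against their own account store and forcing resets where the password matches, and the post just above explains why that works (attackers replay reused credentials). The following is an added example of that triage loop, not Microsoft's or Sony's code. The account store, the "leaked" dump, the e-mail addresses and the passwords are all constructed for illustration, and PBKDF2-HMAC-SHA256 is an assumed storage scheme; the thread says nothing about how either service hashes passwords.

```python
"""Triage a third-party credential dump against a local account store.

Added example (not Microsoft's or Sony's code). All account data and the
'leaked' dump are constructed. PBKDF2-HMAC-SHA256 is an assumption; the
thread does not say how the real services store passwords.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional, Set, Tuple

PBKDF2_ITERATIONS = 100_000


class StoredCredential:
    """Salted password hash as a service keeps it (never the plaintext)."""

    def __init__(self, salt: bytes, digest: bytes) -> None:
        self.salt = salt
        self.digest = digest


def hash_password(password: str, salt: Optional[bytes] = None) -> StoredCredential:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return StoredCredential(salt, digest)


def password_matches(stored: StoredCredential, candidate: str) -> bool:
    """Re-derive with the account's own salt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), stored.salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(stored.digest, derived)


def normalize_email(email: str) -> str:
    return email.strip().lower()


def triage_dump(dump: Iterable[Tuple[str, str]],
                accounts: Dict[str, StoredCredential]) -> Tuple[Set[str], Set[str]]:
    """Return (emails that exist in our system, emails whose leaked password is also ours).

    Only the second set is exposed to credential stuffing; the first set is
    just users who also had an account on the breached site.
    """
    email_hits: Set[str] = set()
    password_hits: Set[str] = set()
    for raw_email, leaked_password in dump:
        email = normalize_email(raw_email)
        stored = accounts.get(email)
        if stored is None:
            continue  # not our user; nothing to protect
        email_hits.add(email)
        if password_matches(stored, leaked_password):
            password_hits.add(email)
    return email_hits, password_hits


def plan_mitigations(email_hits: Set[str], password_hits: Set[str]) -> Dict[str, str]:
    """Automated response: reused password -> forced reset and session kill;
    email-only match -> watch the account for anomalous logins."""
    actions: Dict[str, str] = {}
    for email in email_hits:
        if email in password_hits:
            actions[email] = "force_password_reset+invalidate_sessions"
        else:
            actions[email] = "flag_for_anomalous_login_monitoring"
    return actions


def match_rates(dump: Iterable[Tuple[str, str]], email_hits: Set[str],
                password_hits: Set[str]) -> Tuple[float, float]:
    """Percentages over distinct emails in the dump, like the figures Microsoft quoted."""
    distinct = {normalize_email(e) for e, _ in dump}
    return (100.0 * len(email_hits) / len(distinct),
            100.0 * len(password_hits) / len(distinct))


def build_sample() -> Tuple[Dict[str, StoredCredential], List[Tuple[str, str]]]:
    """Constructed data: four local accounts and a five-line 'leaked' dump.
    Only bob reused his password on the breached site."""
    accounts = {
        "alice@example.com": hash_password("S3cure!alice"),
        "bob@example.com": hash_password("Winter2016!"),
        "carol@example.com": hash_password("uniqueToPSN-8x!q"),
        "dave@example.com": hash_password("d4ve-not-in-dump"),
    }
    dump = [
        (" Alice@Example.com ", "Summer2016"),   # our user, different password
        ("bob@example.com", "Winter2016!"),      # our user, same password: exposed
        ("carol@example.com", "Winter2016!"),    # our user, somebody else's password
        ("erin@example.com", "letmein"),         # not our user
        ("BOB@example.com", "hunter2"),          # duplicate entry, wrong password
    ]
    return accounts, dump


if __name__ == "__main__":
    accts, leaked = build_sample()
    emails, passwords = triage_dump(leaked, accts)
    print(plan_mitigations(emails, passwords), match_rates(leaked, emails, passwords))
```

Two details worth keeping: the check uses the account's existing salted hash, so the service never needs to store anything new about the leaked plaintext, and the email-only matches still get flagged, because the same user may have reused the password in a form the dump did not capture.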
 

DrDamn

Member
So how did someone else know what the OP's username and password were for both the PSN and Twitter? Almost certainly, the OP used the same username and password combination across multiple sites.

Given the OP point that it was a unique password on PSN I think it's more likely the email account associated was compromised. Hence I think along side enabling 2FA they should change their email address password too.

If they have the email address that gives them access to lots of info - like PSN name, Twitter account name. So they just request a password reset whilst watching the email account and bingo - they have account names and passwords.
 
I'm just thinking, if the security is so incredibly bad as you first mentioned, then this should have been a long-standing problem happening a lot more, not just a couple of threads a month on NeoGAF in more recent times. No one here knows what causes this.

Long post incoming.

I work in Cybersecurity. Incident response. Think malware and APT group attacks.


It's bad. There's plenty of password theft that companies don't know about so doesn't get reported to the various sites (like the owned site). A lot of places don't know they are hacked for years (look at Yahoo). Forum accts and such are ripe pickings for this, for example.

If it's not that, it's a keylogger / backdoor Trojan on their computer or phone. Most people don't even know they are infected.

If not those, CPU/GPU power and cloud computing has gotten ubiquitous enough to crack passwords over time. I'm sure there are groups out there trying to break into some accounts once a day from rotating IPs. If you do that to enough known email addresses, using a rainbow table or the like, you'll likely get in eventually.


You need two-factor, at minimum, on any email account that has digital purchases on it. You should also have two-factor on those accts, really, if you don't want some random CC charges you'll have to tangle with.

I actually have a reusable password I use for low-hanging fruit. Because I don't really care that much if one of my forum accts or the like are comped. Activity there will warn me my account's under attack. But I don't use it on anything remotely important.

You don't need decent passwords on all your accounts. But you do on the accounts that you care about.

That said, everyone is being a bit mean to the OP. Most people don't keep up on this stuff. Power users are considered people who know how to do an Excel formula.

Inform and help, but I think derision is uncalled for. It sucks to have your stuff hacked. I had XBL happen years ago, before TFA (yes, it happens to them too). I kept a close eye on those accts though and managed to get home and password reset my acct in about 15 min, but not before they had drained my PayPal account and overdrafted the acct it was associated with.

I agree the OP should check their email addy. Google and Microsoft have a recent activity section you can check to see what IPs have been accessing your acct.
 

Septic360

Banned
I don't think you understand what's happening in these situations.

The OP's account wasn't hacked by somebody who was able to break into Sony's servers and extract his username and password from a database. If that happened, everyone's PSN account would be compromised, and Sony would legally have to publicly acknowledge that. We'd all be fucked.

What happened is that somebody already knew the OP's username and password on the PSN, and so they just entered those details and were able to log in. The PSN is designed to allow access if someone provides the correct username and password; every service is.

So how did someone else know what the OP's username and password were for both the PSN and Twitter? Almost certainly, the OP used the same username and password combination across multiple sites. Unfortunately, many big sites get hacked, and the hackers are able to extract username/password combinations from them. The website that a few people have posted (haveibeenpwned.com) will tell you if your username (email address) was used on a site that had a data breach like that. Chances are, it was.

Now once the hackers have these enormously long lists of username/password combinations, they realise that many people are really dumb: instead of using unique passwords, they'll actually reuse passwords across multiple sites. So now the hackers just try the username/password combinations on other big sites, and hey presto, for the accounts of many dumb people they're able to log into other sites using the same username/password combination.

2FA is a great defence in these sorts of situations; it's not perfect, but it makes it nearly impossible for the hackers to just reuse your (non-unique) username/password combination. The big problem is this though: the kind of (dumb) people who reuse the same username/password combination across multiple sites are also the sorts of people who will never bother enabling 2FA. Conversely, the sorts of people who enable 2FA are the ones who are smart enough not to reuse username/password combinations in the first place. When these threads used to pop up, everyone would say "this is because Sony doesn't offer 2FA!" As I and many others pointed out though, 2FA was never going to make any difference, because the dumb people who reused passwords were never the sorts of people who were going to enable 2FA anyway. Sadly, time and time again, we've been proven right.

I'd be hesitant to call people 'dumb' like you do several times, almost excusing Sony's shortcomings entirely.

Sony's response and attitude to dealing with it seems rather defective, especially comparatively to other similar services.

The chap shouldn't be locked out of access to his games for so long or worse, with a chance of never gaining access to them again. Then on top of that, for him to be blamed for going round the hurdles of sorting this out, and having to tolerate people who say things along the lines of 'I'm not sympathetic to people not signing up to 2FA'.

I get it; many people don't protect their passwords like they should, but the default view shouldn't be to blame the user, esp. when he is saying his pw is unique etc.

As it stands, if a PSN account gets hacked it's as if WE the users should be blamed and Sony gets none of that whatsoever.
 

Bluenoser

Member
This thread inspired me to enable 2-step finally. The only reason I hadn't before is because I don't have my own cell phone- the one I use is a work phone, so I felt like I shouldn't link that number to PSN. But it seems the risk of getting hacked is just too high, and I'm not willing to take the chance. I'll disable it if I ever lose the phone I guess.
 

dock

Member
While companies should try and aid their customers to make their accounts as secure as possible, it's also down to yourself as well. You need to be educated on your own accounts that you sign up to, and make them as locked down as possible. This is especially important when it comes to purchasing things through the service itself. We sadly live in a world where hacking is more and more prevalent. It's in the news, it's on TV, it's online; what I'm trying to say is it's hard to avoid the realities of security online. This is not directed at you specifically but "you" as a collective.
The news is a 24/7 downpour of fearmongering about how we should plug our sinks to prevent immigrants from sneaking through the pipes. It's easy to dismiss offhand comments about hacked accounts, especially if your account feels low profile.

Until this year I was confident enough with that password and still don't remember any time I used it elsewhere. I know a handful of people that insist we should all have complex computer generated passwords but I found the idea of having passwords too complex to remember or comfortably type is awful (please no horse battery, that doesn't help).
 

DC1

Member
I would just like to thank GAF posts like this one for finally getting me off my ass and enabling 2FA on my account. I would be fairly angry if this shit happened to me.
Hear, hear.

First thing I'm knocking out when I get home.
 

dallow_bg

nods at old men
The news is a 24/7 downpour of fearmongering about how we should plug our sinks to prevent immigrants from sneaking through the pipes. It's easy to dismiss offhand comments about hacked accounts, especially if your account feels low profile.

Until this year I was confident enough with that password and still don't remember any time I used it elsewhere. I know a handful of people that insist we should all have complex computer generated passwords but I found the idea of having passwords too complex to remember or comfortably type is awful (please no horse battery, that doesn't help).

Lots of free password managers out there.
I use lastpass.
 

DrDamn

Member
Until this year I was confident enough with that password and still don't remember any time I used it elsewhere.

Have you changed the password on your email account associated with the PSN account? You need to.
 
2FA is the most absolute anti-hacking device, right?

What if Sony makes it that 2FA is mandatory for every PSN account? Is it possible?

Like, your account will be non-activated if you're not turning it on. Or it's an automatic process when someone makes an account.
 

dock

Member
Lots of free password managers out there.
I use lastpass.

do you use a computer generated password for all of your accounts?
how many characters and how much complexity until you are actually safe?

I've used LastPass for a while and I have more complex security on a number of accounts, but PSN was not one of them.
 

Ibuki

Banned
The news is a 24/7 downpour of fearmongering about how we should plug our sinks to prevent immigrants from sneaking through the pipes. It's easy to dismiss offhand comments about hacked accounts, especially if your account feels low profile.

Until this year I was confident enough with that password and still don't remember any time I used it elsewhere. I know a handful of people that insist we should all have complex computer generated passwords but I found the idea of having passwords too complex to remember or comfortably type is awful (please no horse battery, that doesn't help).

So not having a complex password has put you in this situation. What is more of an inconvenience, typing a complex password or what you are currently going through? It's not really fear mongering when it happens to people everyday, especially with PSN.
 
It had a unique password but they hacked your twitter too?
Either your unique password isn't so unique or you have a keylogger on your computer.
It's probably just social engineering. Someone on the internet that he got chummy with used the info they learned to hijack his account by correctly answering security questions. It's the oldest trick in the book and it happens all the time.
 
I'd be hesitant to call people 'dumb' like you do several times, almost excusing Sony's shortcomings entirely.

Sony's response and attitude to dealing with it seems rather defective, especially comparatively to other similar services.

The chap shouldn't be locked out of access to his games for so long or worse, with a chance of never gaining access to them again. Then on top of that, for him to be blamed for going round the hurdles of sorting this out, and having to tolerate people who say things along the lines of 'I'm not sympathetic to people not signing up to 2FA'.

I get it; many people don't protect their passwords like they should, but the default view shouldn't be to blame the user, esp. when he is saying his pw is unique etc.

As it stands, if a PSN account gets hacked it's as if WE the users should be blamed and Sony gets none of that whatsoever.
If somebody yells out their PIN every time they use an ATM, is it the bank's fault when somebody eventually steals their card and withdraws their money?

As to customer service, judge away. I haven't really followed that side of things, so maybe Sony are total asshats.

The thing that really annoys me is the inane human beings who take no responsibility for their own security, and then blame others. Sort yourself out, it's not that bloody hard people.
 

dallow_bg

nods at old men
do you use a computer generated password for all of your accounts?
how many characters and how much complexity until you are actually safe?

I've used LastPass for a while and I have more complex security on a number of accounts, but PSN was not one of them.

Yup. 12 characters minimum is recommended using numbers, letters (upper and lower) and symbols where allowed.

It took me some time to switch all my accounts this way but I feel a lot better now.
Of course I also have 2FA enabled on LastPass itself and any account that supports it, no matter how insignificant.
 
The thing that really annoys me is the inane human beings who take no responsibility for their own security, and then blame others. Sort yourself out, it's not that bloody hard people.

This is where I'm at. I absolutely think Sony could do more to help with these situations after the fact, but it's almost entirely the user's fault that they've ended up in this situation in the first place most of the time. PSN accounts don't get 'hacked', people just get your username and password/security answers and log in.

Sony can't stop people from entering your password once they get it, but they should be able to do more to help people get their accounts back.
 
I don't know man, one who works from home and prefers a landline? Or someone who doesn't feel the need to own one? Shit if I know, but I just find it absurd that one should need a mobile phone to be fully secured.

Owning a cellphone is like the bare minimum of being a functional human being in a first world country dude.
 

opoth

Banned
Sorry OP, but thanks for the reminder to finally enable 2FA on my PSN account, I didn't really care on my PS3 but now that I have a PS4...
 

ViolentP

Member
Dat digital future.

Yep. Shouldn't be a surprise that anything stored digitally of any value will have attempts of theft against it. The right security measures simply have to be taken. Just like homes, cars, etc...

Protect your investments regardless of what form they come in.
 

Gxgear

Member
How come we see far less of "my Xbox Live account got hacked, can't get access to my games"?

The point is, this whole attitude of placing the blame squarely on the user is ridiculous.

Because the majority of the cases reported on here appear to be results of phishing. In this particular instance the hacker also got access to the twitter account.
 

ViolentP

Member
I know this is likely a semi-joke post but I honestly do worry about this in the future, only owning licenses to a game instead of an actual game...

It is not dissimilar to physical media in that regard. I have digital libraries going back to the beginning of Steam and I have never had any sort of breach to my personal data. I attribute that to being proactive about security. The same way that if you keep your doors locked in your home or get a security system, the chances of theft are lowered.

I really see the two things as being handled identically to each other, only difference is the options on how you protect them.
 

BigEmil

Junior Member
How come we see far less of "my Xbox Live account got hacked, can't get access to my games"?

The point is, this whole attitude of placing the blame squarely on the user is ridiculous.
PS4 has 2x the userbase of Xbox, so more chances of these happening.
 

Rellik

Member
2FA is the most absolute anti-hacking device, right?

What if Sony makes it that 2FA is mandatory for every PSN account? Is it possible?

Like, your account will be non-activated if you're not turning it on. Or it's an automatic process when someone make an account.

It can't be mandatory because not every single person on PSN has a mobile phone. We have a guy in this very thread who doesn't.

This is the very first I'm hearing of 2FA on PSN. I don't see anything in the menus for it.

https://www.playstation.com/en-us/account-security/2-step-verification/

If you want to do it on your console: https://www.playstation.com/en-gb/g...nd-details/ps4--2-step-verification/#activate

Go to [Settings] > [PlayStation Network/Account Management] > [Account Information] > [Security] > [2-Step Verification] > [Set Up Now].
 

Radec

Member
Wew, I always forgot to activate the 2-step verification. Done now.

I wonder though, how cumbersome if I ever lost the number that I registered on my psn?
 

BlitzKeeg

Member
Well if it's any consolation OP your thread is making many people like myself set up the 2 step authentication.

Regardless I hope you're able to sort it out and get your games back. That really sucks :/
 

adj_noun

Member
I wonder though, how cumbersome if I ever lost the number that I registered on my psn?

Then you use one of your backup codes.


Go to the 2-Step Verification menu in the Security section of Account Management on web browser or, on your PS4, go to [Settings] > [PlayStation Network/Account Management] > [Account Information] > [Security] > [Two-Step Verification].

Go to the [Backup Codes] section, write them down and keep them in a safe place.
 

Peroroncino

Member
Feels like there's been roughly 1 thread about it per week recently.

Utterly ridiculous that it's becoming so prevalent. 'scuse me while I go and enable 2FA.

Yeah, and in all those threads there are some people prone to victim blaming, but why? It's not the guy's fault that Sony's security is a joke and 2FA [which isn't even a feature highlighted enough by Sony themselves] is practically a must on that platform. Why isn't there a weekly thread about hacked XBL accounts? Sony needs to step up their game, especially since their customer service and handling of hacked accounts is probably even worse than their security.

Of course personally, after about tenth or so thread on gaf about hacked psn account I decided to enable 2FA, but I still don't think it's a solution, especially for people who don't want to give their number to Sony or don't even have a phone [yea, it's not that uncommon as some may think]. And I definitely don't agree with ganging up on people who just lost a shitton of games/money shouting 2FA at their face.
 

G17

Member
Is there a way to configure two factor authentication with an app such as Google Authenticator?

Microsoft allows this however, Sony only seems to allow it via mobile phone number.
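Two things the thread raises in passing deserve a concrete look: G17 asks about authenticator-app 2FA instead of a phone number, and adj_noun's earlier post points to backup codes as the recovery path when the registered number is lost. The block below is an added example, not Sony's or Microsoft's implementation; the thread says nothing about how PSN generates or stores its codes. It implements RFC 6238 TOTP (what Google Authenticator and similar apps compute) and a hashed, single-use backup-code store. The only real value in it is the RFC 6238 test secret "12345678901234567890"; the code format and store design are assumptions.

```python
"""App-based 2FA (TOTP, RFC 6238 over RFC 4226 HOTP) plus single-use backup codes.

Added example, not Sony's or Microsoft's code. The backup-code format and
storage design are assumptions; the thread does not describe PSN's.
"""
import hashlib
import hmac
import secrets
import struct
from typing import List, Optional, Set


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by the number of 30-second steps."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current code and `window` steps either side to absorb clock drift.
    A real server must also refuse to accept the same code twice within a step."""
    if not (code.isdigit() and len(code) == digits):
        return False
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


class BackupCodeStore:
    """Issues codes once in plaintext, keeps only SHA-256 hashes, burns a code on use.

    Plain SHA-256 (no slow KDF) is acceptable here only because each code is
    64 bits of fresh randomness, not a user-chosen secret.
    """

    def __init__(self) -> None:
        self._hashes: Set[str] = set()

    @staticmethod
    def _normalize(code: str) -> str:
        return code.replace("-", "").replace(" ", "").lower()

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.encode("ascii")).hexdigest()

    def issue(self, count: int = 10) -> List[str]:
        """Generate `count` codes, shown as xxxx-xxxx-xxxx-xxxx; caller shows them once."""
        codes: List[str] = []
        for _ in range(count):
            raw = secrets.token_hex(8)  # 16 hex chars, 64 bits
            codes.append("-".join(raw[i:i + 4] for i in range(0, 16, 4)))
            self._hashes.add(self._digest(raw))
        return codes

    def redeem(self, presented: str) -> bool:
        """Constant-time scan of every stored hash; remove the matched one so it is single use."""
        digest = self._digest(self._normalize(presented))
        matched: Optional[str] = None
        for stored in self._hashes:
            if hmac.compare_digest(stored, digest):
                matched = stored
        if matched is None:
            return False
        self._hashes.remove(matched)
        return True

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    import time
    demo_secret = secrets.token_bytes(20)      # what the QR code would enrol
    print("current code:", totp(demo_secret, int(time.time())))
    store = BackupCodeStore()
    print("backup codes:", store.issue(4))
```

The TOTP side needs no phone network at all: the shared secret is enrolled once (usually via a QR code) and both sides derive the same six digits from the clock, which is why losing a phone number does not matter but losing the device does. The backup-code side is what covers that second loss, and it only works if the codes were written down when issued, which is the point adj_noun's post makes.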
 
I just realized something, but how the fuck is someone supposed to use two-factor-authentication if that person doesn't own a mobile phone?

Texting app, but trust me, you don't want to go there. I learned from my mistake. If you ever lose the number (iirc most texting apps don't give you a permanent number and the number disappears if you're inactive), you will have zero ways of accessing the 2FA codes. And guess who had to go through the pain of convincing CS to turn off 2FA because I'm the valid owner (combined with the stupidity of losing backup codes)?

Thankfully things worked out, but goddamn that was stressful.
 