When talking about data leaks there's a couple of important points to remember. (1) people who live and work in the glass house of data management really shouldn't throw stones (so I hope this doesn't come back to haunt me) and (2) one can never condone criminal actions of alleged hackers...
That said, it really couldn't have happened to a nicer company. Firstly there's Sony's relentless legal pursuit of George Hotz (geohot), an enthusiast who worked out how to bypass the digital locks that prevent PlayStation owners from running their own homebrew software on their own PlayStation (note: not illegally copied games, but useful stuff, like Linux).
And secondly there's the experience of a good friend of mine who last summer found some questionable credit card transactions linked to his PlayStation account. Sony's response was incredible. No, he couldn't have a refund. Yes, he could pursue a complaint with his card provider under the Consumer Credit Act 1974 or the Distance Selling Regulations, however...
... if he filed a complaint, he was informed, he would lose all access to his existing PlayStation account, including his gamer ID and all purchased titles! Simply incredible. If anyone from Sony wants to comment I've reserved a space right here:
Space intentionally left blank

And on the reported attack itself, there's no excuse for storing user passwords unencrypted. It's well established that people will use the same password for various purposes. The public know this is a bad idea but keep on doing it.
The solution is not to shake one's head and say "dear me the public keep on doing this bad thing..." The solution is readily available in the form of either asymmetric or one-way encryption.
The encryption technology has been freely available for years. The database stores an encrypted representation of the user's password.
When the user enters their password, the software on the web server knows how to turn the plain text password into the encrypted form and check it against the database. Because the algorithm used is asymmetric (e.g. like PGP), having the cipher key and the algorithm used to encrypt the password does not help in any way with decrypting the stored password. It may sound complex but I assure you it's all pretty standard stuff.
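The post calls the stored form "asymmetric" and compares it to PGP; the standard mechanism for the property it describes (the server can check a password but nobody can recover it from the database) is the post's other option, one-way transformation, specifically a salted, deliberately slow password hash. The example below is added here to show that mechanism; it is not Sony's code or anything from the original post. PBKDF2-SHA256, the iteration count and the `algo$iterations$salt$hash` record format are my own assumptions, and the "user table" is a constructed in-memory dictionary.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumption: a high PBKDF2 iteration count to make offline guessing slow.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a storable record of the form pbkdf2_sha256$iterations$salt_hex$hash_hex.

    The record contains everything needed to re-check a password later
    (algorithm, work factor, salt) but nothing that lets the plain text be
    recovered: the hash is one-way.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-run the one-way transform with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


# Constructed example tables: the "before" (plain text) and the "after" (hashed).
def build_plaintext_table(users: Dict[str, str]) -> Dict[str, str]:
    """What a leak of this table exposes: every password, directly readable."""
    return dict(users)


def build_hashed_table(users: Dict[str, str], iterations: int = PBKDF2_ITERATIONS) -> Dict[str, str]:
    """What a leak of this table exposes: salted hashes only, each needing a brute-force attempt."""
    return {name: hash_password(pw, iterations=iterations) for name, pw in users.items()}


def login(table: Dict[str, str], name: str, password: str) -> bool:
    """Server-side check against the hashed table; never needs the plain text stored."""
    record = table.get(name)
    if record is None:
        return False
    return verify_password(password, record)


def leak_exposes_plaintext(table: Dict[str, str], password: str) -> bool:
    """True if the literal password appears anywhere in the stored records."""
    return any(password in stored for stored in table.values())


def same_password_different_records(table: Dict[str, str], a: str, b: str) -> bool:
    """Per-user salts mean two users sharing a password still get distinct records,
    so a leaked table does not reveal who reused a password."""
    return table[a] != table[b]


if __name__ == "__main__":
    users = {"alice": "correct horse", "bob": "correct horse", "carol": "battery staple"}
    plain = build_plaintext_table(users)
    hashed = build_hashed_table(users, iterations=1000)  # low count only to keep the demo fast
    print("plain text table leaks password:", leak_exposes_plaintext(plain, "correct horse"))
    print("hashed table leaks password:", leak_exposes_plaintext(hashed, "correct horse"))
    print("alice/bob records differ:", same_password_different_records(hashed, "alice", "bob"))
    print("login ok:", login(hashed, "alice", "correct horse"))
    print("login wrong pw:", login(hashed, "alice", "wrong"))
```

The key point for the post's argument is in `verify_password`: the server reproduces the transform from the user's input and compares, so it never needs the plain text on disk, and a copied database gives a thief only salted hashes that must each be guessed at the cost of the work factor.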
1/10 Sony - and the 1 point is for coughing to the leak.
Question (via twitter):

"Have Sony actually confirmed passwords were stored in plaintext? I'd assumed as much but I'm finding it hard to believe."

Answer: Yes, in their own press release Sony state that "PlayStation Network/Qriocity passwords and login" are amongst the details obtained by an "unauthorized person".
UPDATE 2-May: Sony have released a press statement effectively claiming now that passwords were indeed hashed and therefore your password might not have been lost to hackers.