Don't freak out: despite widespread reports you might have seen today, the alleged "major security breach" affecting the PlayStation Network and other services could very well be a fake.
UPDATE (9:18pm): Sony sent over a statement tonight:
"We have investigated the claims that our network was breached and have found no evidence that there was any intrusion into our network. Unfortunately, Internet fraud including phishing and password matching are realities that consumers and online networks face on a regular basis. We take these reports very seriously and will continue to monitor our network closely."
Original story follows:
This morning, a number of websites wrote about the purported breach thanks to a CNET report that claimed an anonymous group had "released a log of customer logins" across PSN, Origin, and Windows Live, among other online services. "PSN hacked again!" proclaimed one website.
There are a few red flags in the original report, though. For one, CNET says something called 2K Game Studios has been hacked. There's no such thing as 2K Game Studios. More bizarrely, the report's only source is a Pastebin posted on Twitter by the alleged hackers, who have also taken responsibility for a number of other hacking and DDoS attacks over the past few months. There is no evidence that anything in this Pastebin is real.
The Pastebin in question is a list of several thousand accounts and passwords that purportedly belong to PSN, Windows Live, and "2K" users. It certainly appears upon first glance to be a varied list of accounts and passwords... but are any of them legit?
This morning, I went through a few dozen random PSN accounts in the Pastebin to see which ones actually worked. Just trying to log into the accounts wouldn't have been the best test—as if this was real, it's likely some of them would have changed their passwords by now—so instead I went to the Change Your Password page on Sony's website to verify whether those accounts were ever used in the first place.
Every single account tested gave me the message "Not a valid e-mail address. Please try again," indicating that those accounts weren't signed up for the PlayStation Network at all.
Similar tests on the Pastebin list of Windows Live accounts revealed that the listed e-mails are indeed linked to real addresses, though none of the listed passwords worked for me.
UPDATE (11/24): Microsoft says they weren't hacked either:
We immediately investigated reports regarding some Microsoft Accounts including Windows Live and Hotmail and can confirm that no Microsoft site or service was compromised. Microsoft takes account security and privacy seriously. Should we identify any specific account at risk for any reason, we will take action to protect the account. To help keep your information safe, we encourage you to set strong passwords, change passwords regularly and avoid using the same password for multiple accounts. For more information on password security, visit our website at www.microsoft.com/security.
As for the 2K accounts? Though the hacking group claimed to have "800,000 from 2K," it's not really clear what they're referring to. There is no universal account for video games published by 2K. This could be a reference to the 2K forums or the MyPlayer accounts linked to NBA 2K, but when I tested some of the Pastebin accounts on both of those respective websites, none of them appeared to exist.
I also searched around for a few dozen of those listed "2K" accounts, many of which were unique identifiers with limited internet presence. Some of those accounts were tied to hacking and botting forums; others were linked to other games, like Minecraft and Runescape. Some on the list are nonexistent addresses like "firstname.lastname@example.org."
What's more, a security researcher named Colin Keigher broke down today's list of accounts and found that they share similarities with other lists of dumped accounts—his conclusion is that this particular Pastebin could be an amalgam of other database leaks, which might explain why none of the tested PSN e-mail addresses are actually linked to accounts.
The Guardian also talked to a security expert who believes that this is fake. "Looking through the list, there's certainly an awful lot of crossover with data from previous breaches, in particular the Adobe one," Trend Micro VP Rik Ferguson told them. "The random sample cross-referencing I have done certainly shows that the majority of data listed here has shown up already in previous breaches with a very few exceptions which seem to appear only in this particular paste."
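The kind of cross-referencing Keigher and Ferguson describe, written up as an added Python example (not code from either researcher or from this article): it parses a credential paste, sets aside placeholder addresses such as the firstname.lastname@example.org entries noted above, and reports how much of the remainder already appears in prior leak corpora, compared as SHA-256 fingerprints so the older dumps need not be held in clear. The paste contents, leak names and the 80% threshold are constructed assumptions.

```python
import hashlib
import re

# Constructed sample data for this example, not the real Pastebin: a purported dump plus two prior leaks.
PASTE = """\
alice@alpha-mail.test:hunter2
Bob.Smith@Beta-Mail.test ; p4ssw0rd
carol@gamma-mail.test|qwerty
firstname.lastname@example.org:password
dave@alpha-mail.test:letmein
erin@delta-mail.test:changeme
"""
PRIOR_LEAKS = {"leak_a": ["alice@alpha-mail.test", "bob.smith@beta-mail.test", "dave@alpha-mail.test"],
               "leak_b": ["carol@gamma-mail.test", "bob.smith@beta-mail.test"]}
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}  # RFC 2606 documentation domains
PLACEHOLDER_LOCAL = re.compile(r"^(firstname|lastname|email|user|name|test)([._-](firstname|lastname|name))?$")
LINE_RE = re.compile(r"^\s*(\S+@\S+?)\s*[:;|,\t ]\s*(\S+)\s*$")  # email <separator> password
RECYCLED_THRESHOLD = 0.8  # assumed cut-off for "mostly recycled"; calibrate against your own data

def normalize(email):
    return email.strip().lower()

def fingerprint(email):
    """SHA-256 of the normalized address, so prior-leak corpora can be kept hashed rather than in clear."""
    return hashlib.sha256(normalize(email).encode()).hexdigest()

def is_placeholder(email):
    local, _, domain = normalize(email).partition("@")
    return domain in RESERVED_DOMAINS or bool(PLACEHOLDER_LOCAL.match(local))

def parse_paste(text):
    """Return (email, password) pairs from lines using ':', ';', '|', ',' or whitespace as separator."""
    matches = (LINE_RE.match(line) for line in text.splitlines())
    return [(normalize(m.group(1)), m.group(2)) for m in matches if m]

def triage(paste_text, prior=PRIOR_LEAKS):
    pairs = parse_paste(paste_text)
    emails = {e for e, _ in pairs}
    placeholders = {e for e in emails if is_placeholder(e)}
    prints = {fingerprint(e): e for e in emails - placeholders}  # hash -> address, placeholders excluded
    per_source, seen = {}, set()
    for name, addrs in prior.items():
        hits = set(prints) & {fingerprint(a) for a in addrs}
        per_source[name], seen = len(hits), seen | hits
    overlap = len(seen) / len(prints) if prints else 0.0
    return {"entries": len(pairs), "placeholders": sorted(placeholders),
            "overlap_by_source": per_source, "overlap_fraction": round(overlap, 2),
            "only_in_paste": sorted(prints[h] for h in set(prints) - seen),
            "verdict": "likely recycled from prior leaks" if overlap >= RECYCLED_THRESHOLD else "needs further checks"}
```

On the constructed data, four of the five non-placeholder addresses are already present in the earlier leaks, which is exactly the pattern the researchers quoted above report for the real paste.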
Though Sony, EA, and 2K have not yet responded to requests for comment—and while it's always a good idea to change your passwords regularly—this "hack" appears to be nothing to worry about.