'Major PSN Hack' May Be A Fake [UPDATES]

Don't freak out: despite widespread reports you might have seen today, the alleged "major security breach" affecting the PlayStation Network and other services could very well be a fake.

UPDATE (9:18pm): Sony sent over a statement tonight:

"We have investigated the claims that our network was breached and have found no evidence that there was any intrusion into our network. Unfortunately, Internet fraud including phishing and password matching are realities that consumers and online networks face on a regular basis. We take these reports very seriously and will continue to monitor our network closely."

Original story follows:

This morning, a number of websites wrote about the purported breach thanks to a CNET report that claimed an anonymous group had "released a log of customer logins" across PSN, Origin, and Windows Live, among other online services. "PSN hacked again!" proclaimed one website.

There are a few red flags in the original report, though. For one, CNET says something called 2K Game Studios has been hacked. There's no such thing as 2K Game Studios. More bizarrely, the report's only source is a Pastebin posted on Twitter by the alleged hackers, who have also taken responsibility for a number of other hacking and DDoS attacks over the past few months. There is no evidence that anything in this Pastebin is real.

The Pastebin in question is a list of several thousand accounts and passwords that purportedly belong to PSN, Windows Live, and "2K" users. It certainly appears upon first glance to be a varied list of accounts and passwords... but are any of them legit?

This morning, I went through a few dozen random PSN accounts in the password to see which ones actually worked. Just trying to log into the accounts wouldn't have been the best test—as if this was real, it's likely some of them would have changed their passwords by now—so instead I went to the Change Your Password page on Sony's website to try and verify if those accounts were ever used in the first place.

Every single account tested gave me the message "Not a valid e-mail address. Please try again," indicating that those accounts weren't signed up for the PlayStation Network at all.

Similar tests on the Pastebin list of Windows Live accounts reveal that the listed e-mails are indeed linked to real addresses, though none of the listed passwords worked for me.

UPDATE (11/24): Microsoft says they weren't hacked either:

We immediately investigated reports regarding some Microsoft Accounts including Windows Live and Hotmail and can confirm that no Microsoft site or service was compromised. Microsoft takes account security and privacy seriously. Should we identify any specific account at risk for any reason, we will take action to protect the account. To help keep your information safe, we encourage you to set strong passwords, change passwords regularly and avoid using the same password for multiple accounts. For more information on password security, visit our website at www.microsoft.com/security.

As for the 2K accounts? Though the hacking group claimed to have "800,000 from 2K," it's not really clear what they're referring to. There is no universal account for video games published by 2K. This could be a reference to the 2K forums or the MyPlayer accounts linked to NBA 2K, but when I tested some of the Pastebin accounts on both of those respective websites, none of them appeared to exist.

I also searched around for a few dozen of those listed "2K" accounts, many of which were unique identifiers with limited internet presence. Some of those accounts were tied to hacking and botting forums; others were linked to other games, like Minecraft and Runescape. Some on the list are nonexistent addresses like "sample@email.tst."

What's more, a security researcher named Colin Keigher broke down today's list of accounts and found that they share similarities with other lists of dumped accounts—his conclusion is that this particular Pastebin could be an amalgam of other database leaks, which might explain why none of the tested PSN e-mail addresses are actually linked to accounts.

The Guardian also talked to a security expert who also believes that this is fake. "Looking through the list, there's certainly an awful lot of crossover with data from previous breaches, in particular the Adobe one," Trend Micro vp Rik Ferguson told them. "The random sample cross-referencing I have done certainly show that the majority of data listed here has shown up already in previous breaches with a very few exceptions which seem to appear only in this particular paste."

Though Sony, EA, and 2K have not yet responded to requests for comment—and while it's always a good idea to change your passwords regularly—this "hack" appears to be nothing to worry about.

DISCUSSION

whitsongordon
Whitson Gordon

We at Lifehacker were one of the sites that posted about it this morning, before we realized it might be a fake. Thanks for putting this together—we'll be having a more public conversation next week about how we plan to avoid reporting on "fake" leaks like this in the future (there have been a few lately).

At any rate, good work, Kotaku. Hopefully this is indeed as fake as it looks!