As you guys may or may not know, the PlayStation Network has been down for a week thanks to some asshat hackers. The outage itself is annoying, but that’s not the real news: the hackers got users’ personal data. There is some more coverage here and here if you’re curious, but I’m here to talk about me. Of course.
First, a quick aside to set the stage: I love my PS3. The build quality, the noise (or lack thereof), the graphics power, the Blu-ray player; it kicks my Xbox 360’s ass in every way but the online experience (PSN is no match for Xbox Live, but it’s free) and maybe the controllers (mostly a wash). I default to the PS3 version of multi-console releases unless reviews say the PS3 version sucks or I want to play with my brother (who only has a 360).
Back to the hack. Because I follow gaming press, I’ve known since Monday that my bank card data (and address, and full name, and…) could be in the wrong hands. I’ve already contacted my banks and am in the process of setting up fraud alerts with credit reporting agencies. This is a big fat pain in my ass that I don’t need right now, but shit happens.
I was just a bit angry and disappointed at the beginning of the week. Now my blood is boiling.
This morning I finally got an official email from Sony warning me about the hack and providing a ton of information about what I should do to protect myself. Essentially it reiterated everything I already knew from other sources.
News has an incentive to provide detailed information as fast as possible, and corporations have incentives (including inertia) to delay releasing detailed information. But if Sony gave half a shit about protecting their customers, they would have treated this exactly like what it was: a race between their customers and the hackers to secure or compromise accounts.
Instead, they waited a full week after they shut PSN down to notify me. A week.
Here was my reply:
I have 2 questions:
1) Why was my password (to say nothing of my personally identifiable information) stored in plain text?
Seriously, has Sony not heard of using per-user salts and hashing? How about just hashing? Encrypting the “passwords” table? No? Fan-fucking-tastic.
2) Why did you wait a week to inform me?
If I HAD used the same password in multiple places, the hackers would have had 9-11 days to find those accounts and compromise them, wouldn’t they? At this point, if they wanted to screw me I’d already be screwed. Clearly Sony knew something was amiss when you shut the PSN down a WEEK ago. Why did it take 7 more days to think “Hey, Andy might be vulnerable. We should really tell him!”?
Let me be clear: I know hacks happen. I know fraud happens.
I’m furious because your incompetence and tight-lipped handling of the fiasco put me at additional risk and for longer than needed. You’ve burned through all my trust and goodwill.
For what it’s worth, I’ve spent my last dollar on the PSN, and quite possibly with Sony. I know I’m a drop in the bucket, but multiply me by a few million pissed-off fanboys you guys just lost…
Microsoft and Nintendo have their issues, but at least they haven’t (yet) left 75 million users with their asses hanging out for a week.
I think that about sums it up.
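For anyone wondering what the “per-user salts and hashing” the reply above asks for actually looks like, here is an added example (mine, not Sony’s code, and not from the original post). It assumes PBKDF2-HMAC-SHA256 from Python’s standard library as the slow hash, a 16-byte random salt per user, and a simple `algorithm$iterations$salt$hash` record format; a leaked table of these records does not hand an attacker the passwords, and two users who picked the same password get different records, so a reused password can’t be spotted by matching rows.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256, a 16-byte random
# per-user salt, and a record format of "pbkdf2_sha256$iterations$salt_hex$hash_hex".
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return the record to store; the plaintext password is never written anywhere."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every user/record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False  # malformed or foreign record: never treat as a match
    _, iterations, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_password_different_records(password: str) -> bool:
    """Two users with the same password must not produce identical rows."""
    return hash_password(password) != hash_password(password)


def record_leaks_password(password: str, record: str) -> bool:
    """What a stolen 'passwords' table reveals: True only if the plaintext is visible."""
    return password in record
```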