Sony Clarifies Password Storage Techniques, No Truth To Credit Card List
Posted by Sammy Barker
If the PlayStation Network data breach taught us anything other than to be more vigilant, it taught us the meaning of the acronym FUD:
"FUD. Fear, uncertainty and doubt, usually evoked intentionally in order to put a competitor at a disadvantage."
Scaremongering that capitalised on Sony's limited communication was rife during the early parts of last week. One story that made its way to mainstream news outlets detailed how hackers had access to over two million PlayStation Network users' credit cards. The story went on to detail how hackers had tried to sell the information back to Sony.
In a security update this evening, communications director Patrick Seybold told PlayStation Blog readers that there is "no truth" to said reports.
Another popular rumour stated that Sony stored users' passwords in cleartext. Again, misinformation according to Seybold.
While the passwords that were stored were not encrypted, they were transformed using a cryptographic hash function, he said.
"There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form. For a description of the difference between encryption and hashing, follow this link."
For us, what's been most worrying about this whole situation is how so many outlets have been quick to publish a story with very little fact checking. The credit card list rumour originated from a Twitter account and was later published by major news outlets like The Telegraph and The Guardian. Similarly, the cleartext password rumours were sparked by an IRC conversation between unknown hackers.