PlayStation Network Down for 23 Days: 77 Million Accounts Exposed

Sony's PlayStation Network was breached via an "Application Security vulnerability" — Sony's own description — exposing names, addresses, dates of birth, and potentially payment card details of 77 million accounts.

Sony PlayStation Network·2011·2 min read

Background

The PlayStation Network had grown rapidly to 77 million registered accounts by April 2011. Sony's security investment had not kept pace with the network's growth. The company ran an outdated version of Apache with known vulnerabilities and stored personal data without sufficient encryption.

The Attack

Attackers — believed to be affiliated with Anonymous, though never conclusively proven — exploited known vulnerabilities in Sony's web application layer. They moved through the network undetected, ultimately exfiltrating the entire PSN user database including names, email addresses, birthdays, physical addresses, and PSN login credentials stored in an inadequately hashed format. Payment card data may also have been accessed, though Sony was ambiguous about this.

Response

Sony shut down PSN entirely on April 20, 2011. The network remained offline for 23 days — an eternity for a gaming service. Sony set up a dedicated website to inform users, offered free identity theft protection services, and apologised with a "Welcome Back" package of free games. The company rebuilt its network security infrastructure.

Outcome

The 23-day outage cost Sony an estimated $171 million. Sony faced lawsuits in multiple countries and was fined £250,000 by the UK Information Commissioner's Office for failing to keep software up to date. The incident remains one of the most disruptive consumer-facing breaches in gaming history.

Key Takeaways

  1. Keeping internet-facing software patched is a fundamental, non-negotiable obligation
  2. Hashing passwords with strong algorithms (bcrypt, Argon2) limits exposure when databases are stolen
  3. Gaming and entertainment platforms hold sensitive personal data and must be treated as financial services
  4. Having an incident response plan that can operate publicly at scale is essential for consumer brands
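Takeaway 2 in practice, as an added example that is not from the original article: a fast unsalted digest of the kind described above as "inadequately hashed" beside a salted, memory-hard scheme with a constant-time verifier. It uses hashlib.scrypt from Python's standard library as a stand-in for bcrypt or Argon2 (both need third-party packages); the work parameters and the stored record format are this example's own choices.

```python
import hashlib
import os
import secrets
from typing import Optional

# scrypt work parameters (this example's choice): n=2**14, r=8, p=1 costs
# 128 * n * r * p = 16 MiB of memory per hash, which is what makes bulk
# guessing against a stolen table expensive. Raise n as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
KEY_LEN = 32


def weak_hash(password: str) -> str:
    """The pattern to avoid: a fast, unsalted digest. Every user who chose
    the same password gets the same record, and each guess costs microseconds."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus a memory-hard KDF, stored as one
    self-describing record so parameters can be raised later."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters embedded in the record and compare in
    constant time; malformed or foreign records simply fail."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, key_hex = parts
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=KEY_LEN)
    return secrets.compare_digest(key.hex(), key_hex)


def demo(password: str = "correct horse battery staple") -> dict:
    """Two users with the same password: identical under weak_hash, distinct
    under the salted scheme, and only the right password verifies."""
    strong_a, strong_b = hash_password(password), hash_password(password)
    return {
        "weak_identical": weak_hash(password) == weak_hash(password),
        "strong_identical": strong_a == strong_b,
        "verify_ok": verify_password(password, strong_a),
        "verify_wrong": verify_password(password + "!", strong_b),
    }
```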
Tags: web application, credential theft, gaming, personal data, password hashing