As the Sony networks slowly come back online, a security issue that could have led to another break-in has been fixed. The company said the vulnerability was on the page where users had to reset their passwords for Sony's PlayStation Network and Qriocity music service.
The security hole allowed anyone who knew an account holder's date of birth and e-mail address to reset that account's password. Birth dates and e-mail addresses of up to a hundred million users were among the unencrypted data that Sony believes may have been stolen in the original break-in.
After the first network breach, the company was criticized by industry observers and some members of Congress for not quickly revealing that users' personal data may have been taken. The initial breach was noticed by Sony on April 19, the PlayStation Network was shut down on April 20, and users were notified of the breach and possible loss of personal information on April 26.
A gaming site, nyleveia.com, first brought the most recent security issue to light in a posting on May 17. It said that "despite the methods currently employed to force a password change when you first reconnect to the PlayStation Network, your accounts remain unsafe."
The site reported that a hack exploiting this weakness was "currently doing the rounds in dark corners" of the Internet. By Thursday, Sony reported it had fixed the problem.
In a video recently posted on the PlayStation Blog, Sony executive Kazuo Hirai noted that, as a new security feature, all customers are required to change their passwords.
Hirai said "aggressive actions" were being taken to address the vulnerabilities that led to the unprecedented network outage. The actions, he said, include advanced security technology, increased levels of encryption, additional firewalls, and early warning systems.