Not again!: Sony locks down accounts after breach

Sony was hit by yet another data breach incident (Photo credit: Tupungato/Shutterstock.com)

Sony said that it was sending email notifications to affected account holders and requiring users to reset their passwords.

"Credit card numbers associated with these accounts are not at risk as a result of these unauthorized attempts. Only a small fraction of these 93,000 accounts showed additional activity prior to being locked. We are continuing to investigate the extent of unauthorized activity on any of these accounts”, Sony said in a statement on Wednesday.

Sony’s newly appointed chief information security officer, Philip Reitinger, said in a blog that the unauthorized attempts "appear to include a large amount of data obtained from one or more compromised lists from other companies, sites or other sources." Reitinger was hired away from the US Department of Homeland Security by Sony after the massive data breaches earlier this year in which personal data on up to 100 million users were stolen from the same Sony services.

Graham Cluley of Sophos observed that "it appears that the hackers gained access to the Sony accounts by working through a large database of stolen usernames and passwords – believed to have been sourced from somewhere else. That suggests that the accounts which were broken into were using a non-unique password." In other words, users were using the same passwords on multiple sites.

Mike Smart, EMEA product and solutions director at SafeNet, told Infosecurity that this latest Sony breach “shows that the traditional approach of encrypting only critical financial data and business information no longer works. The recent rise in data security breaches targeting social data calls for a more comprehensive approach to information security which is centred around protecting data itself wherever it resides and at every stage of its lifecycle – from encrypting data when it is created, accessed, shared, stored, and moved.”
