How the PlayStation Network was Hacked
After 7 days of speculation-ridden downtime, Sony has finally announced that the PlayStation Network (PSN) outage was due to a massive hack that exposed the names, birthdays, email addresses, passwords, security questions, and maybe credit card details of all PSN users.
At first, the most likely explanation for the PSN's downtime was a continuation of Anonymous's DDoS reprisal for Sony's persecution of PlayStation 3 jailbreaker George Hotz (geohot). Then, as the outage extended past a few days, and Sony announced that it was "rebuilding" its network due to an "external intrusion," it became apparent that this was much more than a simple, brute-force denial-of-service attack. Today's announcement by Sony confirms that the PlayStation Network's security mechanisms were fully circumvented, and that at least one of its most sensitive databases was breached and accessed sometime between April 17 and 19.
How was the PlayStation Network hacked, though? Ironically, for security reasons, and because Sony is historically very tight-lipped on such matters, we will probably never know the exact attack vector -- but we can certainly make some well-educated guesses about how the PlayStation Network was hacked. First, given its proximity to Anonymous's recent attacks, it's likely that the database breach is somehow related. It's safe to assume that Anonymous could have learned about a weakness in the PSN's security mechanisms, and then passed that data on to another group of hackers -- and from there, if the hole was big enough, the attackers might have been able to simply step right in with an SQL injection attack.