It’s only been a year now, but the lingering sting of when the PlayStation Network was taken offline by hackers, and the potential involvement of Anonymous in the initial hack, still aches like a sore tendon. As a result, when rumors arise that the hacktivist collective has been on the prowl and 0wnzored the same target it did last year, ears perk up. However, there’s no need for alarm, no need to change passwords (unless you’re smart and paranoid). Keep calm and carry on for real this time.
Last week, the news hit the wire that Anonymous had claimed to have hacked Sony’s PSN again. This claim barely made a blip on my radar because there was little reason to believe it was true (after all, last time the entire PSN went away for an entire month, and I would have noticed that). Instead, it was some mouthpiece of the enigmatic and nebulous collective claiming to have pwned the system and exfiltrated some 10 million user accounts.
In the hacking news community we’ve gotten used to big numbers of leaked credentials, especially from large companies. After all, Blizzard got hacked this month and they have 9 million current subscribers (and even more past subscribers). In a show of good faith that a hack happened, the collective cell posted 3,000 of the credentials in a Pastebin post on August 14. At the time, curious folks wondered: Legit? Maybe.
Tweets went out crowing about the victory, but the Internet (and Sony) seemed oddly calm for the calamity that was claimed.
It didn’t take long for Sony themselves to get on the bluebird and emit some tweets of their own, countering the claim and denouncing the hack as fraudulent.
Even before Sony made it to the end of their own branch to tweet their denouncement, other users had already started poring over the logs released by the Anonymous cell and discovered something not so kosher about them. We’d seen these credentials before, a year before. They were portions of the original leak that had taken down the PSN, repackaged, rehashed, and used for some cheap publicity.
This particular tactic has been seen before in claimed leaks; in fact, Twitter had an apparently fake leak of 55,000 passwords aimed at them in May. After cryptohounds went over that leak and cleaned out most of the duplicates, they discovered that many of them seemed to be algorithmically generated (potentially spambots) and others also found that many of them matched a previous leak from LulzSec.
Hacking researchers and cybersecurity organizations around the globe collect and keep previous leaks that have been released into the wild, and many of them consult with large organizations such as Twitter and Sony. When a leak is published on Pastebin, they can examine their own data logs from these past public password spills to determine if we’re just looking at something gussied up to look like the real thing.
Of course, no doubt they also audit their systems to make certain nothing fishy has happened beforehand, and they have a vested interest in telling customers, “No we were not hacked, there’s no evidence anything was taken or any breach happened,” but being able to point out that a leak is fake certainly goes a long way toward lending credibility to their own perception of security.
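The comparison described above, checking a newly posted dump against archived earlier leaks, can be sketched as follows. This is an added example, not code from the article or from any organization it mentions; the `account:password` line format, the archive name `dump_2011` and all sample records are constructed assumptions.

```python
import hashlib

def fingerprint(line, sep=":"):
    """Return a SHA-256 digest for one 'account:password' record, or None if unparseable."""
    line = line.strip()
    account, found, secret = line.partition(sep)  # split on the first separator only
    if not found or not account:
        return None
    # Account names are compared case-insensitively, passwords exactly.
    record = account.strip().lower() + "\x00" + secret
    return hashlib.sha256(record.encode("utf-8")).hexdigest()

def load_fingerprints(lines):
    """Archive side: keep only digests, so the archive need not store plaintext."""
    return {fp for fp in map(fingerprint, lines) if fp}

def triage(claimed_lines, archive):
    """Compare a claimed dump against {name: fingerprint set} of earlier public leaks."""
    raw = [fp for fp in map(fingerprint, claimed_lines) if fp]
    unique = set(raw)
    report = {"records": len(raw), "unique": len(unique),
              "duplicates": len(raw) - len(unique), "overlap": {}}
    recycled = set()
    for name, known in archive.items():
        hits = unique & known
        recycled |= hits
        report["overlap"][name] = len(hits)
    # Share of distinct records that already appeared in an earlier leak.
    report["recycled_ratio"] = len(recycled) / len(unique) if unique else 0.0
    return report

# Constructed sample data: an archived earlier dump and a newly "claimed" one.
OLD_DUMP = ["alice@example.com:hunter2", "bob@example.com:letmein",
            "carol@example.com:qwerty1", "dave@example.com:pass1234"]
CLAIMED = ["Alice@Example.com:hunter2",      # same record, different case
           "bob@example.com:letmein ",       # trailing whitespace
           "bob@example.com:letmein",        # padding duplicate
           "carol@example.com:qwerty1",
           "erin@example.com:newsecret",     # not seen before
           "garbage line without separator"]

if __name__ == "__main__":
    archive = {"dump_2011": load_fingerprints(OLD_DUMP)}
    print(triage(CLAIMED, archive))
```

A high `recycled_ratio` together with many internal duplicates is the pattern the article describes for repackaged dumps; a low ratio proves nothing by itself and still calls for the system audit mentioned above.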
Maybe next time, people.