Five years ago, PlayStation Network was hacked and the personal details of 77m users accessed.

It was the largest security breach of its kind to ever hit console gamers, and an event with huge repercussions for PlayStation - both in the short term for its users, left for weeks without access to online services, and longer term as Sony sought to win back customer trust.

3

It began with Anonymous, the umbrella-term hacktivist group which had been bombarding Sony's servers with distributed denial of service (DDOS) attacks. Anonymous had brought PSN to its knees several times in April 2011 in the run-up to the actual privacy breach.

Anonymous was upset with Sony's "wholly unforgivable" legal actions against PS3 jailbreaker George "Geohot" Hotz. In Anonymous' eyes, the information Geohot had discovered - how to run pirated games, how to run homebrew software - was now in the public domain, and if anything, Hotz had done Sony a favour by exposing the company's own loophole.

The group eventually halted its attacks, accepting they were only hurting Sony's end users: the gamers. But, a couple of weeks later, on 19th April 2011, PSN was hit again. This time, it was different.

Two days passed, then Sony itself quietly pulled PSN offline.

"As you are no doubt aware, the current emergency outage is continuing this afternoon and all Sony Online Network services remain unavailable," the platform holder informed PSN users on 21st April.

"Our support teams are investigating the cause of the problem, including the possibility of targeted behaviour by an outside party. Our engineers are continuing to work to restore and maintain the services, and we appreciate our customers' continued support."

It was the first day of the PSN outage. The network would not come online again for another three weeks, until 14th May.

As the first day wore on, Sony warned customers it might take up to 48 hours before they could log in again.

The following day, Sony confessed - there had been an "external intrusion" and it was now conducting a "thorough investigation to verify the smooth and secure operation of our network services going forward".

But, so far, there had been no warning anyone's personal details were at risk. That news would not be confirmed by Sony for another four days.

A week into the outage, and Sony had remained silent on the exact cause. Speculation centred on Sony pulling the plug on PSN to thwart further attempts at its systems. But the updates from Sony itself remained positive, if slightly evasive. Sony engineers were "working around the clock" to restore services, PSN users were repeatedly reassured.

It was the evening of 26th April when Sony finally broke the bad news: the personal details of millions had been compromised.

"Although we are still investigating the details of this incident, we believe that an unauthorised person has obtained the following information that you provided," Sony admitted.

This meant users' names, home addresses, email addresses, birth dates, PSN passwords and usernames.

PSN profile data, purchase history and billing address and security question answers were also at risk.

Worse, Sony could "not rule out the possibility" that credit card data had also been stolen.

"If you have provided your credit card data through PlayStation Network, to be on the safe side we are advising you that your credit card number (excluding security code) and expiration date may have been obtained," Sony concluded. Oops.

When word broke that personal details had indeed been stolen, gamers were understandably incensed. Not only had Sony's systems failed, the company had taken a full week to make PSN users aware.

For a taste of how we were feeling at the time, Rich wrote this piece on the security side of things, and how hackers had posted chat logs talking of Sony's outdated security. He deemed the hack "one of the biggest security breaches of the internet age".

Within hours, an embattled Sony was forced to explain why it had waited so long to tell its customers the extent of the damage.

"There's a difference in timing between when we identified there was an intrusion and when we learned of consumers' data being compromised," Sony's director of communications Patrick Seybold said.

"We learned there was an intrusion 19th April and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident.

"It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon."

PSN users rushed to change their passwords elsewhere - but could not alter their details on PSN itself as the service remained offline.

Within 24 hours, the first class action lawsuit had been filed. Meanwhile, analysts were quick to point out the huge task Sony had ahead of it to regain user trust.

In the days that followed, PSN stayed offline. Anonymous was implicated in the attack, the UK government weighed in and promised an investigation from the Information Commissioner's Office, and Sony Corporation boss Sir Howard Stringer posted an open letter of apology.

"Dear Friends, I know this has been a frustrating time for all of you," Stringer wrote. "To date, there is no confirmed evidence any credit card or personal information has been misused, and we continue to monitor the situation closely."

On 1st May, Sony hosted a press conference in Tokyo to outline the new security measures it was implementing. More apologies were offered, and a "Welcome Back" programme for PSN customers was outlined for when the service resumed.

PS3 and PSP owners would be offered two free games per system, along with 30 days free PlayStation Plus subscription. Sony also said it would offer subscribers a year of free identity theft protection.

Many were pleased at the announcements, although some PS3 owners complained they had all the titles on offer already.

PS3 owners had a choice of Dead Nation, Infamous, LittleBigPlanet, Ratchet & Clank: Quest for Booty and Wipeout HD + Fury. PSP owners got to choose two games from LittleBigPlanet PSP, Modnation Racers, Pursuit Force and Killzone Liberation.

New PSN security measures promised included higher levels of data protection and encryption, additional firewalls plus new early warning software.

"This criminal act against our network had a significant impact not only on our consumers, but our entire industry," Sony exec Kazuo Hirai said at the time. "We have learned lessons along the way about the valued relationship with our consumers."

But questions remained around how hackers had managed to access the information in the first place. Evidence uncovered in the days following pointed to Sony's systems previously being "obselete" and "long-outdated" - charges which Sony subsequently flatly denied. However, a later report suggested Sony had let go security staff prior to the attack and ignored warnings that a privacy breach was possible.

By mid-month, Sony was beginning to restore PSN functionality in phases, region by region, service by service. PSN returned to life in the UK on 14th May.

Gamers weren't the only ones affected. Sony was forced to apologise to developers whose game launches were disrupted by the attack, or whose online services were rendered unavailable. Capcom exec Christian Svensson was one of few to speak publicly, memorably complaining he was "frustrated and upset" the publisher was down "hundreds of thousands, if not millions, of dollars".

Others were less fazed. Speaking to Eurogamer, Gravity Crash developer and Just Add Water boss Stewart Gilray called the furore over the hack "a lot of wind and piss".

Inevitably, when PSN did return, there were several days of teething problems as all users were made to request a password reset via email - which then crashed Sony's email server.

Sony initially estimated the hack would cost it at least Ł105m, although the company later suggested the impact had not been as financially damaging as it once feared.

PSN bounced back, adding another three million users in the four months following the attack. Jack Tretton, then Sony US boss, tackled the issue head on at the start of Sony's E3 2011 press conference, apologising again for the "anxiety caused".

"You are the lifeblood of the company," Tretton said. "Without you there is no PlayStation. I want to apologise personally. It's you that causes us to be humbled and amazed by the support you continue to give."

Sony at one point faced 55 class action lawsuits and eventually agreed to offer up further compensation for those affected. Details of this took until last year to be finalised, by which time PS3 had long been replaced, and the success of PS4 had made the whole saga a distant memory.

But Sony is still upgrading its systems - just last week, Sony announced it would finally introduce two-step verification, three years after Microsoft did the same for Xbox Live. There have been no widespread security breaches since, although console networks remain vulnerable to concerted DDOS attacks - as seen when both PSN and Xbox Live failed over Christmas 2014.

Watching the PSN hack unravel from the sidelines and seeing Sony pick up the pieces, I can't remember another event to affect so many gamers simultaneously and - at the time, at least - cause so many to worry for their own details' safety. For PlayStation owners, developers and Sony itself, here's hoping there's never another situation quite like it.

Sometimes we include links to online retail stores. If you click on one and make a purchase we may receive a small commission. For more information, go here.

Jump to comments (41)

About the author

Tom Phillips

Tom Phillips

News Editor

Tom is Eurogamer's news editor. He writes lots of news, some of the puns and all the stealth Destiny articles.

More articles by Tom Phillips

Comments (41)

Hide low-scoring comments
Order
Threading

Related

It's over: PlayStation Home has closed

Time of death: 8.02am BST.

PlayStation Home is shutting down next year

Will cease letting EU players download content in December.

PlayStation Home is getting an update

UPDATE: New Trophies revealed.

PlayStation Home updates to cease in Japan, UK unaffected

New content still headed to Europe and North America.