Sony has created a public service announcement after their latest breach. They encourage users to choose a strong password.
We want to take this opportunity to remind our consumers about the increasingly common threat of fraudulent activity online, as well as the importance of having a strong password and having a username/password combination that is not associated with other online services or sites. We encourage you to choose unique, hard-to-guess passwords and always look for unusual activity in your account.
That’s because they are watching an increase in unauthorized access attempts to user accounts
We want to let you know that we have detected attempts on Sony Entertainment Network, PlayStation Network and Sony Online Entertainment (“Networksâ€) services to test a massive set of sign-in IDs and passwords against our network database.
[…]
Less than one tenth of one percent (0.1%) of our PSN, SEN and SOE audience may have been affected. There were approximately 93,000 accounts globally (PSN/SEN: approximately 60,000 accounts; SOE: approximately 33,000) where the attempts succeeded in verifying those accounts’ valid sign-in IDs and passwords, and we have temporarily locked these accounts. Only a small fraction of these 93,000 accounts showed additional activity prior to being locked.
At this point you might, like me, be thinking that someone is using a database of user accounts that was stolen in an earlier breach from Sony. Users who logged in after the last breach had to change their passwords. The accounts that had no “additional activity” must have been the ones that were enabled again but never used again — dormant with an old password.
But that’s not what Sony says in their announcement. They seem to suggest that passwords are changed so infrequently a bad password match from an attacker proves that the user IDs were not stolen from Sony.
These attempts appear to include a large amount of data obtained from one or more compromised lists from other companies, sites or other sources. In this case, given that the data tested against our network consisted of sign-in ID-password pairs, and that the overwhelming majority of the pairs resulted in failed matching attempts, it is likely the data came from another source and not from our Networks