Data breach · Resolved

Sony PlayStation Network breach

Intruders penetrated Sony's PlayStation Network and Qriocity, compromising personal data on roughly 77 million accounts and forcing a 23-day global outage — one of the largest consumer data breaches of its time.

Victim: Sony Network Entertainment / Sony Computer Entertainment
Loss: $171.0M
Records: 77.0M
Users: 77.0M

On 26 April 2011, Sony confirmed that intruders had breached its PlayStation Network (PSN) and Qriocity streaming service, exposing personal data on roughly 77 million accounts. The company had already taken the services offline days earlier, beginning a 23-day global outage that left tens of millions of gamers locked out and turned the incident into one of the most visible consumer data breaches of its era.

What happened

The intrusion occurred between roughly 17 and 19 April 2011. On 20 April, after detecting unauthorized activity, Sony abruptly took PSN and Qriocity offline — initially offering little explanation, which fueled days of confusion and criticism. It was not until 26 April that Sony confirmed the scope: attackers had obtained account data including names, physical and email addresses, birthdates, account login IDs and passwords, and potentially purchase history and security questions.

Sony said it could not rule out that credit-card data was also taken; press reporting at the time put the number of cards potentially involved at around 10 million, though Sony stated the card table was encrypted. Days later, the company disclosed a separate breach of Sony Online Entertainment, adding roughly 24.6 million more accounts to the total.

The outage

The breach was as much an availability event as a data-confidentiality one. With PSN down, online multiplayer, the PlayStation Store, and Qriocity streaming were all unavailable for about 23 days — at the time the longest PSN outage in its history. Sony rebuilt and re-secured its network infrastructure before bringing services back in phases starting 14 May 2011, and launched a "Welcome Back" program offering free games and content to win back trust.

Impact

  • Personal data on approximately 77 million PSN/Qriocity accounts was compromised, with about 24.6 million more affected via Sony Online Entertainment.
  • The network was offline for roughly 23 days (about 552 hours), disrupting tens of millions of users.
  • Sony estimated breach-related costs at around $171 million.
  • In 2014, Sony agreed to a class-action settlement valued at up to $15 million in games, virtual currency, and identity-theft reimbursement. UK regulators separately fined Sony for the breach.

Why it matters

The PSN breach was a watershed for consumer-facing platform security and for breach-disclosure expectations. Sony was widely criticized for the delay and vagueness of its early communications — a cautionary example studied in incident-response training ever since. It also demonstrated that an online entertainment platform holds the same sensitive identity and payment data as a bank, and must defend it accordingly. The event hardened public and regulatory expectations around timely, candid breach notification and helped catalyze the broader push for stronger data-protection enforcement in the years that followed.

Financial impact

Reported costs in USD

Total reported loss: $171.0M (USD · $171,000,000)
  • Business loss: $171.0M
  • Fines & settlements: $15.0M

Timeline

  1. Intruders penetrate the PlayStation Network and Qriocity services; the compromise occurs between roughly 17 and 19 April.

  2. Sony takes the PlayStation Network and Qriocity offline, beginning what becomes a 23-day global outage.

  3. Sony publicly confirms that personal data on approximately 77 million accounts was compromised, including names, addresses, birthdates, and login credentials.

  4. Sony executives hold a press conference in Tokyo apologizing for the breach and announcing a 'Welcome Back' program of free content.

  5. Sony discloses an additional breach of Sony Online Entertainment, affecting roughly 24.6 million more accounts.

  6. Sony begins phased restoration of PlayStation Network services after about 23 days offline.

  7. Sony agrees to a class-action settlement valued at up to $15 million in games, currency, and identity-theft reimbursement.
