Sensitive personal details of tens of millions of internet users have been stolen by hackers in one of the biggest ever cases of data theft, it has emerged.
Fraudsters have obtained data on millions of online video gamers after targeting Sony’s PlayStation Network.
The electronics giant is contacting around 70 million customers warning that details including their names, addresses, dates of birth, passwords and security questions have been stolen.
Sony also admitted that the hackers may have gained access to people’s credit card details.
The network provides online video gaming services and allows streaming of films and music via the internet.
It requires members to submit credit card and personal details to subscribe.
PlayStation Network members have also endured a week without online gaming access after the Japanese giant pulled the plug on the service last Wednesday and has spent the past week investigating the breach.
Experts described the security breach as a “nightmare” scenario, which could leave millions of PlayStation users open to identity and credit card fraud.
The theft is particularly worrying due to the variety of information stolen and because many people use the same passwords for all their online services such as email, internet shopping and online bank accounts.
It also comes as an embarrassment to Sony and could deal a severe blow if customers lose confidence in its security systems.
In a statement to be emailed to millions of PlayStation Network users worldwide, Sony warned: “We believe that an unauthorised person has obtained the following information that you provided: name, address, country, email address, birth date, PlayStation Network/Qriocity password and login.
“While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility.
“If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
“For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information.
“To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports.”
Sony took down the network and Qriocity last Wednesday after suffering what it described as “an external intrusion on our system” but has until now remained tight-lipped about speculation that customers’ financial details had been stolen.
Online security experts last night said the revelation could deal a “devastating blow” to Sony and questioned the company’s monitoring of threats to its systems.
Graham Cluley, senior technology consultant at Sophos, a security and data protection service, said: “This certainly ranks as one of the biggest data losses ever to affect individuals.
“This is not just a nightmare for Sony, but also worrying news for the millions of people who use the network. Once again users will have their confidence shaken by a major company losing their personal information.”
Robert Siciliano, McAfee consultant and identity theft expert, added: “Many people use the same usernames and passwords for several accounts.
“If the bad guys have that information, they can use it to access social networking and banking accounts, and that’s where the problems begin.
“They can log into your email and change the password and go through looking for other accounts. There’s no end to what they can do.There’s enough data that the bad guys can turn that into cash with relative ease.”
Though it is by no means uncommon for user data to be stolen by hackers, this is one of the largest and most high profile online data thefts to come to light.
Earlier this month, US firm Epsilon, which manages data for companies including Barclaycard, Citigroup and hotel chain Marriott, confirmed that millions of email addresses had been stolen in an attack on its servers. However, the data stolen in this case was limited only to email addresses.
In March, online retailer Play.com warned that customer emails and some personal information had been stolen, though the company stressed that credit card details were safe. In January, cosmetics firm Lush admitted that credit card details belonging to some of its customers had been stolen in the run-up to Christmas. The company advised customers to contact their bank.
The company is likely to face questions about when it knew that customer data had been stolen and why it waited so long before issuing a statement.