PlayStation hack: credit card data 'for sale'
Hackers have claimed they are trying to sell PlayStation owners’ credit card details, stolen in a huge security breach of Sony’s online gaming network.
The unverified claims were relayed by security researchers who have been trying to find out more about the breach in underground forums.
After it disclosed the breach on Tuesday, Sony said that the unencrypted non-financial details of 77 million PlayStation Network and Qriocity users were stolen, but that it had no evidence that a separate encrypted data table of credit card information was accessed.
However, security researcher Kevin Stevens said a database of 2.2 million PlayStation Network credit cards was being offered for sale on hacker forums.
He said criminals were seeking more than $100,000 for the information, which included full names, addresses, PlayStation Network usernames and passwords, and credit card numbers and expiry dates. Crucially, the sellers also claimed to have the three-digit security codes from the back of the cards.
“I never saw the database so I can't verify if it is real,” he added.
Forum postings also claimed that the thieves had tried to sell the data back to Sony but did not receive a response.
The firm switched off its systems and called in the FBI when it realised it had been hacked on 20 April. The services remain offline and are not expected to return until at least Wednesday as Sony is moving them to a more secure data centre.
Mathew Solnik, a security consultant with iSEC Partners, told the New York Times: “Sony is saying the credit cards were encrypted, but we are hearing that the hackers made it into the main database, which would have given them access to everything, including credit card numbers.”
He added that researchers believe the hackers gained access by first hacking a PlayStation console, which they used to infiltrate Sony’s servers.
Even without credit card data, the theft is already considered among the biggest in history and Sony is likely to face a barrage of lawsuits over its security procedures.