The stolen credit card details from the Playstation hack is reportedly up for sale on hacker forums
Credit card data that was stolen during the Playstation data breach is reportedly up for sale on hacker forums.
Sony was forced to close down both its Playstation Network and the Qriocity music service after a damaging attack on 20 April that saw hackers steal the details of 77 million user records.
However the consumer giant did not endear itself to its customers and critics because it only revealed the reason for the shutdown a week after the event took place.
Credit Card Uncertainty
Sony said that the hackers had stolen personal information (names, street addresses, email addresses), but to make matters worse it was not sure whether the hackers actually managed to lift user’s credit card details.
“While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility,” Patrick Seybold, Sony’s senior director of corporate communications and social media, wrote on the company blog.
Yet despite Sony’s claims, security researchers are saying that hackers are bragging on forum discussions that they have credit card numbers in their possession.
According to the New York Times, the hackers are threatening to sell the information for up to $100,000 (£60,000).
This is according to Kevin Stevens, senior threat researcher at Trend Micro. He tweeted that the hackers had a database of 2.2 million credit cards, which contains full names, addresses, PlayStation Network usernames and passwords, and credit card numbers and expiry dates.
And if things were not bad enough for Sony, the hackers also claimed to have the three-digit security codes from the back of the cards.
“I never saw the database so I can’t verify if it is real,” Stevens was quoted as saying in the Telegraph.
That newspaper said that forum postings also claimed that the thieves had tried to sell the data back to Sony but did not receive a response.
Sony for its part has switched off its Playstation Network and the Qriocity music service and has called in the assistance of the FBI. The services are not expected to return back online until at least Wednesday as Sony is moving them to a more secure data centre.
“Sony is saying the credit cards were encrypted, but we are hearing that the hackers made it into the main database, which would have given them access to everything, including credit card numbers,” Mathew Solnik, a security consultant with iSEC Partners was quoted by the New York Times.
Solnik apparently frequents hacker forums to track new hacks and vulnerabilities that could affect his clients. He said that people on the forums had details about the servers used by Sony, which may indicate that they had direct knowledge of the attack.
Even if the reports of credit card data for sale proves false, the data breach is extremely serious and Sony is likely to face lawsuits.
Meanwhile in the UK, the Information Commissioner’s Office (ICO) has revealed it is investigating the Sony breach with a view to taking action on behalf of the company’s three million registered UK users.