Security researchers say hackers claiming to have credit card information stolen from Sony's PlayStation Network last week are trying to sell that information on underground Internet forums, but the veracity of the claims could not be confirmed.
Sony warned its more than 70 million customers on Tuesday that their personal information--including customer names, addresses, e-mail addresses, birthdays, network passwords, and user names, as well as online user handles--was obtained illegally by an "unauthorized person." Sony responded to the intrusion, which occurred between April 17 and 19, by temporarily disabling PSN and Qriocity, its subscription music service, and contracting with an outside security firm to investigate the intrusion on its network.
"While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility," a company spokesman wrote Tuesday. Sony said in an FAQ posted today that the credit card data was encrypted and reiterated that it had no evidence the data was stolen.
However, Kevin Stevens, a security expert with Trend Micro, said in a tweet today he had seen discussions on online forums in which the purported hackers were offering to sell a database of 2.2 million Sony customer credit card numbers stolen during the PSN attack.
"Sony was supposedly offered a chance to buy the DB [database] back but didn't," Stevens said, adding that, "No, I have not seen the DB so I can not verify that it is true."
"Supposedly the hackers selling the DB says it has: fname, lnam, address, zip, country, phone, email, password, dob, ccnum, CVV2, exp date," he said, referring. The less obvious acronyms refer to credit card holders' first name, last name, credit card number, and credit card security code.
Internet security blogger Brian Krebs, who noted witnessing similar activity, posted screenshots of the discussion on his Krebs on Security blog.
Neither Stevens nor Krebs said they had seen the actual database, but the information may already be circulating among cybercriminals. Reports began trickling out yesterday from PSN users about recent fraudulent charges on the credit cards they used for the PlayStation service.
An employee of GameFly Media tweeted that a colleague's card was used to buy $1,500 worth of goods at a grocery store in Germany. Meanwhile, a reader of gaming site VGN365 said his bank had informed him of a fraudulent $300 debit card withdrawal this weekend. And another person reported on video game forum site Neogaf.com $600 in fraudulent withdrawals.
The breach has already prompted a lawsuit and a letter to Sony from Connecticut Sen. Richard Blumenthal saying he was troubled the company took a week to notify customers of the breach and urging Sony to provide free credit protection services to prevent identity fraud and theft.
Update April 29 at 1:47 p.m. PT The source of the initial tip, Trend Micro's Kevin Stevens, downplayed the significance of the finding today, posting a message on Twitter saying: "This #PSNHack is turning into a bunch of FUD, it really is. I posted up what I saw to warn people, not to incite the masses to create FUD."