Ever since the PSN went down, and Sony admitted that the cause was an “external intrusion,” the biggest fear for PS3 owners was the issue of compromised information. If someone had breached the PSN, then their personal info and passwords were at risk – god forbid their credit card information was stolen.
In official blog posts, Sony eventually told users that their personal info had in fact been compromised. This included names, email addresses, preferences and passwords. They said and still maintain that there is no hard evidence that credit card information was stolen. Even in saying this, they have still warned users that this worst case scenario remains a possibility.
Bad, bad news for Ps3 owners and Sony. The New York Times is reporting that security researchers suspect that the hackers who infiltrated the PSN have in fact stolen credit card information.
The Times talked to Kevin Stevens, a researcher at security firm Trend Micro. He says that he has seen posts on several hacker forums that as many as 2.2 million credit card numbers, expiration dates and possibly CVV2 numbers have been obtained. Stevens says that the hackers were trying to sell the information for upwards of $100,000.
Bizarrely enough, Stevens also says that hackers had even offered to sell the numbers back to Sony, but had received no response. Stevens was not the only security researcher to report these findings, as several others confirmed the reports.
Sony has been pretty tight-lipped about the entire ordeal, and their lack of transparency has infuriated many PS3 loyalists. Sony recently said that the “entire credit card table was encrypted” but apparently that doesn’t matter. From the Times:
“Sony is saying the credit cards were encrypted, but we are hearing that the hackers made it into the main database, which would have given them access to everything, including credit card numbers,” said Mathew Solnik, a security consultant with iSEC Partners who frequents hacker forums to track new hacks and vulnerabilities that could affect his clients. Mr. Solnik said that people on the forums had details about the servers used by Sony, which may indicate that they had direct knowledge of the attack.
This situation just keeps getting worse.
There have been no new updates to the official PlayStation blog since this information came out. The latest blog post has some new additions to the FAQ about the outage which discuss goodwill gestures to users when it’s all said and done. With lawsuits already popping up, simple goodwill gestures might not be enough to satisfy.