PSN database with 2.2 million credit card details up for sale?

The folks over at the PSX-Scene forums are reporting that over 2.2 million customers' names, addresses, phone numbers and credit/debit card information are up for grabs to the highest bidder, including the crucial three-digit CVV2 numbers. According to the forum post, rumors are spreading through underground trading forums and on Twitter that the database is for sale, "a large section of the PSN database containing complete personal details along...are being offer up for sale."

The post explains how the hackers allegedly attempted to sell the details to Sony for an unknown amount but failed to get a reply, so instead they are trying to sell them to anyone with enough money. Kevin Stevens, a security researcher, has been following the story and tweeted earlier, "Supposedly the hackers selling the DB says it has: fname, lnam, address, zip, country, phone, email, password, dob, ccnum, CVV2, exp date", but added that "it is not a rumor, it was a conversation on a criminal forum."

Neowin has previously reported on the PlayStation Network hack, and the latest news, if authentic, is bound to be very alarming to the millions of customers affected by the security breach. Sony confirmed the attack and the possibility of sensitive information being stolen in a blog post on their website, and then urged its users to be aware of any email, telephone and postal scams that may ask users for sensitive information.

99 Comments

Ryoken said,
If you have access to the decryption keys you can decrypt it.. And depending on what they took, they could have that too..

lol, bit like leaving your keys inside your super secure ignition car. Somebody smashes in and drives away your car. What un-logical brain fart would do that now...

I blame Microsoft for hiring hackers to get PS3 users addresses so they can mail them advertisements for the Xbox.. jk lol

Probably some Xbox user made this rumor up...
They already said that CVV2 info was not stored so I don't believe this for one second...

This is all BS. You never had to enter CCV number. Sony has said the database was encrypted. Nobody knows anything about this except for Sony and whoever perpetrated the crime, yet everybody is an expert on speculating on what happened or is going to happen.

All in all just get your CC reissued. Not that hard and you keep all your statements etc. on the new card. I just hope the hackers get caught for wasting most of our time except those kiddies that just want to play cod all day or whatnot.

this is ridiculous. so trust sony is handling this responsibly *sigh* or get your credit cards reissued and all the nightmares and time that entails.

I doubt that this is a situation where some small band of disorganised hackers obtained this data and is now trying to offload it on forums somewhere. The much more likely scenario is that hackers from organised crime groups gained access and are using the information for identity fraud.

Using biographical data to create fake identities, get loans, passports etc. is much more valuable than ripping off Joe Blow for his weekly paycheck.

I'll say it again: I think you should call your credit or debit card company and get them to cancel your current number and issue you a new one. I did this and I told them why (about the Sony situation) and they knew about it and were happy to oblige.

Exactly this! I'm not exactly understanding the big deal on this. Yes, Sony should have been more careful with our information, and sure it's a hassle for us now, but you call the bank up, cancel your card (stating this debacle with Sony as the reason) and they'll send you a new one, making your card details that the hackers have meaningless.

Intrinsica said,
Exactly this! I'm not exactly understanding the big deal on this. Yes, Sony should have been more careful with our information, and sure it's a hassle for us now, but you call the bank up, cancel your card (stating this debacle with Sony as the reason) and they'll send you a new one, making your card details that the hackers have meaningless.

even if everyone who has a psn account calls their bank and gets a new card, the other info the crackers have is enough to cause a headache or two for anyone they decide to use in getting credit in their names.

Why are members on that forum not blurred out? They are just talking about it and may/may not have to do anything with it....Kinda unfair.

Well Sony said there was no evidence to suggest credit card numbers were taken, convenient phrasing indeed since it doesn't really state anything as fact. Either way, we'll know eventually.

The people who may have a real headache waiting are the ones who use the same email/username + password combo on multiple sites or services with access to their cc info. The pw I use for PSN (if they have those, no authentication algorithm I've ever seen stores or sends passwords in plaintext) is different than any other service I use.

I didn't take any chances. I already canceled my debit card and got a new one. What's upsetting is that I can't watch my Hulu Plus on my Playstation. Thank God for Netflix and that it still works even with the authentication errors.

It would be nice if Sony would call me or at least send me an e-mail. Not that I care - one can skim my card at the gas station or steal my details from the hotel statement. That's why all credit cards are insured. I pay zero excess on fraudulent transactions and so far didn't have any hassles with my bank (happened once).

Breach said,
It would be nice if Sony would call me or at least send me an e-mail. Not that I care - one can skim my card at the gas station or steal my details from the hotel statement. That's why all credit cards are insured. I pay zero excess on fraudulent transactions and so far didn't have any hassles with my bank (happened once).

Sony Europe did send out an email which claims to have come from

"PlayStation <news@emails.eu.playstation.com>"


The sending server was sonyplaystn.bounce.ed10.net apparently so looks like they used an external mass mailing provider.


Service Update - Important information for registered users of PlayStation Network and Qriocity services

Valued PlayStation Network/Qriocity Customer:

We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:
1) Temporarily turned off PlayStation Network and Qriocity services;
2) Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
3) Quickly taken steps to enhance security and strengthen our network infrastructure by re-building our system to provide you with greater protection of your personal information.
We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, to be on the safe side we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security, tax identification or similar number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.

To protect against possible identity theft or other financial loss, we encourage you to remain vigilant to review your account statements and to monitor your credit or similar types of reports.

We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority. Please contact us at http://www.eu.playstation.com/psnoutage should you have any additional questions.

Sincerely,
Sony Network Entertainment and Sony Computer Entertainment Teams

Sony Network Entertainment Europe Limited (formerly known as PlayStation Network Europe Limited) is a subsidiary of Sony Computer Entertainment Europe Limited the data controller for PlayStation Network/Qriocity personal data

