Hacked Playstation Credit Card Info Put Up For Sale


Security researchers say hackers claiming to have credit card information stolen from Sony's PlayStation Network last week are trying to sell that information on underground Internet forums, but the veracity of the claims could not be confirmed.


Sony warned its more than 70 million customers on Tuesday that their personal information--including customer names, addresses, e-mail addresses, birthdays, network passwords, and user names, as well as online user handles--was obtained illegally by an "unauthorized person." Sony responded to the intrusion, which occurred between April 17 and 19, by temporarily disabling PSN and Qriocity, its subscription music service, and contracting with an outside security firm to investigate the intrusion on its network.


"While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility," a company spokesman wrote Tuesday. Sony said in an FAQ posted today that the credit card data was encrypted and reiterated that it had no evidence the data was stolen.


However, Kevin Stevens, a security expert with Trend Micro, said in a tweet today he had seen discussions on online forums in which the purported hackers were offering to sell a database of 2.2 million Sony customer credit card numbers stolen during the PSN attack.


"Sony was supposedly offered a chance to buy the DB [database] back but didn't," Stevens said, adding that, "No, I have not seen the DB so I can not verify that it is true."


"Supposedly the hackers selling the DB says it has: fname, lnam, address, zip, country, phone, email, password, dob, ccnum, CVV2, exp date," he said. The less obvious acronyms refer to credit card holders' first name, last name, credit card number, and credit card security code.


Internet security blogger Brian Krebs, who noted witnessing similar activity, posted screenshots of the discussion on his Krebs on Security blog.


Neither Stevens nor Krebs said they had seen the actual database, but the information may already be circulating among cybercriminals. Reports began trickling out yesterday from PSN users about recent fraudulent charges on the credit cards they used for the PlayStation service.


An employee of GameFly Media tweeted that a colleague's card was used to buy $1,500 worth of goods at a grocery store in Germany. Meanwhile, a reader of gaming site VGN365 said his bank had informed him of a fraudulent $300 debit card withdrawal this weekend. And another person reported on video game forum site Neogaf.com $600 in fraudulent withdrawals.




The breach has already prompted a lawsuit and a letter to Sony from Connecticut Sen. Richard Blumenthal saying he was troubled the company took a week to notify customers of the breach and urging Sony to provide free credit protection services to prevent identity fraud and theft.




Interesting article as usual, Sweidre. I do remember when the DRM root-kit debacle emerged. So this isn't the first time Sony has been in hot water. Here is an excerpt from your link that is worth posting, I believe.


What to do

If you are a user of the PlayStation Network, there are a few things you should do to protect yourself now and in the future:

  • You may want to replace any credit cards whose numbers have been used with PSN.
  • You may want to check any other private information used with PSN to see what could be at risk.
  • You may want to watch your accounts and credit activity like a hawk for a while.
  • You may want to change any passwords related to PSN or SOE at your earliest opportunity, just in case your accounts survive cancellation in a way that can be later exploited, then cancel those accounts.


The Associated Press is reporting that millions more accounts may have been compromised than originally reported. This story just continues to get worse! Read on!

NEW YORK – Sony Corp. said Monday that hackers may have taken personal information from an additional 24.6 million user accounts after a review of the recent PlayStation Network breach found an intrusion at a division that makes multiplayer online games.


The data breach comes on top of the 77 million PlayStation accounts it has already said were jeopardized by a malicious intrusion.


The latest incident occurred April 16 and 17 — earlier than the PlayStation break-in, which occurred from April 17 to 19, Sony said.


About 23,400 financial records from an outdated 2007 database involving people outside the U.S. may have been stolen in the newly discovered breach, including 10,700 direct debit records of customers in Austria, Germany, the Netherlands and Spain, it said.


The outdated information contained credit card numbers, debit card numbers and expiration dates, but not the 3-digit security code on the back of credit cards. The direct debit records included bank account numbers, customer names, account names and customer addresses.


Company spokeswoman Taina Rodriguez said Sony had no evidence the information taken from Sony Online Entertainment, or SOE, was used illicitly for financial gain.


"We had previously believed that SOE customer data had not been obtained in the cyber-attacks on the company, but on May 1 we concluded that SOE account information may have been stolen and we are notifying you as soon as possible," Sony said in a message to customers.


Sony said that it shut service Monday morning to Sony Online Entertainment games, which are available on personal computers, Facebook and the PlayStation 3 console. Its most popular games include "EverQuest," "Free Realms" and "DC Universe Online."


The company said it will grant players 30 days of additional time on their subscriptions, along with one day for each day the system is down. It is also creating a "make good" plan for its multiplayer online games.


On Sunday, Sony executives bowed in apology and said they would beef up security measures after an earlier breach caused it to shut down its PlayStation network on April 20. The company is working with the FBI and other authorities to investigate what it called "a criminal cyber attack" on Sony's data center in San Diego, Calif.


The company said it would offer "welcome back" freebies such as complimentary downloads and 30 days of free service to PlayStation customers around the world to show remorse and appreciation.


PlayStation spokesman Patrick Seybold, in a blog post Monday, denied a report that said a group tried to sell millions of credit card numbers back to Sony.


He also said that while user passwords had not been encrypted, they were transformed using a simpler function called a hash that did not leave them exposed as clear text.





This topic is now archived and is closed to further replies.
