 |
(CNN) -- In addition to usernames, e-mail addresses and passwords, the hacker or hackers who cracked into Sony's PlayStation network also may have nabbed credit card numbers.
Sony says there's no reason to believe credit card numbers of the network's 77 million users have been stolen, but security researchers tell the New York Times' Bits Blog otherwise.
"Sony is saying the credit cards were encrypted, but we are hearing that the hackers made it into the main database, which would have given them access to everything, including credit card numbers," Mathew Solnik, a security consultant with iSEC Partners, told the Times' Nick Bilton.
Bilton quotes three security researchers who say they've seen talk about the stolen credit card numbers in dark corners of the Internet.
They say as many as 2.2 million credit card numbers may have been stolen as part of the attack. One researcher says the hackers appear to be trying to sell some of the credit card information for more than $100,000.
CNN has not independently verified these claims.
The Sony PlayStation Network -- which lets users play games with friends in remote locations, purchase games over the Internet and stream movies -- has been down since April 20 following a major infiltration of its security system.
Some PlayStation Network users link their credit cards to the online service so they can quickly purchase games and make other transactions.
Sony says personal data has been stolen, since the database that includes that information was not encrypted. But the company has maintained it has no reason to believe the hackers have access to PlayStation users' credit card numbers, which it says were stored in an encrypted database.
Still, Sony has encouraged people to take precautions:
"While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility," the company said in a blog post on Thursday. "If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."
Some PlayStation users have been changing their credit card numbers as a precaution.
E-mail addresses and passwords also are valuable to cyber criminals.
If a person uses the same password for the PlayStation Network as their bank account or e-mail address, for example, it may be possible for a hacker to steal someone's identity or compromise their accounts to spread an Internet worm.
Joseph Bonneau, from the University of Cambridge Computer Laboratory, told The Telegraph that a stolen password could be as valuable as a credit card.
"It's hard to say if leaking passwords or credit card details is a bigger deal," he told the British newspaper. "Studies show that up to 50% of passwords are reused elsewhere online, so even if the hackers didn't get the credit cards they might be able to access your online banking service using the data they did manage to steal."
Sony urges PlayStation Network users to change their network passwords and usernames, especially if they carry those identifiers to other parts of the Internet:
"If you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well," the company said in an official blog post. To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports."
It's unclear who is behind the attack. Wired's Kevin Poulsen writes that cyber criminals are most likely behind the hack, since there's plenty of money to be made on this user data and because there's no clear prankster motive.
Meanwhile, the Sony PlayStation Network remains down. Sony says it could be back up by Tuesday at the earliest.
