Rumour: PSN member credit card numbers on sale in hacker underground

Friday, 29th April 2011 07:11 GMT By Brenna Hillier

The cyber-security community and its shadowy cousin are abuzz today with rumours that hackers are offering to sell a database of 2.2 million credit card details stolen from Sony’s network.

The rumours seem to have originated with Trend Micro’s Kevin Stevens, who tweeted today that the hackers responsible for breaching the PSN’s security are willing to part with a chunk of the information so obtained – for a price.

He later added that Sony had been offered the chance to buy back the information, but declined.

Sony has denied this. Speaking to the New York Times, SCEA comms boss Patrick Seybold said:

“To my knowledge there is no truth to the report that Sony was offered an opportunity to purchase the list.”

Seybold referred again to a Sony statement on the matter of credit card data encryption on PSN, made yesterday: “The entire credit card table was encrypted and we have no evidence that credit card data was taken.”

Sony has said that it could not rule out the possibility that hackers might have obtained credit card data.

Mathew Solnik, a security consultant with iSEC Partners who frequents hacker forums to track new hacks and vulnerabilities that could affect his clients, told the NYT that it can’t be ruled out that credit card data was stolen by hackers last week.

“Sony is saying the credit cards were encrypted, but we are hearing that the hackers made it into the main database, which would have given them access to everything, including credit card numbers,” he said.

The database is said to include full user details for each card – first and surname; address; phone number; email address; email password; date of birth; and credit card number, expiry date and security code.

The inclusion of email password and card security code, neither of which are collected by Sony, lends some weight to the suggestion that this is a load of old bollocks.

In support, PSX-Scene has a chat log and several screenshots supposedly taken from hacker and credit card fraud communities.

The site echoed the rumour that Sony had been offered the chance to buy back the database.

The first attack

Meanwhile, an Australian man is claiming to be the first documented victim of PSN-gate related credit fraud.

ABC News reports the unfortunate PSN member found several small transactions on his statement following the security breach, in a pattern familiar to those who’ve been caught by scammers. Soon after, over AUD $2000 in charges hit the account.

If the activity is related to PSN-gate, the target of the purported fraud was lucky enough to score a stupid scammer, who purchased flights within Australia and hotel stays. There is little chance the beneficiary of these purchases will escape detection.

Thanks, Kotaku, GamePolitics.

66 Comments

  1. dtyk

    I bet hackers are spreading these infos personally.

    #1 4 years ago
  2. wiozan

    Oooh please, everyone can make up bullshit like this.

    #2 4 years ago
  3. themadjock

    How about stop reporting this damaging, scare mongering bollox

    #3 4 years ago
  4. neon6

    They have no dignity.

    #4 4 years ago
  5. Robo_1

    “… and security code.”

    Chalk this one up as shit from the bull then, as from what I’ve read, Sony don’t even store this information on their server.

    #5 4 years ago
  6. Patrick Garratt

    We had a discussion about whether or not to run this earlier, and I decided we have to do it if it’s out there. We’ll try to get a comment from Sony later (there’s a bank holiday in the UK today, so we’ll need to speak to Sony US) and if they can offer us something we’ll update it.

    #6 4 years ago
  7. dtyk

    While I think it’s good that you’re getting all the news out there, this kind of information is really not healthy for the squeamish. There are a lot of people that are overreacting to this instead of taking the necessary courses of action and calming down.

    #7 4 years ago
  8. gamestx

    Always remember, as long as your devices are connected to the Internet, either PS3, X360, Wii, Computer, IPhone or whatever it’s never safe from filthy hackers. Please stop making this sound like it’s a big deal or the heist of the century or something.

    #8 4 years ago
  9. DrDamn

    @6
    I think this one crosses the line Pat, posting game info based on rumour and speculation is very different to giving this sort of story visibility without good evidence. It’s not simply that Sony say they don’t collect the CVV data, they are explicitly not allowed to keep it for any length of time.

    #9 4 years ago
  10. Patrick Garratt

    @7,8 – We have to tread a fine line, to be honest. We can’t ignore a story that says 2.2 million PSN-related credit numbers are being offered for sale, but I do agree with you that there’s been a lot of panicking this week. The fact is, though, that the hack was a very big deal – it was reported by basically every major news outlet – and we can’t pretend otherwise. I’m aware this story may simply not be true, so we’re just going to report it and move on, and hopefully Sony will reassure people with a comment later.

    #10 4 years ago
  11. Patrick Garratt

    @9 – We have to report what’s there and check with Sony. It’s just a judgement call I have to make, to be honest. Brenna was in two minds about doing it at all for the reasons you point out there.

    #11 4 years ago
  12. Iliad

    I’m with you Pat – it would be irresponsible not to keep people in the loop, whether it’s based on rumour or fact. Plus, it may force Sony to reveal a little more if this kind of information is being reported.

    #12 4 years ago
  13. Christopher Jack

    It’s just journalism, but the thing I love about this site, is if they’re not entirely sure about something, they put the word ‘Rumour’ before the headline.

    #13 4 years ago
  14. JonFE

    I just got a call from my CC issuing bank. They told me that my card has been canceled and a new one will be issued, due to Sony Online’s security breach.

    Now, I don’t know whether that’s solid confirmation that CC info have been leaked or just VISA’s preemptive strike to the recent events, but it sure does not paint Sony in a good light.

    #14 4 years ago
  15. Redh3lix

    If Sony had been offered the chance to buy back the information, I’m positive they would have. It’s much easier to track money transactions to the perp than track a silent hacker. There is simply NO WAY the perp(s) would approach Sony in such a way when there’s more than a few thousand crooks out there who would jump at the chance to obtain such info. This story reeks more of “kiddies having a chat” than factual evidence. That, plus Sony don’t secure CSV numbers etc.

    I support VG247 in posting this article, although I think VG247 should try and commit to posting the more plausible stories than this…

    #15 4 years ago
  16. Teabag

    MAN, Sony is in deep shit. One bad move with Geohot and they have screwed themselves over.

    The wrath of the hacker. Oh boy.

    #16 4 years ago
  17. Kerplunk

    The first word of the article headline states “Rumour” and a paragraph or two in it says:

    The inclusion of email password and card security code, neither of which are collected by Sony, lends some weight to the suggestion that this is a load of old bollocks.

    I’d say that VG247 have acted entirely responsibly in posting an update but making concerned readers aware of the possibility that the details they’re echoing may not be entirely authentic.

    Politics aside, if this event encourages people to be more responsible for their own security then good.

    I’ve been quite surprised at the angry finger pointing by people who express security concerns and then, a moment later, refuse to check their card transactions, speak to their bank or update their passwords. “I’ll wait and see what happens” seems to be more like “I’ll wait and see if something bad happens and then decide who else I can blame it on”.

    This event should be a wake-up call for everyone about their data and their security.

    #17 4 years ago
  18. Fin

    @14

    Right, so you got a call from your card issuer, cancelling your card.
    Sooo how did they know you’d used your card on PSN? Or are they just cancelling all cards?

    #18 4 years ago
  19. Kerplunk

    @15 I think this statement about Sony being offered to buy back information is all nonsense.

    It’s there to suggest that the thieves are noble and that if Sony refused to pay what amounts to a ransom then they can be further demonised as showing disregard for the welfare of their customers.

    Additionally, buying back the information would not mean that any stolen information is taken off the black market. So, logically, there would be no benefit in buying back this information.

    #19 4 years ago
  20. DrDamn

    I think it’s a general journalist point though isn’t it? You don’t just report whatever you find you try to corroborate and check the facts to back up the story from multiple independent sources. That’s basic journalism. This entire story could be based on a single post to a forum, repeated and exacerbated. I realise this sort of information is difficult to check in a world where everyone and their mum repeat and retweet anything they want as fact, but that’s all the more reason to corroborate.

    As an aside if Sony have solid evidence of card numbers being compromised then they have an obligation to inform the correct authorities who will organise cancelling and reissuing or watching of the cards affected.

    @15
    Sony wouldn’t buy back the info as there is no point, what do they gain? The “promise” the people won’t sell it on to other people? This is data not a physical object.

    #20 4 years ago
  21. DrDamn

    @18
    As my above post, if Sony have more direct evidence that card numbers proper are out there then there are processes in place to inform and take action. It’s their responsibility to do this, not doing so or giving misinformation about this would be far more damaging to them financially than the original breach.

    #21 4 years ago
  22. strikkebil

    “He later added that Sony had been offered the chance to buy back the information, but declined.”

    ah the rage. sony def dont give a shit about this.

    #22 4 years ago
  23. Nozz

    @22 What would stop the hacker(s) from keeping their copy and continue selling it to shady sources as well. It would be totally pointless for them to buy the details back.

    If this is even true of course…

    #23 4 years ago
  24. dtyk

    @22

    First, I doubt that this story is true. Second, I don’t think Sony has anything to gain from “buying them back”. This is not a legal trade. It’s black market bargaining. They can keep 1000 backups for all they care and Sony can’t do anything about it.

    I HONESTLY think that Sony is handling this pretty well. We don’t know the damages in numbers yet, but they are definitely not freaking out about it.

    #24 4 years ago
  25. Gekidami

    The problem with posting news like this is that a lot of sites that pick it up won’t make it clear it’s just a rumour, won’t point out parts that make it seem unlikely (which Brenna has done here), and if it’s confirmed to be bogus, won’t do a follow up.

    In the end all of the rumours flying about in the media would have done just as much, if not more harm to Sony than the attack itself and caused needless fear amongst the users.

    I’m not saying VG247 is at fault here, Brenna’s done a good job of making this seem far from official. But other sites will instantly splash the news about as if it was fact.

    As for the news itself, the fact that it says Sony had the chance to “buy back” the data makes it very dodgy, seems like another attempt by hackers to demonize Sony to me “Look! They could have bought it all back, BUT DIDN’T!! They don’t care!!!”. Not very likely seeing as it’s digital data. *Of course some people will choose to ignore that and play straight into the hackers’ game.

    *See comment 22 for reference.

    #25 4 years ago
  26. dtyk

    lawl Gekidami +1

    #26 4 years ago
  27. JonFE

    @Fin:

    I’m pretty sure that VISA have records of all their credit card transactions, it cannot be too hard for them to get a list of credit cards which have been used in PSN and notify their holders via the banks.

    Also, I expect Sony to be much more upfront, direct and cautious regarding the spread of the issue with VISA, MasterCard, American Express etc. than the average Joe, as the consequences of losing their trust will be severe.

    #27 4 years ago
  28. Yoshi

    Okay, throughout all of this I’ve never panicked really but this just pushes me over the edge, if true. :S:S

    #28 4 years ago
  29. DrDamn

    @27
    Your final point is an important one. This is an obligation Sony have, if they are not absolutely clear about this to the right organisations the financial cost will be huge.

    #29 4 years ago
  30. Redh3lix

    @19 @20

    As I stated, there’s no way anyone would approach Sony in the first place to sell such info, although if they WOULD have (regardless of whether the information would have been passed on already) I believe Sony would have purchased it (under guidance from the investigative team), thus been able to track and apprehend at least one individual and maybe secure the source of the hack. They (Sony) would essentially have nothing to lose by purchasing such info effectively, only the ability to apprehend a single perp which could possibly lead to the source.

    Again, It’s very, very doubtful that anybody would approach Sony in the first place which further highlights the stupidity of this story.

    #30 4 years ago
  31. monu-mental

    I really don’t think a website of your capacity should run this. Even N4G deleted the fake trash. Here’s more proof it’s rubbish:

    http://www.gamersmint.com/sony-denies-being-offered-to-buy-back-stolen-psn-database

    I love you guys, but this is a trash piece. Sorry.

    #31 4 years ago
  32. Telepathic.Geometry

    We’re all wearing big-boy pants on this forum I think, so I think it’s safe for you to post anything and everything that pops up Pat. One of the things that I especially like about this site is that the gaming news tends to come quickly and without being dressed up. Keep up the good work and don’t worry about any delicate flowers…

    #32 4 years ago
  33. monu-mental

    Ha, no one’s saying we’re kids here, and no one’s saying we do not support VG247, but if we truly love this site, we MUST speak our minds concerning certain things; this piece, I think, should have been left alone, to the no names….

    Per Gamersmint:

    Senior Director of Corporate Communications and Social Media at Sony, Patrick Seybold has declined that Sony were offered a choice to buy back database which the hackers stole from them after hacking into the Playstation Network.

    Speaking with NYTimes, the man confirmed that there is no truth to this statement:

    “To my knowledge there is no truth to the report that Sony was offered an opportunity to purchase the list.”

    Mr. Seybold also pointed to a blog post Sony published Thursday that said:

    “The entire credit card table was encrypted and we have no evidence that credit card data was taken.”

    As it turns out, the hackers very well might be plotting to fool someone into buying the database in order to earn some serious money. We hope this is the case but still would advise readers to check with their banks and ensure that there’s been no suspicious activities carried out with their credit cards.

    #33 4 years ago
  34. DrDamn

    @32
    It’s the impact of a website like this running a story like this which is the point, not whether the readership is in big boy pants or “delicate flowers”. It gives the story some legitimacy there is no other evidence to suggest it has. It’s also not about dressing up, as I said above it’s basic journalism to check facts.

    #34 4 years ago
  35. loveaya

    I’ve read this rumour before VG247. In my opinion, this news is totally negative which will make all the readers worry about their credit cards.

    Yes, this may be just a warning. But it’s also a bomb.

    I can’t wait someone else say: bullshit, I’ve lost 2000000 dollars because of SONY’s mistake.

    You know, the Internet is magical.

    Besides, the editor (Garnette Lee) of Shacknews said his friend has lost 2000 dollars because someone has used his credit card in a German restaurant. Ridiculous~

    So what’s your opinion?

    #35 4 years ago
  36. BraveArse

    I’m with DrD on this one, it’s nothing to do with big boy pants here, it’s everything to do with the journalistic credibility that Pat’s managed to establish with this site. Journalistic credibility is a rarity in games writing IMO, this place, RPS and *a portion* of the EG crew are just about the only places I regard as having it. A number of stories over the last while have made me rethink that opinion though. Most notably this one and the one earlier with the daft Defcon 1 image ( given all the crap happening in the world right now, “Defcon 1” lacks, at best, a modicum of proportion ).

    For one thing, it’s not been unknown in the past for people like Trend Micro to stoke the flames when there’s been an IT security concern. They stand to gain from headlines like this, and most journos should at least suspect this. VG247 has the tools and skills to be taken far more seriously. But you can’t escape some responsibility for stoking the flames yourselves with articles like this, marked “rumour” or not.

    #36 4 years ago
  37. reask

    They can have mine.
    I got it cancelled yesterday and am being issued a new one.

    #37 4 years ago
  38. Telepathic.Geometry

    I disagree. The Nintendo Wii 2 thing started out as just a rumour too. In hindsight, if it turns out to be bullshit ya might regret it, but I’d rather that than to be in the dark until something’s nailed down tight. But as usual, it’s opinions and arseholes init. :) /general hugs

    #38 4 years ago
  39. Gekidami

    ^ The “Wii 2” rumours were coming from several reliable sources (journos), and didn’t feature any odd info that made the rumour seem unlikely.

    The same can’t be said for this.

    #39 4 years ago
  40. mickey2002

    My card was being used. Thank god I’ve got a good bank with good fraud team they blocked the card almost right away and contacted me, only like 12 pounds got past and already refunded me that. Only way this happened is due to Sony. So YES CC details have been leaked.

    #40 4 years ago
  41. spiderLAW

    @6 Pat

    Honestly, I too am getting tired of these posts related to the PSNgate, but I say to go ahead and post whatever you want.
    People here seem to not understand that if they don’t like what the article has to say, simply don’t read it…

    Squeamish? Don’t read it. Tired of it? Don’t read it. Think it’s trash? Don’t read it…..what I’m really trying to say is, grow up.

    #41 4 years ago
  42. PeterW

    I am a journalist looking to interview anyone who has lost their details as a result of the Playstation hack – if anyone wants to contact me I am on dg44@dial.pipex.com

    Best wishes

    Pete

    #42 4 years ago
  43. loveaya

    @40 So someone has used only 12 pounds from your count? For what?

    #43 4 years ago
  44. freedoms_stain

    @40, really, the only way? You have a dedicated PSN credit card then I take it? You couldn’t have been defrauded via another avenue and have decided to blindly blame the PSN breach “cus it’s there”?

    I think that’s a real danger here actually, people may have leaked their details another way and have just decided that it was via the PSN breach when in fact they’re getting fucked from another angle entirely.

    #44 4 years ago
  45. Telepathic.Geometry

    I’ll grant you that the Wii thing had lots of sources so it was probably legit, but even if Pat hears it from some drunken eejit down the bar, if Pat thinks that there’s some chance that there might be something to it, then I want to hear it. If it turns out to be bullshit, guess what, I take 0 hit-points of damage.

    #45 4 years ago
  46. MegaGeek1

    VG247 is officially the National Enquirer of vg related news.

    Also, am I the only one who couldn’t give a rats ass if some hacker shmuck buys my credit card info? Talk about money well wasted. Whats the worst they could do? Inconvenience me for an hour and a half while I call VISA and report the fraud? I get a new card, VISA figures the rest out, and I couldn’t care less what happens after that.

    #46 4 years ago
  47. loveaya

    @44

    I agree with you.

    A few days ago, I saw some people say that their CC has been used by another person. The same detail, the same word: due to SONY.

    But in fact, no one showed the proof. Just only the words~

    I’m tired here, goodbye.

    I trust always VG247, except this news, thanks for all you did.

    #47 4 years ago
  48. jeremycafe

    While I am more of an MS fan over Sony, I have to feel like this site is personally out to make Sony look bad. This article is just completely bulls and everyone knows it. The only “good” this article does is further hurt Sony’s image. Too much support for the hackers is being shown in the news here.

    Guess it’s back to Kotaku

    #48 4 years ago
  49. reask

    Well PSN went down last wed week.
    Sony said nothing till sat.
    It was Mon before the detail info was outed.
    So I say Pat is right to run this,
    Heaven help us if we are to depend on Sony.

    #49 4 years ago
  50. monu-mental

    http://uk.gamespot.com/news/6310570.html

    Credit cards are safe. No need for all this drama, fear-pumping, Sony-downing drama.

    #50 4 years ago
  51. Telepathic.Geometry

    Oi, monu-mental, gimme the Friend’s Ring will ya?

    #51 4 years ago
  52. Patrick Garratt

    I’ve updated it. SCEA’s denied it was offered any list of credit card data for sale.

    #52 4 years ago
  53. Dr.Ghettoblaster

    All we need are the words “SEX” and “DRUGS” somehow worked into a new PSN hacking article title, and i think we’d have every possible rumor covered…

    #53 4 years ago
  54. Christopher Jack

    Sony’s released a second part to their Q&A
    http://blog.us.playstation.com/2011/04/28/qa-2-for-playstation-network-and-qriocity-services/

    Q: Will there be a goodwill gesture for the time we haven’t been able to utilize PSN/Qriocity?
    A: We are currently evaluating ways to show appreciation for your extraordinary patience as we work to get these services back online.

    I like the sound of that :D

    #54 4 years ago
  55. DrDamn

    @50
    So you think proper statistical analysis and monitoring of the full set of cards is the way to detect this? Rubbish, statistically meaningless possibly related posts to internet forums are much more reliable! ;)

    #55 4 years ago
  56. spiderLAW

    @54
    me too.
    I want goodies please!

    #56 4 years ago
  57. KrazyKraut

    RUMOR: ppl will get wet on this year rain season.

    #57 4 years ago
  58. spiderLAW

    RUMOR: KrazyKraut will try and be funny earlier on today!

    jk….i love ya man lol

    #58 4 years ago
  59. ManuOtaku

    #54 If they do that they will be sending a strong message that they care about their customers, which is nice in my book. I will be happy for those who suffered the most and myself included of course.

    Having said that, Sony, and this is a recommendation on my part, learn from your mistakes. I grant your actions post the hack were good, but prior to the hack were lacking to say the least, with the exception of course of the lack of information with a strong delay thrown in the way. This will be one lesson to learn: please act as soon as things happen and then give the information to your users. Another one: as soon as someone gives the information about how to get into your device, please take immediate actions in order to make it stronger and / or to rebuild it again; please don’t wait for the hack to happen.

    Lastly keep our personal information (passwords, dates, etc) heavily secure, at least even heavier than this time, with this I think you should be a better company to your users (myself included) which I think will be a win win scenario to everyone.

    Ah and thanks in advance for the compensations. Appreciated

    #59 4 years ago
  60. mickey2002

    That card is pretty new and is only on PSN in the world of the internet. It’s not been out of the home and so not stolen and my wallet is highly RFID protected even if it was taken also. So yeah unless someone is a mind reader or something. Or a leak at the bank ? LOL so the clearest reasoning is it’s down to the recent issues with PSN.

    The £12 pounds is the only one that made it, the others for higher amounts all got blocked. The £12 was from some weird company name, bank couldn’t tell what the money was actually used for. I find it funny how Sony are hinting at the fact that CC details will be safe (not officially stating that however)… yet it took them ages to tell us our data was leaked. Hopefully ICO has something to do with that (which like it will be the case)

    #60 4 years ago
  61. DrDamn

    @mickey2002
    When you say it’s only been used for PSN internet wise, has it just been used for PSN stuff full stop or have you used it on other stuff? Also you mention it’s not been out of the house but it’s in your wallet?

    Not doubting you, just ascertaining facts as a story like yours is more worrying than this article.

    #61 4 years ago
  62. mickey2002

    @DrDamn Well PSN only netwise but not used it for anything in person yet either it’s only 4 weeks old. And I meant the card hasn’t left the house (in my desk safe) my wallet has, was just stating even if it had, not like anything could have copied it as wallet’s RFID protected.

    So ONLY options are. PSN, Leak at the Bank ? and my money is on PSN a bit too much of a coincidence right ? :/ either way it just sucks awaiting a new card with the bank holidays etc. Not used that one for few weeks and now I need one typical lol.

    #62 4 years ago
  63. DrDamn

    If it’s new then perhaps the related story first in the list is more applicable? I.e. It was intercepted when you registered it with the account recently.

    #63 4 years ago
  64. DrDamn

    Actually scratch that just read the article, unless you’ve been playing with custom firmware on your PS3.

    #64 4 years ago
  65. kreck

    they stole credit card info and have been using it they tried using mine and tried using 300 dollars but fortunately my credit card company saw that as suspicious and told me

    #65 4 years ago
  66. Christopher Jack

    If people wish to direct their anger somewhere, it should be towards those who have compromised the integrity of the gaming service – not the providers themselves. After all, without them, we never would have had such great services to miss in the first place.

    #66 4 years ago

Comments are now closed on this article.