Rumor: Hackers selling PSN credit card list

Several security analysts have noticed discussions on hacker forums regarding a list of PSN users' credit card numbers for sale, but there is no way to confirm if they really have the database as they claim.


Sony recently revealed that credit cards were encrypted in the PlayStation Network data breach, but didn't rule out the possibility that hackers had obtained card information. Now the New York Times reports that hackers are claiming to have a database with 2.2 million PSN users' credit card numbers, and they're offering it up for sale.

Kevin Stevens, a senior threat researcher at Trend Micro, noticed the discussions in various hacker forums, where he says they were offering to sell the list for more than $100,000. Researchers confirmed that the discussions are taking place, but there's no way to confirm if they really have the database.

Stevens also heard from one forum member that the hackers offered to sell the data back to Sony, but didn't receive a response. "To my knowledge, there is no truth to the report that Sony was offered the opportunity to purchase the list," said Sony corporate communications director Patrick Seybold, who also reiterated that the data was encrypted.

"Sony is saying the credit cards were encrypted, but we are hearing that the hackers made it into the main database, which would have given them access to everything, including credit card numbers," said iSec Partners consultant Mathew Solnik. He also points out that the hackers on forums knew details about the servers, which could indicate direct knowledge.

Finally, the NYT notes that the San Diego office of the FBI is helping Sony in the investigation of the incident, but declined to comment.

Editor-In-Chief
From The Chatty
  • reply
    April 29, 2011 7:15 AM

    Steve Watts posted a new article, Rumor: Hackers selling PSN credit card list.

    Several security analysts have noticed discussions on hacker forums regarding a list of PSN users' credit card numbers for sale, but there is no way to confirm if they really have the database as they claim.

    • reply
      April 29, 2011 7:24 AM

      There it goes!

    • reply
      April 29, 2011 7:29 AM

      It's so difficult to discern the truth in situations like this. It could just be hackers claiming to have the PSN CC data in order to scam other hackers out of a few bucks.

      One way to confirm would be to actually buy the database, but this opens a potential legal can of worms for the buyer.

    • reply
      April 29, 2011 7:29 AM

      I think I'm ditching my main Gmail account. I turned on my PS3 this morning and saw that was the login name. I don't care so much about the CC info, because you can cancel your shit and get new ones, but now if they know your logon to shit and start plugging it into sites, who the hell knows what real damage could be done.

      • reply
        April 29, 2011 7:43 AM

        Activate the two factor auth on your gmail account and you should be fine: http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html

      • reply
        April 29, 2011 8:07 AM

        [deleted]

        • reply
          April 29, 2011 8:39 AM

          the first part of my email address nukemforever@ (it's not that) is/was my general user name on other sites. I don't remember which of the normal password rotations I used on my PSN, but if my email name, password and security key are all on some list in hacker land, I need to change all this data.

          Sure I could change my password on my email and other sites (which I have done), but I'm not sure how many sites I've used my user name on over the course of the past 11 years. fucking sucks but it was time for a nick change

          • reply
            April 29, 2011 8:40 AM

            why do you care if you used that login name and maybe even the same pass on some bumfuck forum 11 years ago? if the site was important you'd remember you had a login there

            • reply
              April 29, 2011 8:50 AM

              because when sky-net turns on in a few years and tracks my user name using hacker logs, and it logs in as me on penislicking.com and starts posting pictures wait what

    • reply
      April 29, 2011 7:44 AM

      Don't worry, your CC details were encrypted with the power of CELL. It can handle 30 quadrillion ROT13 actions a second!

      • reply
        April 29, 2011 8:16 AM

        That may be a bit too subtle for the room. :)

        • reply
          April 29, 2011 8:18 AM

          ROT13 is hardly that obscure.

          • reply
            April 29, 2011 8:28 AM

            WTF Conan, why you gotta be jumping in here and shitting all over me?

            • reply
              April 29, 2011 8:32 AM

              Never mind, Axeman made it all worthwhile there.

          • reply
            April 29, 2011 8:29 AM

            Holy shit! I never played Rise of the Triad 12!

            • reply
              April 29, 2011 8:37 AM

              Man, now I'm wishing I really did have 12 ROTTs to play through.

    • reply
      April 29, 2011 7:47 AM

      PCI compliance is such a joke. If anyone has ever read that document (1000+ pages) you will see that it is near impossible for any company to comply 100%, much less guarantee that they will never, ever get hacked. There is NO such thing as a perfectly protected system in the digital age, so I don't really get the frustration people have. If you didn't take the steps (however tedious they might be) to protect yourself as best you can, then you really have no one to blame but yourself.

    • reply
      April 29, 2011 8:05 AM

      Those guys are gonna get so damn hosed.

    • reply
      April 29, 2011 8:10 AM

      I still wonder if it was an inside job. Sony's laid off a lot of people lately.

      • reply
        April 29, 2011 8:42 AM

        The discussion about moving the data center is concerning -- it sounds like the current systems could have been in an office with easy physical access.

        From the different posts, it sounds like the PSN firmwares weren't the problem, but it did help expose the issue.

        • reply
          April 29, 2011 5:48 PM

          Physical security is a key component of PCI compliance. Most large businesses have these kinds of physical security controls in place; it would be scary to find out if Sony didn't, for some reason.

    • reply
      April 29, 2011 8:22 AM

      "Mr. Solnik said researchers believe that the hackers gained access to Sony’s database by hacking the PS3 console and from there infiltrating the company’s servers."

      So this is what Sony reaps for killing off otherOS. OR, this is what happens when people like GeoHot take matters into their own hands.

      • reply
        April 29, 2011 8:24 AM

        Do we not realize how asinine it is that this information would be stored on any sort of external facing network?

      • reply
        April 29, 2011 8:31 AM

        Dude, Sony made all sorts of security mistakes. Yes, there were hackers involved, but Sony basically left everyone's data in a house with alarm system stickers on the windows, but no alarm system. Or door locks, or even walls.

      • reply
        April 29, 2011 8:35 AM

        Are people seriously so lacking in self control that they are saying Sony is directly responsible for hackers being cunts?

        • reply
          April 29, 2011 8:37 AM

          No one is saying that. But you also don't go into a biker bar and call everyone fags and expect to walk out of there without your ass kicked.

          • reply
            April 29, 2011 8:38 AM

            It sounds more like someone scratched someone's bike, the bikers then threw a molotov at said person's place, the police got involved and arrested the biker, and the bikers came back and trashed the town.

          • reply
            April 29, 2011 10:27 AM

            You just have to put on Tequila and dance on the bar.

        • reply
          April 29, 2011 8:38 AM

          Sony is directly responsible for not properly securing their data.

      • reply
        April 29, 2011 5:54 PM

        Clients do not demand and receive access. They have no say. Why they were allowed to do so in this case is the point of ridicule. You never secure a service at the client. It's insane to even consider it.

    • reply
      April 29, 2011 8:30 AM

      I hope the FBI kicks 'em in the nuts.

    • reply
      April 29, 2011 8:41 AM

      [deleted]

    • reply
      April 29, 2011 10:21 AM

      If you are really concerned then yes, you can cancel your credit card and have them re-issue you a new one. However, nowadays even if you obtain a credit card # and information, it's practically useless. You need to enter the CCV # on the back of the card for most online transactions to complete. Without that number they get nowhere.

      • reply
        April 29, 2011 5:00 PM

        And even if they do get somewhere, you get reimbursed anyway.

      • reply
        April 29, 2011 6:00 PM

        Won't help if they clone your card. Never thought about that, did you? Gas, food, anything at a department store. They already know your zip for automated machines used as credit.

    • reply
      April 29, 2011 4:45 PM

      In all likelihood an admitted criminal is using the publicity around the PSN breach to make a quick buck selling a worthless database file. That, or some anon twit is pretending to sell PSN credit cards for the "lulz".

    • reply
      April 29, 2011 6:01 PM

      [deleted]

      • reply
        May 1, 2011 12:05 AM

        It was posted in the New York Times. Is that not a worthy source to report on? Shack just decided to add their Rumor tag when they didn't necessarily need to.

        Unless you are trying to talk shit about the New York Times?
