
2.2 million users' cards are reportedly in the database

Millions of customers were shocked to hear that Sony Computer Entertainment America LLC (U.S.) and Sony Computer Entertainment Europe (EU) had lost their personal information -- name, username, password, address, birth date, and password recovery question -- and, more importantly, that the companies may have lost their credit and debit card details as well.

Sony wrote:

While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility.

It then essentially told customers that they were on their own, and that protecting themselves from credit fraud was their own responsibility.

Now it appears the worst-case scenario may indeed be playing out -- according to recent forum posts, a database with "a large section of the PSN database containing complete personal details along (with credit card numbers)...are being offer (sic) up for sale."

Security researcher Kevin Stevens has witnessed malicious hackers discussing the supposed database.  He posted to Twitter, "Supposedly the hackers selling the DB says it has: fname, lnam, address, zip, country, phone, email, password, dob, ccnum, CVV2, exp date," adding, "it is not a rumor, it was a conversation on a criminal forum."

Anyone who obtains this database could issue fraudulent charges against more than two million cards.  Such charges can put a black mark on your credit history.

Famed hardware jailbreaker George "GeoHot" Hotz chimed in on the reports, writing, "I sure am glad I don’t have a PSN account about now."

In his blog he adds:

And to anyone who thinks I was involved in any way with this, I'm not crazy, and would prefer to not have the FBI knocking on my door. Running homebrew and exploring security on your devices is cool, hacking into someone else's server and stealing databases of user info is not cool. You make the hacking community look bad, even if it is aimed at douches like Sony.


...the fault lies with the (Sony) executives who declared a war on hackers, laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts. Alienating the hacker community is not a good idea.

GeoHot, a self-admitted one-time victim of identity theft, isn't a huge fan of Sony.  He recently settled with the electronics giant in a lawsuit over his jailbreak of the PS3.  Reportedly, GeoHot essentially scored a big win with the settlement, though precise details haven't been revealed.

The attacks came soon after the settlement.  While few suspected GeoHot, some do suspect that members of the loosely organized hacker group Anonymous -- a group which supported GeoHot during the Sony legal battle (without his endorsement) -- might have been involved.

Regardless, this is bad news for Sony and worse news for its customers.  If you have a credit or debit card that you know is on file with the service, you might want to talk to your bank about changing your number as soon as possible.


By CZroe on 4/29/2011 9:02:03 AM , Rating: 4
I read the same thing but didn't think it was repeatable because Sony was pretty specific when they said that they didn't store CVV/CVV2 (kinda the whole point of CVV). It sounds like someone just wanted to fake it to get money from Sony (blackmail) or others (selling older compromised accounts). Of course, it's possible that Sony has been compromised for years with CVVs getting intercepted at first use or that they were lying about not storing them.

By AstroCreep on 4/29/2011 9:11:43 AM , Rating: 4
I'm thinking you're correct about the attackers simply using this as blackmail or perhaps just a boasting and don't really have it.

Sony is sticking with the "There is no evidence that the credit card database was compromised". Furthermore, they are claiming it was encrypted.

I know that "No evidence" doesn't mean that it wasn't compromised, and that encryption can be beaten, but I think I'll believe it when someone can get a hold of this stolen database and can confirm that it is legit.

By JasonMick on 4/29/2011 9:23:06 AM , Rating: 5
I'm thinking you're correct about the attackers simply using this as blackmail or perhaps just a boasting and don't really have it.

The possibility of blackmail is very real, but Sony as much as admitted it may have lost the CC numbers, so I would still consider changing my card number just to be on the safe side. It could save you a great deal of trouble down the road for minimal effort @ present...

I know that "No evidence" doesn't mean that it wasn't compromised, and that encryption can be beaten, but I think I'll believe it when someone can get a hold of this stolen database and can confirm that it is legit.

Yep. As some pointed out, Sony's comments indicate that it used hashing to encrypt its records, but gave no indication that it was applying a salt to its hash. Without such a salt it should be well within the reach of savvy hackers to reverse the encryption.

The hackers who stole this likely have access to several unencrypted string-sets from their accounts/their friends' accounts. This would assist them in reversing the hash, if they can locate their records in the database, from what I understand...


At the end of the day who knows if this "sale" is legit or if anyone will buy it. But this is a HUGE black mark for Sony as it represents one of the most grievous violations of customers trust to date.

By MeesterNid on 4/29/11, Rating: 0
By MozeeToby on 4/29/2011 12:36:49 PM , Rating: 3
I gave an example last time this came up, but what primes, when multiplied together and modded by 2^32 (modded, if anyone doesn't know, means divide by and keep the remainder: 13 modded by 10 = 3), produce 1738643815? You can't just go up the list of prime numbers and divide, because you're missing the most significant digits. You have to try every possible combination until you find one that works.

Yes, yes, you can make a rainbow table; if you have the storage space you only need to do the calculations once. Even if we allow only for the first 100 primes, that still produces 9 * 10^157 rows for your DB, good luck with that.

Even if you find an answer, which isn't going to be easy, you have no guarantee that the answer you found was actually my password because the hash is non-unique. So long as everyone salts their hashes with a different salt (doesn't even have to be regularly randomized), the password that they find is useless for accessing other sites, even if the user uses that password everywhere.

By karielash on 4/29/2011 7:42:59 PM , Rating: 1

You don't have a clue.

By BigDH01 on 4/29/2011 9:54:08 AM , Rating: 2
Yep. As some pointed out, Sony's comments indicate that it used hashing to encrypt its records, but gave no indication that it was applying a salt to its hash. Without such a salt it should be well within the reach of savvy hackers to reverse the encryption.

One, CC numbers wouldn't be hashed... it would defeat the purpose. They are encrypted, but not one-way hashed. Hacker would need encryption key and method (probably 3DES). This is not easy to reverse by any means without those items.

Two, hashes are not, by any means, easy to reverse even without using a salt (as long as they are using SHA1 or better). The salt is merely there to force the hacker to look for collisions for each individual record instead of using a rainbow table.
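The exchange above between JasonMick, MozeeToby and BigDH01 about unsalted hashes, salts and rainbow tables is easy to make concrete. The following Python is an added example written for this page; it is not code from the article, the commenters or Sony. The account list and the wordlist are constructed, and SHA-1 is used only because the thread names it.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real PSN data). Passwords are deliberately
# weak; "attacker" is the intruder's own account, so that plaintext is known.
USERS = {
    "alice": "password1",
    "bob": "letmein",
    "attacker": "ps3rocks",
    "carol": "Tr0ub4dor&3",
    "dave": "password1",   # same password as alice
}

# A small constructed wordlist standing in for a leaked-password dictionary.
WORDLIST = ["123456", "password1", "letmein", "ps3rocks", "qwerty", "dragon"]


def sha1_hex(data: bytes) -> str:
    # SHA-1 only because the discussion names it; real systems should use a
    # slow, salted password hash (bcrypt, scrypt, Argon2 or PBKDF2).
    return hashlib.sha1(data).hexdigest()


def store_unsalted(users: dict) -> dict:
    """Unsalted scheme: user -> hex digest of the password alone."""
    return {u: sha1_hex(p.encode()) for u, p in users.items()}


def store_salted(users: dict) -> dict:
    """Salted scheme: user -> (random 16-byte salt, hex digest of salt || password)."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, sha1_hex(salt + p.encode()))
    return out


def precomputed_table(wordlist: list) -> dict:
    """The 'rainbow table' of the discussion reduced to a lookup dict:
    digest -> password, computed once and reused against any unsalted dump."""
    return {sha1_hex(w.encode()): w for w in wordlist}


def crack_unsalted(dump: dict, table: dict) -> dict:
    """One dictionary lookup per record; no hashing happens at attack time."""
    return {u: table[h] for u, h in dump.items() if h in table}


def table_against_salted(salted_dump: dict, table: dict) -> dict:
    """Try the same precomputed table on a salted dump (ignoring the salts)."""
    return {u: table[h] for u, (_, h) in salted_dump.items() if h in table}


def crack_salted(salted_dump: dict, wordlist: list) -> tuple:
    """Per-record guessing: each candidate must be re-hashed with that record's
    own salt, so the work is roughly len(dump) * len(wordlist) hash operations.
    Returns (recovered passwords, number of hashes computed)."""
    found, attempts = {}, 0
    for u, (salt, h) in salted_dump.items():
        for w in wordlist:
            attempts += 1
            if hmac.compare_digest(sha1_hex(salt + w.encode()), h):
                found[u] = w
                break
    return found, attempts


def confirm_scheme(dump: dict, known_user: str, known_password: str) -> bool:
    """What the attacker learns from their own record: whether the dump is
    plain SHA-1 of the password. Only meaningful for an unsalted dump."""
    return dump.get(known_user) == sha1_hex(known_password.encode())


if __name__ == "__main__":
    unsalted = store_unsalted(USERS)
    salted = store_salted(USERS)
    table = precomputed_table(WORDLIST)
    print("attacker confirms plain SHA-1:", confirm_scheme(unsalted, "attacker", "ps3rocks"))
    print("alice and dave share a digest (unsalted):", unsalted["alice"] == unsalted["dave"])
    print("table vs unsalted:", crack_unsalted(unsalted, table))
    print("table vs salted:  ", table_against_salted(salted, table))
    found, n = crack_salted(salted, WORDLIST)
    print(f"per-record guessing vs salted: {found} after {n} hashes")
```

Running it shows both sides of the argument. Without a salt the attacker's own known password confirms the scheme in one hash, identical passwords produce identical digests, and a table built once cracks every weak password in the dump with no further hashing. With a per-user salt the precomputed table recovers nothing and the attacker is forced into one guessing loop per record; the weak passwords still fall, but only at a cost proportional to records times candidates, which is BigDH01's point that the salt defeats the table rather than the guess.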

By mcnabney on 4/29/2011 10:06:41 AM , Rating: 3
Credit card numbers are the LEAST of the worries of PSN users. I would be much more concerned if my username, email address, and PASSWORD got out, as should many people. How many other websites and accounts will users select the same email address and the same/similar password? That allows the thieves into other online sellers (like Amazon) and financial accounts (like banks and retirement accounts). Not to mention passwords also used to access systems at their employers. If I had a PSN account, I would be getting new credit card numbers and changing passwords for everywhere I have been online. A huge pain in the ass.

By MrTeal on 4/29/2011 10:30:11 AM , Rating: 5
No one should be using universal passwords for important accounts. I have a separate PW for my two main email accounts, for my online banking, for paypal, and for eBay. Then there's a couple secondary level passwords for things that are somewhat important but that wouldn't cost me anything if they got hacked. Lastly, I have a couple generic ones for places like DT.

That's the problem with so many sites that really shouldn't require passwords doing so, and many of them requiring convoluted 8 character, mixed upper/lowercase, some special characters, etc. When sites like DT or other random forums require users to use really strong passwords, they just end up using the same password they use for their bank account. As much as they might like to think they are, most places on the internet aren't that important. :P

By callmeroy on 4/29/2011 11:59:10 AM , Rating: 2

I'll admit I do have a generic password I share with all my mundane accounts -- forums (like this and various other ones I participate in), some free game accounts use the same passwords...but...

My banking, mortgage and retirement accounts...completely unique and a mix of upper lower case symbols and numbers...

So if someone hacks my mundane account that's just annoying there's no "real" data linked to those accounts....

If someone hacks the banking one...well then that would suck...but that's why it's a strong pw and I'm fanatical about what goes on my computers and how often it's scanned for malware/viruses/etc.

By morphologia on 4/30/2011 6:25:28 PM , Rating: 1
"At the end of the day who knows if this "sale" is legit or if anyone will buy it. But this is a HUGE black mark for Sony as it represents one of the most grievous violations of customers trust to date."

So, basically, "the hacker community might be lying, but let's badmouth Sony as if they were telling the truth because they're a big, evil corporation?"

By DanNeely on 4/29/2011 9:20:42 AM , Rating: 3
It's also possible that Sony was storing the CVV/2 numbers even though they shouldn't have been. They wouldn't be the 1st company to do so, and Visa/MasterCard/etc. can't simply ban them from their services over it because Sony's just too big.

By kleinma on 4/29/2011 9:46:55 AM , Rating: 2
You don't always need a CVV2 code for a transaction to go through, even on an internet website. There are plenty of payment processing vendors that require nothing more than a credit card number, exp date (which you can usually make anything that is not yet expired) and an amount to process.

I know PayPal credit card processing services work like this, as do some others I have used in the past.

I am more surprised out of 70 million users only 2 million and change had a CC on file.

By Solandri on 4/29/2011 1:09:48 PM , Rating: 2
That's correct. The credit card companies all make the merchant liable for any fraud, so they give them tools which they can use to decide whether to accept or reject a transaction. The CVV2 code is one. A zip code / address / phone number check is another. All of these are optional security measures that the merchant can choose to use. They are not required for a transaction if the merchant chooses to forgo them.
I am more surprised out of 70 million users only 2 million and change had a CC on file.

IIRC, it's illegal (in the U.S.) to store a credit card number without the cardholder's consent. So probably 70 million used a credit card on PSN, but only 2 million opted to have PSN "remember" their credit card info so they wouldn't have to type it in again.

By cjohnson2136 on 4/29/2011 2:07:51 PM , Rating: 2
Sometimes the CVV number means nothing. The company I work for has you enter a CVV number when you purchase your service but it could be completely wrong and it will still authorize. As long as it is a 3 or 4 digit number (I think it depends on the card) it will be approved.

By fredgiblet on 4/30/2011 4:27:35 PM , Rating: 2
AMEX requires 4 (they take the last digit off the front and move it to the back).

By lowsidex2 on 4/29/2011 10:17:59 AM , Rating: 2
It wasn't that they didn't store it. They didn't ask for it.

'Keep in mind, however that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system.'

Those of you with an account should know.( I don't). Sounds like this sale is meant to be a joke. Those guys probably knew who was listening in.

By Chris Peredun on 4/29/2011 1:56:27 PM , Rating: 2
It wasn't that they didn't store it. they didn't ask for it.


By SpaceRanger on 4/29/2011 4:05:44 PM , Rating: 2
Regardless of whether or not they asked for it, they would be breaking the rules as part of the PCI-DSS standard for compliance:

I'd go out on a limb and say that in the US, it's against the law to store the CVV/CVC/etc.

By cjohnson2136 on 4/29/2011 4:17:53 PM , Rating: 2
Really the CVV is just a worthless number. Some companies don't ask for it, and some don't even need the number to be correct. The company I work for doesn't validate whether the number on the card is correct, because the machines that are used to swipe the card don't collect the information; all we validate is whether the number is a 3 or 4 digit number, depending on the brand of the card. So I doubt most companies even save that number since it is not used much.

By 4745454b on 4/29/2011 9:39:45 PM , Rating: 3
they would be breaking the rules

LOL, you think Sony cares about rules? I assume I don't need to remind you that they put a rootkit on some of their audio CDs so that if you played them in your computer it would get infected. And when caught, they released a "tool" to remove it, that only did more damage so that you had to reinstall windows. I don't think Sony cares at all about rules.

By CZroe on 4/29/2011 4:24:15 PM , Rating: 3
Wow. So Sony is out-right lying about never requesting it? Crazy. I based my post on what Sony said because I assumed that they wouldn't dare lie about something like that. Who knew?

Now, before re-reading their statement, I assumed that they used CVV/CSC for the initial verification before storing the other details because it ensures that you have the actual card and not a cloned skimmed/sniffed card (data is not in the mag strip or RFID). After that, they optionally stored everything else for convenience. Someone cloning your card wouldn't likely be making purchases on the same PSN account with the saved details, so there is no reason to require the CVV again unless it is being added to a new/different account. Otherwise, it's a stolen PSN account and not a stolen CC being used anyway. Verifying stored details with CVV is pointless. Storing it is a huge no-no because the whole point is to ensure physical access to the card by requiring something that cannot be copied electronically and can only be verified live by the CC company. Live interception by trojan, phish, etc, and physically seeing the card should be the only way to get one short of hacking the CC company.

By CZroe on 4/30/2011 12:20:31 AM , Rating: 2
Looks like Sony finally updated their statement and made this post on their blog:
"While we do ask for CCV codes, we do not store them in our database."

So, either the people are lying about having Sony's information with CVV codes, or Sony's lying about not storing them, or they've been compromised for a long time (years) and they have been intercepted at the moment of the first transaction.

By Moishe on 5/2/2011 4:31:01 PM , Rating: 3
Just days after the hack, I had a $1600+ Hungarian plane ticket charged to my card... Coincidence? I think not.

Sony is a bunch of arseklowns for this breach.

Thank you
By tigz1218 on 4/29/2011 8:35:20 AM , Rating: 5
Thank you for the update Jason. Last I heard on most msm websites was that there was no evidence of CCs being stolen.

I canceled all of my cards and changed account passwords that used the same as my PSN password. I highly advise anyone who hasn't done this yet to get moving!

RE: Thank you
By DNAgent on 4/29/2011 8:55:16 AM , Rating: 3
I'll second that thanks. The worst part of this entire fiasco has been Sony's communication (or lack thereof) with their customers. One single email after 8 days of inexplicable service outage, and now that there is confirmation of stolen CC numbers we still have to learn about it from third parties.

Way to establish consumer confidence, Sony.

RE: Thank you
By CZroe on 4/29/2011 9:04:19 AM , Rating: 2
That's HARDLY confirmation. The details even conflict.

It's not uncommon in illegal trade circles for someone to lie about what they have and the CVV discrepancy points to it likely being a lie.

RE: Thank you
By theslug on 4/29/2011 11:15:23 AM , Rating: 2
I take this to mean you only cancelled cards that you had used on the PSN at one point?

RE: Thank you
By tigz1218 on 4/29/2011 12:47:13 PM , Rating: 2
That is correct, sorry should have worded that better.

RE: Thank you
By dubldwn on 4/29/2011 12:16:03 PM , Rating: 2
I just got off the phone with my CC company. They had a little spiel prepared where they told me not to worry about changing my card number, that I wouldn't be responsible for any charges, and that maybe I would be interested in some additional pay services, which I declined. Good enough for me.

RE: Thank you
By fcx56 on 4/29/2011 5:10:57 PM , Rating: 2
Hopefully you aren't planning on using some of the available funds associated with that card; if they do use it fraudulently you will potentially have to wait as they investigate the activity. A friend had her purse stolen and they used her VISA check card for purchases amounting to almost $3000. It was almost funny as they had used most of the money to pay utilities, which seems too obvious to me. The bank sorted everything out nicely although it still took around 20 days to get the majority back, with the remaining $200 coming almost two months later. The situation was handled, but wouldn't it be best still to avoid it all together? It certainly wasn't convenient, and the best part is that they issued her a new card to prevent future charges.

RE: Thank you
By Bonesdad on 4/30/2011 3:39:43 PM , Rating: 2
The last I heard there IS NO confirmation that CCs have been stolen and/or are actually being sold. The headline to this article is misleading and may in fact be false. Remember, Sony isn't the criminal in this case, though they certainly bear some responsibility for poor security.

and THIS. . .
By meluvcookies on 4/29/2011 9:31:52 AM , Rating: 3
...why I buy my PSN cards at the grocery store instead of giving Sony my CC information. It's still awful enough that my personal info was compromised, but thankfully I trusted my instincts and didn't give my CC info to them.

RE: and THIS. . .
By theslug on 4/29/2011 11:01:47 AM , Rating: 1
You seem to imply that you knew well ahead of time that giving Sony your CC info was not safe. What gave you that insight? It seems to me that until now, everyone figured it was as safe as using your CC info with any legit online service.

RE: and THIS. . .
By meluvcookies on 4/29/2011 12:08:15 PM , Rating: 2
Any conscientious consumer that does business online is always going to try to minimize their exposure. I'm not saying that anyone can see something like this coming, but to not see it as possible is naive. Places like newegg, you can't avoid giving CC info...but with the PSN making it so easy to just buy "credit" in $20s, it's a no-brainer IMO.

RE: and THIS. . .
By twhittet on 4/29/2011 2:29:07 PM , Rating: 2
Agreed. If PSN works like XBOX, then if you put your credit card in, they keep it on file and make it far too easy to use, and buying the card elsewhere protects yourself in multiple ways.

Class action lawsuit time
By GatoRat on 4/29/11, Rating: 0
RE: Class action lawsuit time
By MrTeal on 4/29/2011 1:43:52 PM , Rating: 3
Oh please. The lawyers will get a few million each, and everybody who signs on with the class action will get a "free" month of PSN access, a $10 discount on a PS4 purchase and a complimentary Sony coaster.

RE: Class action lawsuit time
By Lerianis on 4/29/2011 4:12:32 PM , Rating: 1
How have they become a 'shit' company compared to say.. Microsoft, Apple, etc.?

I don't see where they have.

RE: Class action lawsuit time
By wilzu on 4/30/2011 8:41:45 AM , Rating: 2
Go out of business? Sony has got more than 11 billion dollars of cash and cash equivalents on their balance sheet. They would not even have to collect new equity or debt in order to pay off the equivalent of the second biggest class action lawsuit in history. Enron paid 7.2 billion.

RE: Class action lawsuit time
By Bonesdad on 4/30/2011 3:41:13 PM , Rating: 2
wow, rage-rant?

Sony should buy the database
By BugblatterIII on 4/29/2011 9:12:02 AM , Rating: 2

I'm debating whether to cancel my card. This may just be yet another scare that turns into nothing, but this is the first of those scares that's included MY credit card.

Given the number of legitimate transactions my card provider has blocked I'd hope that they'd catch anything nefarious, and as I understand it they're liable for any losses as long as I've taken reasonable precautions.

Hearsay on a news site is a long way from official notification, so I don't believe I can be blamed for not changing my details at this stage.

However if Sony confirms that the CC details have been stolen then I think I'll go ahead and cancel the card, even though it's going to cause me lots of hassle.

I think when PSN is back up I'll be cancelling that too. What the hell all this information was doing in the same place I'd love to know. I'm development manager for an online travel insurance company. We take payments online but credit card information never even touches our systems. However we're still able to re-bill the credit cards. It's not that difficult; there's really no need to store the details on your own systems. They probably thought they were impregnable; arrogance pure and simple.
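BugblatterIII's description above (payments and re-billing work, yet card numbers never touch the merchant's own systems) is the tokenization pattern: the processor keeps the PAN and hands the merchant an opaque token. The following Python is an added example written for this page, not code from the original comment, from Sony or from any real payment provider. `ProcessorVault`, `Merchant`, the `tok_` token format and the merchant-scoped token check are illustrative assumptions; 4111 1111 1111 1111 is the industry's standard Visa test number.

```python
import re
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, the standard card-number format check."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    parity = len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class ProcessorVault:
    """Hypothetical payment processor. It alone holds the PAN and hands the
    merchant an opaque token that is bound to that merchant."""

    def __init__(self):
        self._cards = {}  # token -> (merchant_id, pan, exp)

    def tokenize(self, merchant_id: str, pan: str, exp: str, cvv: str):
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        # A real processor verifies the CVV with the issuer on this first
        # authorization; here only its format is checked. Either way it is
        # never written anywhere: PCI DSS forbids storing it after auth.
        if not (cvv.isdigit() and len(cvv) in (3, 4)):
            raise ValueError("invalid security code")
        token = "tok_" + secrets.token_urlsafe(16)
        self._cards[token] = (merchant_id, pan, exp)
        return token, pan[-4:]

    def charge(self, merchant_id: str, token: str, amount_cents: int) -> dict:
        rec = self._cards.get(token)
        if rec is None or rec[0] != merchant_id:
            # A token lifted from merchant A is worthless to merchant B.
            return {"ok": False, "reason": "unknown token for this merchant"}
        return {"ok": True, "amount_cents": amount_cents, "last4": rec[1][-4:]}


class Merchant:
    """The online service. Its database holds only token, last four and expiry."""

    def __init__(self, merchant_id: str, vault: ProcessorVault):
        self.merchant_id = merchant_id
        self.vault = vault
        self.cards_on_file = {}  # user -> (token, last4, exp)

    def save_card(self, user: str, pan: str, exp: str, cvv: str) -> None:
        token, last4 = self.vault.tokenize(self.merchant_id, pan, exp, cvv)
        self.cards_on_file[user] = (token, last4, exp)

    def rebill(self, user: str, amount_cents: int) -> dict:
        token, _, _ = self.cards_on_file[user]
        return self.vault.charge(self.merchant_id, token, amount_cents)


PAN_PATTERN = re.compile(r"\d{13,19}")


def dump_contains_pan(merchant: Merchant) -> bool:
    """Simulate the breach: an attacker who copies the merchant DB greps it
    for anything that looks like a full card number."""
    return any(PAN_PATTERN.search(str(field))
               for row in merchant.cards_on_file.values() for field in row)


if __name__ == "__main__":
    vault = ProcessorVault()
    store = Merchant("game-store", vault)
    store.save_card("alice", "4111111111111111", "12/13", "123")
    print("rebill:", store.rebill("alice", 999))
    print("full PAN in merchant dump:", dump_contains_pan(store))
    stolen_token = store.cards_on_file["alice"][0]
    print("stolen token used elsewhere:", vault.charge("other-merchant", stolen_token, 999))
```

The merchant can re-bill indefinitely, but a copy of its database yields no card numbers and no security codes, and because the processor binds each token to the merchant it was issued to, a token stolen from this store cannot be charged from anywhere else. That is why a breach of a tokenized merchant looks very different from the one described in the article.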

RE: Sony should buy the database
By crazyblackman on 4/29/2011 3:34:39 PM , Rating: 1
This is the DailyTech equivalent of a Fox New's "BREAKING NEWS" cut in.

Cue the condescending, arrogant narrator's voiceover leading in..."WE DISTORT, YOU DECIDE."

RE: Sony should buy the database
By Bonesdad on 4/30/2011 3:41:56 PM , Rating: 2

By Reclaimer77 on 4/29/2011 6:19:20 PM , Rating: 2
I think when PSN is back up...

You mean IF, right? In Internet years PSN has been down for 20.

If your data was stolen...
By Beenthere on 4/29/2011 9:56:13 AM , Rating: 4
...thank a hacker. I hope they catch this/these criminals and convict them.

RE: If your data was stolen...
By icanhascpu on 4/29/2011 10:28:59 PM , Rating: 1
Thank the hackers for showing us how poorly sony deals with this sort of thing.

By Flunk on 4/29/2011 8:57:28 AM , Rating: 2
Anyone who has ever used their card on PSN should call their credit card company and get them to issue you a new card. You have to be proactive and look after yourself.

RE: Seriously
By Jalek on 4/29/2011 5:16:15 PM , Rating: 2
It's been years since I bought anything from them, I wish I knew which card number they have. I'm sure they don't purge them after 3 years or anything sensible like that.

CC vs Password
By cigar3tte on 4/29/2011 11:35:59 AM , Rating: 4
I'm a lot more concerned about losing my password than I am about the credit card information.

By morphologia on 4/30/2011 6:21:29 PM , Rating: 2
The credit card info was protected by encryption and was separate from the other data. They don't have the credit card data, they just want people to think they to do further discredit Sony, out of spite. And people are lapping this up, fueled by the anti-corporation-hack-the-planet Anonymous fanboy worship.

Wake up...if Sony victimizes people by using them and deceiving them, what are Anonymous and GeoHot doing?

By Wiggy Mcshades on 5/1/2011 3:25:24 PM , Rating: 2
Sony got six pooled.

Misleading Title
By adiposity on 4/29/11, Rating: 0
RE: Misleading Title
By Bonesdad on 4/30/2011 3:43:20 PM , Rating: 1
Why voted down? Unless I missed something, this comment is accurate.

"Can anyone tell me what MobileMe is supposed to do?... So why the f*** doesn't it do that?" -- Steve Jobs

Copyright 2016 DailyTech LLC.