Sony PlayStation Network hacked – millions of card details at risk?

The company, whose PSN has been down since last Wednesday, says that said that the data may have fallen into the hands of an "unauthorised person" following hack of the online service.

In a statement posted on the official PlayStation blog, Nick Caplin, the company's head of communications for Europe, said: "We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorised intrusion into our network."

"It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained," he added.

"For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information."

Sony has not indicated the hacker methodology or when the hack took place, but the service is reported to have around 70 million members worldwide.

According to Graham Cluley, senior security consultant with Sophos, the hack becomes a much bigger problem for users who have ignored advice about how to choose and use passwords.

"If you are a Sony customer and picked a password for your PlayStation account that matched the password for the email account you used to register at Sony, change your email password now", he said in his latest security blog.

Over at Stonesoft, Ash Patel, the firm's UK and Ireland manager, said that this is yet more evidence that hackers are more focused, persistent and resourceful than ever before.

"Businesses need to be more diligent than ever in ensuring there are no holes in their defences but, after years of warnings, it can't solely be that these large, well-resourced organisations don't have the right security products or strategy in place", he said.

"We have to assume that hackers are finding new ways around existing defences. The security industry and end-user organisations need to work more closely together to identify and tackle new security threats", he added.

Meanwhile, Christopher Boyd, senior threat researcher with GFI Software, said that the breach is extremely serious, but the key question is whether or not the person or group responsible was able to obtain the details of all 77 million PSN users or only some of them.

"Given the difficulties associated with confirming what has been compromised, Sony had no option but to go into full damage control mode in relation to the possibility of data theft and warn the public of the potential loss", he said.

"Keeping an eye out for unauthorised payments on credit and debit cards is a good idea for all users, but it's crucial that anybody reusing passwords across multiple accounts changes all their logins to be on the safe side", he added.

According to Boyd – who is a keen online gamer and is PaperGhost on Twitter – what is particularly frustrating for users of the PSN is that anybody unsure of what information is stored against their account, such as personal information, card details and password reset answers, won't know until the service is back online.

"It's crucial that access is restored as soon as possible so that users can confirm what information might have been compromised", he noted.

What’s Hot on Infosecurity Magazine?