Sony has admitted that personal details of its customers were stolen in an "external intrusion"into its PlayStation Network last week.
Sony took the PlayStation Network offline last Wednesday and was yet to determine when it would resume services. Sony foreshadowed at the time that something was amiss with the tweet reminding customers that it would never ask for their passwords.
In a blog post last night, it warned that "an unauthorised person" had stolen users' names, addresses, email addresses, birth dates, passwords and login information between April 17 and 19.
The hacker may also have obtained users' profile data, including buying history, billing address and password security answers, Sony wrote.
"While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility," Sony added.
"If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."
On Saturday, Sony said it was rebuilding its systems and reiterated that it faced a security problem. However it did not shed any light on the nature of the problem, sparking fears that some of its 75 million customers’ credit card details could have been stolen by hackers.
“Our efforts to resolve this matter involve rebuilding our system to further strengthen our network infrastructure. Though this task is time consuming, we decided it was worth the time necessary to provide the system with additional security,” said company spokesman Patrick Seybold at the time.
Following the announcement last night, Graham Cluley, senior technology consultant at security vendor Sophos, warned that up to 70 million PlayStation Network users could be at risk of identity theft. That number may be as high as 77 million.
He warned that hackers could exploit the stolen information to break into users' other online accounts, launch phishing scams or malware attacks, or make purchases using stolen credit card information.
"This security breach is not just a public relations disaster for Sony, it's a very real danger for its many users," he wrote, urging users to change passwords, audit their online accounts, and monitor their credit card statements.
"The fact that credit card details ... may also have been stolen is obviously very worrying ... Questions clearly have to be asked as to whether Sony was ignorant of PCI data security standards and storing this and other personal data in an unencrypted format."
"For once, we didn't do it"
Hacker collective Anonymous, which had launched #OpSony to protest against Sony’s legal action against PlayStation hackers Geroge Hotz and Graf_Chokolo, quickly denied responsibility for the network outage.
The group issued a statement on Friday that “For Once We Didn’t Do It”, claiming that Sony was using the collective’s “ill-will” toward it to conceal an internal server problem.
Unconfirmed reports soon after the disruption began suggested Sony servers were the targets of distributed-denial-of-service attacks using LOIC, a tool favoured by Anonymous, leading to the compromise of admin developer accounts.
Other online commentators subsequently speculated that Sony shut down its network in response to a firmware hack.
“Chesh420”, a moderator at the PlayStation modification and hacking forum, PSX-Scene, pointed to the custom firmware “Rebug”. Released on March 31, it allowed blacklisted units back on to Sony’s network by giving consumer units access to the developer domain of its network.
“It essentially turns a retail console into a dev console,” he explained in a post published on Reddit yesterday.
Access to this domain also allowed users to buy content with fake credit card details.
“What happened next was extreme piracy of PSN content. Sony realising the issue here shut down the network," Chesh420 speculated.