The hackers who broke into the PlayStation Network are now reportedly attempting to sell the stolen credit card numbers on "underground hacker forums."
"The hackers that hacked PSN are selling off the DB," Keven Stevens, a security analyst with Trend Micro, wrote on Twitter. "They reportedly have 2.2 million credit cards with CVVs." With that ominous notice, the word went out that PSN customers who provided their credit card details to Sony are indeed facing a very real risk of fraud. He said the hackers are claiming the database includes full names, addresses, telephone numbers, email addresses, passwords, dates of birth, credit card numbers, CVV2s ["card verification values," the three-digit security code used to confirm the validity of the card in transactions where the card isn't present] and expiration dates - in other words, pretty much everything.
Stevens acknowledged that he hasn't seen the database and so cannot verify the truth of the claims, but dismissed suggestions that the attempted sale isn't actually happening. "It is not a rumor, it was a conversation on a criminal forum," he tweeted. He also noted that Sony was "supposedly" offered a chance to buy back the information but refused, although Sony's Patrick Seybold denied that claim, saying, "To my knowledge there is no truth to the report that Sony was offered an opportunity to purchase the list."
iSEC Partners security analyst Mathew Solnik said some of the people involved in conversations on hacker forums had detailed information about Sony's servers, suggesting "direct knowledge" of the attack. "Sony is saying the credit cards were encrypted, but we are hearing that the hackers made it into the main database, which would have given them access to everything, including credit card numbers," he said.
The first claim of credit card fraud arising from the PSN hack was made yesterday by an Australian man, who noticed $2000 in new charges on his account including several $1 transactions made on April 23, typically evidence of test runs to determine if an account is valid. Other reports, including $1500 spent in a German grocery store with a U.S. credit card, have also begun to rise to the surface; there is no proof, however, that these charges are actually connected to the PSN breach.