Unfortunately for Sony, it seems that our analysis was correct and that hackers have managed to compromise the PlayStation Network, with dire consequences for the company and - more importantly - for its customers.
On the sixth day of the PSN outage, Sony warned customers to watch out for identity theft and credit card fraud, as the hackers who breached the PSN have managed to plunder user names, passwords, addresses, birth dates, and other information belonging to 77 million customers.
According to an FAQ available on the official PlayStation Blog, Sony suspects that "an unauthorized person has obtained the following information provided by PlayStation Network/Qriocity account holders: name, address (city, state, zip), country, email address, birth date, PlayStation Network/Qriocity password, login, and handle/PSN online ID. Other profile data may also have been obtained, including purchase history and billing address (city, state, zip). If an account holder has authorized a sub-account for a dependent, the same data with respect to that dependent may have been obtained. If an account holder provided credit card data through PlayStation Network or Qriocity, it is possible that the credit card number (excluding security code) and expiration date may also have been obtained."
Several PSN users have already reported fraudulent charges of a few hundred dollars withdrawn from their debit and credit cards. Some of those charges were caught by banks' anti-fraud systems, but others went uninterrupted until victims noticed and reported them.
There is a consensus among security experts that the whole matter reeks of incompetence, as it couldn't have occurred had Sony followed basic security guidelines such as never trusting the client side, never storing sensitive data unencrypted, and never betting the whole system's security on a single key.