Following the famous PSN hack, several reports published online and in print claimed that a large section of the PSN database, containing complete personal details along with credit card numbers, was available for sale.
"Supposedly the hackers selling the DB says it has: fname, lnam, address, zip, country, phone, email, password, dob, ccnum, CVV2, exp date," security researcher Kevin Stevens posted on Twitter, "it is not a rumor, it was a conversation on a criminal forum."
Of course these reports contradict Sony's earlier statement that credit card data was encrypted.
Responding to those reports, Sony issued another statement, reassuring users that the data was indeed encrypted.
"We want to state this again given the increase in speculation about credit card information being used fraudulently. One report indicated that a group tried to sell millions of credit card numbers back to Sony. To my knowledge there is no truth to this report of a list, or that Sony was offered an opportunity to purchase the list," Patrick Seybold, Senior Director, Corporate Communications & Social Media, wrote on the official PlayStation blog.
"…While the passwords that were stored were not "encrypted," they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted."
Cryptographic hashing is a little more secure than leaving the data in plaintext, but it is easier to crack than proper encryption.
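Sony's statement names neither the hash function nor whether a salt was used, and how hard hashed passwords are to recover depends on both. The following added example (not from the original article or from Sony; the accounts, passwords, iteration count and function names are constructed for illustration) stores the same passwords under a single fast unsalted hash and under salted, iterated PBKDF2, then audits which table reveals users who share a password.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; alice and bob share a password on purpose.
ACCOUNTS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
ITERATIONS = 200_000  # assumed work factor for this illustration


def fast_unsalted(password):
    """Weak scheme: one pass of a fast hash, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_salted(password, salt=None):
    """Stronger scheme: per-user random salt plus an iterated KDF."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(slow_salted(password, salt)[1], expected)


def shared_values(table):
    """Audit helper: groups of users whose stored values are identical."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def build_tables(accounts):
    """Store every account under both schemes for comparison."""
    weak = {u: fast_unsalted(p) for u, p in accounts.items()}
    strong = {u: slow_salted(p) for u, p in accounts.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_tables(ACCOUNTS)
    print("unsalted, shared values:", shared_values(weak))
    print("salted, shared values:  ", shared_values(strong))
```

In the unsalted table, identical passwords yield identical stored values and digests can be computed once for all users; the per-user salt removes both properties, and the iteration count raises the cost of every guess.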
As it has since the start of the debacle, Sony reminded users that it would never contact them in any way to ask for a credit card number or any other personal information, and that any such requests are definitely scams.
In the meantime, PSN users are advised to change the passwords and security questions for their email and other services if they contain data they used on the PSN. PSN users should also remember to log in and change their passwords as soon as the service is back online.