Sony Admits 10 Million Credit Card Accounts May Have Been Compromised

It’s a good thing Sony warned people to cancel their credit cards just in case, because as part of the company’s Tokyo press conference yesterday PlayStation boss Kaz Hirai admitted that up to ten million customers’ accounts could have been hacked into.

That’s not the personal details on their PSN account – all 77 million of those were up for grabs – that’s ten million customers’ credit card details. While this is still yet to be “confirmed” by Sony, we’ve certainly heard from enough of you over the past seven days with tales of iffy online transactions to make it seem entirely possible.

While it’s been confirmed that CVV2 details – which are requested as part of PSN transactions, but not stored on Sony’s servers – were not obtained, it’s possible for hackers to obtain the three-digit codes via simple brute force, especially when they have their hands on the rest of the card’s details.


  • “It’s possible for hackers to obtain the three-digit codes via simple brute force, especially when they have their hands on the rest of the card’s details”
    Are there facts to back this up…? I would imagine that most credit card processing back-ends would trigger a lot of “fraud” detection bells if someone tried to use a card with multiple different CCVs over a short period of time.
    That said, depending on the rulesets for the card; the CCV is not required more often than not.

    I imagine this will be quite costly for the card-providers and banks (not to mention Sony’s reputation); but I’m still failing to see how it will be much more than an inconvenience to the card holders (who are pretty much legally protected).

    Is there any solid word yet on whether the passwords leaked were hashed (and salted)? The last press I read indicated that they in fact were (whereas initial press releases had suggested otherwise).

    • I still think that they would be able to Brute force some of them.

      For example, CCV is 3 numerical digits. There would therefore be 1000 possible combinations.

      If you have 10,000,000 credit cards, and for example, you just used CCV of 454, theoretically (law of large numbers etc) you should successfully guess 10,000 credit cards. Now let’s assume that each site allows 3 errors before it stops you transacting on that card, then there should be another approx 20,000 accounts.

      I should therefore be able to get 30,000 credit cards with all required information.

      Now depending on how sophisticated the sites are and how they interact with the bank, the number is likely larger. Not to mention that of those 30,000 accounts, they can be used more than once.

      I have no idea what I am talking about btw, just as I see it brute force would have to yield some results.

      • Makes sense to me…as someone who also has no real idea.

        I hope Sony’s new system works well, cause I just got a PS3 and I’m keen to go shopping on PSN (I’m more of a “fool me ten times” kinda guy)!

  • @Tyris, Passwords were indeed hashed according to yesterday’s press release, but in terms of encryption, there was no such encryption on passwords, only CC info.

  • I’m kind of lost, should I be cancelling my card or not? I didn’t want to jump the gun after the initial reports, but I’m kind of confused now as to whether they have my CC details, and if they can even use them.

    • Yeah that’d be nice to know. In the meantime I’ve just taken all the money off my card until further notice. Figure if there’s no money to take off it there’s nothing for me to lose.

      • Probably a wise course of action. I’ve actually got a separate credit card which isn’t linked to any other accounts, and with a very low ($1,000) limit. I use this for any situation where I have to let my credit card details out into the wild (e.g. PSN, direct debits for my phone and internet bills, any internet shopping etc). So worst case is that $1,000 gets ripped off it, which isn’t really catastrophic and, as other posters above pointed out, isn’t my problem anyway. And in any case that card expired just before the PSN outage and I hadn’t got around to updating PSN with the new details.

        So I’m not too concerned about the credit card, which just leaves my personal info (name, address, birthday etc). But to be honest I’ve been working on the assumption that’s already out here for a couple of years now anyway. There are just so many different places storing it, and so many ways for evildoers to get their hands on it, that it seems more likely than not that it’s already been obtained. Hell, if you’re enrolled to vote then those details are already on the electoral roll, and that information is in the hands of every political party in the country, and if you think all of them will keep it safe and secure then you’re a more trusting person than me.

    • Currently SONY, Visa, MasterCard and American Express have recommended that you remain cautious, though they don’t believe credit card information has been compromised it isn’t impossible so make sure you check for any charges that were not from you. Of course this doesn’t mean that getting your credit card replaced is a bad thing — it just isn’t really needed at the moment.

      As for brute force attacks on CVV2 numbers, I doubt that’ll be possible 1) incorrect CVV2 number attempts will eventually lock your card (I’m not sure on the numbers though there is a 24hr limit and monthly limit IIRC).

    • Cancel it. It’s less of a mindsnare than dealing with unauthorised transactions. Slide the thing between your cheeks to destroy the magnetic strip and fold it into a swan.

      Actually, don’t do that. Just cancel it.

  • Thankfully for me I know the card stored on psn has long since expired as I haven’t purchased anything in awhile; the hackers got next to nothing from me.

  • IMHO I don’t think that whoever may be responsible for the hack will use our Card details for the simple reason it’s not us the gamers they are attacking, it’s Sony. As a consequence online PSN and Qriocity gamers have already paid the price of not being able to play online I don’t think accessing our finances and hurting users is what these guys are about their beef is with Sony. Besides any wise person checks their accounts for discrepancies regularly anyway don’t they, there are more ways than just hardcore superhackers out there who can get these details, scammers, skimming machines…

  • I cancelled my card the day that Sony first outed that ‘credit card information may have been stolen’. Cut up my card, and a new one was resent to me within a couple of days; unexpected, for Commbank to actually be helpful for a change. The new card looks crap btw, it’s transparent…

    And just on another topic… is it possible that the Steam connection between Portal 2 users on PC/Mac and those on Ps3 could’ve caused this? As in giving the hackers a gateway through? Or just a side effect of George Hotz’s entrepreneurism?
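
The two positions in the comments above, per-card limits on wrong CVV2 attempts versus a single guess spread across many cards, correspond to two different detection rules on the processor or merchant side. The sketch below is an added example, not from the article or any commenter; the log fields, source names and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample authorisation log: (unix_time, source_id, card_token, cvv_matched).
# Field names, tokens and thresholds are assumptions for illustration only.
SAMPLE_EVENTS = [
    (1000, "shop-a", "card-01", False),
    (1030, "shop-a", "card-01", False),
    (1060, "shop-a", "card-01", False),   # third miss on the same card
    (2000, "shop-b", "card-10", False),   # one miss per card, many cards
    (2005, "shop-b", "card-11", False),
    (2010, "shop-b", "card-12", True),
    (2015, "shop-b", "card-13", False),
    (2020, "shop-b", "card-14", False),
    (2025, "shop-b", "card-15", False),
    (9000, "shop-c", "card-20", False),   # isolated typo, should not alert
]

def detect_cvv_guessing(events, window=600, per_card_limit=3, per_source_limit=5):
    """Return (flagged_cards, flagged_sources) from CVV mismatch events."""
    card_misses = defaultdict(deque)      # card -> timestamps of recent misses
    source_misses = defaultdict(deque)    # source -> (timestamp, card) of recent misses
    flagged_cards, flagged_sources = set(), set()
    for ts, source, card, cvv_ok in sorted(events):
        if cvv_ok:
            continue
        # Rule 1: repeated mismatches against one card inside the window.
        q = card_misses[card]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= per_card_limit:
            flagged_cards.add(card)
        # Rule 2: mismatches on many distinct cards from one source. No single
        # card reaches its own limit, so rule 1 alone stays silent here.
        s = source_misses[source]
        s.append((ts, card))
        while s and ts - s[0][0] > window:
            s.popleft()
        if len({c for _, c in s}) >= per_source_limit:
            flagged_sources.add(source)
    return flagged_cards, flagged_sources

if __name__ == "__main__":
    print(detect_cvv_guessing(SAMPLE_EVENTS))
```
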
