PlayStation Network hacked: Personal data of up to 70 million people stolen

PlayStation NetworkUsers of Sony’s PlayStation Network are at risk of identity theft after hackers broke into the system, and accessed the personal information of video game players.

The implications of the hack, which resulted in the service being offline since last week, are only now becoming clear as Sony has confirmed that the hackers, who broke into the system between April 17th and April 19th, were able to access the personal data of online gamers.

In a blog post, Sony warns that hackers have been able to access a variety of personal information belonging to users including:

    * Name
    * Address (city, state, zip code)
    * Country
    * Email address
    * Date of birth
    * PlayStation Network/Qriocity password and login
    * Handle/PSN online ID

Sony statement

In addition, Sony warns that profile information – such as your history of past purchases and billing address, as well as the “secret answers” you may have given Sony for password security may also have been obtained.

Sign up to our free newsletter.
Security news, advice, and tips.

As if that wasn’t bad enough, Sony admits that it cannot rule out the possibility that credit card information may also have been compromised:

While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

The fact that credit card details, used on the network to buy games, movies and music, may also have been stolen is obviously very worrying, and affected users would be wise to keep a keen eye on their credit card statements for unexpected transactions. Questions clearly have to be asked as to whether Sony was ignorant of PCI data security standards and storing this and other personal data in an unencrypted format.

So how could hackers exploit the information stolen from the Sony PlayStation Network?

1. Break into your other online accounts. We know that many people use the same password on multiple websites. So if your password was stolen from the Sony PlayStation Network, it could then be used to unlock many other online accounts – and potentially cause a bigger problem for you.

So you should always use unique passwords.

Oh, and you better be sure that you have changed your “secret answers” too.

2. Email you phishing scams or malware attacks. If they stole your email address from Sony, they can now email you. And it wouldn’t be difficult for the cybercriminals to create an email which pretended to be a legitimate organisation (perhaps Sony themselves?) to steal more information or carried a Trojan horse designed to infect your computer. The fact that they know your name and snail-mail address could make the email even more convincing.

3. Hit you in the wallet. If your credit card details have been exposed by the Sony PlayStation Network hack then you could find fraudsters begin to make purchases from your account – if you notice that money is missing, you’ll have to go through the rigmarole of claiming the money back from your credit card company.

Sony controllerThis security breach is not just a public relations disaster for Sony, it’s a very real danger for its many users.

If you’re a user of Sony’s PlayStation Network now isn’t the time to sit back on your sofa and do nothing. You need to act now to minimise the chances that your identity and bank account becomes a casualty following this hack.

That means, changing your passwords, auditing your other accounts, and considering whether you should keep a closer eye on those credit card statements or simply telling your bank that as far as you’re concerned the card is now compromised.

Should you cancel your credit card?

Look at it this way.

Cancel credit card

If I lost my credit card in the back of a taxi I would cancel my card. I wouldn’t wait for a fraudster to sting it for cash. If Sony has lost your credit card details then it’s worse as the credit card information is now being held digitally, right in the hands of people best placed to exploit it.

So, yes. I would cancel my credit card.

More information can be found in Sony’s blog post and in their FAQ.

Update: Sony has now said that the credit card data was encrypted, but questions still remain about the strength of that encryption.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.