screenshot of a hacker forum

Security researchers said Thursday that they had seen discussions on underground Internet forums indicating that the hackers who infiltrated the Sony PlayStation Network last week may have made off with the credit card numbers of Sony customers.

The comments indicated that the hackers had a database that included customer names, addresses, usernames, passwords and as many as 2.2 million credit card numbers, the researchers said.

Kevin Stevens, senior threat researcher at the security firm Trend Micro, said he had seen talk of the database on several hacker forums, including indications that the Sony hackers were hoping to sell the credit card list for upwards of $100,000. Mr. Stevens said one forum member told him the hackers had even offered to sell the data back to Sony but did not receive a response from the company.

Although several researchers confirmed the forum discussions, it was impossible to verify their contents or the existence of the database.



When asked about the hackers’ claims, Patrick Seybold, senior director of corporate communications and social media at Sony, said, “To my knowledge there is no truth to the report that Sony was offered an opportunity to purchase the list.” Mr. Seybold also pointed to a blog post Sony published Thursday that said: “The entire credit card table was encrypted and we have no evidence that credit card data was taken.” Sony has said that it could not rule out the possibility that hackers might have obtained credit card data.

“Sony is saying the credit cards were encrypted, but we are hearing that the hackers made it into the main database, which would have given them access to everything, including credit card numbers,” said Mathew Solnik, a security consultant with iSEC Partners who frequents hacker forums to track new hacks and vulnerabilities that could affect his clients. Mr. Solnik said that people on the forums had details about the servers used by Sony, which may indicate that they had direct knowledge of the attack.

Mr. Solnik said researchers believe that the hackers gained access to Sony’s database by hacking the PS3 console and from there infiltrating the company’s servers.

Dan Kaminsky, an independent Internet security specialist, said in a phone interview that he had also seen forum posts about a Sony credit card database, but he said he could not confirm who was behind the attack. “These attacks just keep getting larger and larger and larger,” he said. “The security measures technology companies employ today are just not robust enough.”

The San Diego office of the Federal Bureau of Investigation, which is helping Sony with its inquiry into the hacking incident, declined to comment.