An unidentified hacker reportedly breached the XBOX 360 and PlayStation Portable ISO forums compromising 2.5 million gamer accounts.

The breaches occurred approximately around September 2015 and compromised email addresses, account passwords and IP addresses, according to independent researcher Troy Hunt.

Gamers who use the accounts are advised to reset the passwords for all of their gaming accounts. Although the breaches may have affected a great deal of gamers, some researchers believe the gaming community may not be hit as hard as by the breach as some would think.

Xbox and PSP users are pretty tech savvy bunch with accounts for many different services, Jonathan Sander, vice president at Lieberman Software, told SC Media.

With all of the breaches that have plagued the gaming platforms, Sander said, if the Xbox and PSP crew haven’t learned that they can’t use the same email and password on every service by now, then likely it’s game over for their personal data.

“As breach after breach has shown that using the same username and password for multiple sites is a bad idea, you would have to imagine this group would have gotten that message by now,” Sander said. “When you see a dump of passwords hit a much less techie site, you can be sure that huge number of the victims are going to have to go around changing their credentials on the many sites where they foolishly used the same details over and over.”

Some researchers aren’t as optimistic and believe the breaches just serve as another example of consumers needing to practice safer habits with their information.

Unfortunately the damage may have already been done, Jeff Hill, Prevalent Director, Product Management at the security firm, Prevalent told SC Media.

“Like rushing to close the barn door after most of the horses have escaped, changing the passwords at the time of an announcement of a breach may provide some comfort but precious little protection,” Hill said. “The initial breach occurred in September 2015, giving the attackers 17 months to operate undetected, more than enough time to find and exfiltrate enough data to profit greatly from their efforts.”

Hill added that at this point its not even clear that the breaches were detected rather than the attacker milked the stolen information for what it was worth and rendered the rest useless. Other researchers weren’t as pessimistic as Hill but expressed a similar lack of optimism for those affected by the breaches.

“While this site is mostly used to distribute pirated copies of games, DVD’s and BluRays, consumers who use the forums need to make sure that they are vigilant, NuData Security Vice President of Business Development Robert Capps told SC Media. “Keep alert to any phishing scams that may appear in email as a result of this hack, changing passwords on any site where the passwords or usernames used on these sites are used.”

He went on to say that they data will likely be sold on the dark web and used for future cybercrime and that it’s a good reminder for users to choose unique passwords on all sites that require registration.

SC Media attempted to reach out to Sony for comment but they have yet to respond and Microsoft has declined to comment.

“Like rushing to close the barn door after most of the horses have escaped, changing passwords at the time of an announced breach may provide some comfort, but precious little protection. The initial breach occurred in September 2015, giving the attackers 17 months to operate undetected, more than enough time to find and exfiltrate enough data to profit greatly from their efforts.

“Like rushing to close the barn door after most of the horses have escaped, changing passwords at the time of an announced breach may provide some comfort, but precious little protection. The initial breach occurred in September 2015, giving the attackers 17 months to operate undetected, more than enough time to find and exfiltrate enough data to profit greatly from their efforts.

“Like rushing to close the barn door after most of the horses have escaped, changing passwords at the time of an announced breach may provide some comfort, but precious little protection. The initial breach occurred in September 2015, giving the attackers 17 months to operate undetected, more than enough time to find and exfiltrate enough data to profit greatly from their efforts.

“Like rushing to close the barn door after most of the horses have escaped, changing passwords at the time of an announced breach may provide some comfort, but precious little protection. The initial breach occurred in September 2015, giving the attackers 17 months to operate undetected, more than enough time to find and exfiltrate enough data to profit greatly from their efforts.

“Like rushing to close the barn door after most of the horses have escaped, changing passwords at the time of an announced breach may provide some comfort, but precious little protection. The initial breach occurred in September 2015, giving the attackers 17 months to operate undetected, more than enough time to find and exfiltrate enough data to profit greatly from their efforts.

“Like rushing to close the barn door after most of the horses have escaped, changing passwords at the time of an announced breach may provide some comfort, but precious little protection. The initial breach occurred in September 2015, giving the attackers 17 months to operate undetected, more than enough time to find and exfiltrate enough data to profit greatly from their efforts.