Sony: “No truth” in credit card list sale, passwords were hashed

By Patrick Garratt

Sony has sought to dispel talk of over 2 million credit card numbers being offered for sale online, and has clarified how user passwords were stored on PSN before the service was hacked last month.

Speaking on the PS Blog, SCEA comms head Patrick Seybold said: “To my knowledge there is no truth to this report of a list, or that Sony was offered an opportunity to purchase the list.”

Trend Micro’s Kevin Stevens tweeted last Friday that he had seen that a list of 2.2 million credit card numbers was being offered for sale on hacker forums, and that the information had been offered to Sony for a price.

Further, Seybold explained exactly how credit card information had been stored on PSN following confusion over whether or not the data was “encrypted”.

“While the passwords that were stored were not ‘encrypted,’ they were transformed using a cryptographic hash function,” he said.

“There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form. For a description of the difference between encryption and hashing, follow this link.”

Seybold added that Sony continues “to work with law enforcement and forensic experts to identify the criminals behind the attack.”

PSN was hacked in mid-April and Sony took the entire service offline, warning that user information had been compromised.

Sony said in a press conference this weekend that services will begin to be restored this week.
