"While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility," a company spokesman wrote Tuesday. Sony said in an FAQ posted today that the credit card data was encrypted and reiterated that it had no evidence the data was stolen.
However, Kevin Stevens, a security expert with Trend Micro, said in a tweet today he had seen discussions on online forums in which the purported hackers were offering to sell a database of 2.2 million Sony customer credit card numbers stolen during the PSN attack.
"Sony was supposedly offered a chance to buy the DB [database] back but didn't," Stevens said, adding that, "No, I have not seen the DB so I can not verify that it is true."
"Supposedly the hackers selling the DB says it has: fname, lnam, address, zip, country, phone, email, password, dob, ccnum, CVV2, exp date," he said, referring. The less obvious acronyms refer to credit card holders' first name, last name, credit card number, and credit card security code.
Internet security blogger Brian Krebs, who noted witnessing similar activity, posted screenshots of the discussion on his Krebs on Security blog.
Neither Stevens nor Krebs said they had seen the actual database, but the information may already be circulating among cybercriminals. Reports began trickling out yesterday from PSN users about recent fraudulent charges on the credit cards they used for the PlayStation service.
An employee of GameFly Media tweeted that a colleague's card was used to buy $1,500 worth of goods at a grocery store in Germany. Meanwhile, a reader of gaming site VGN365 said his bank had informed him of a fraudulent $300 debit card withdrawal this weekend.
Another person, posting on video game forum site Neogaf.com, reported $600 in fraudulent withdrawals.
The breach has already prompted a lawsuit and a letter to Sony from Connecticut Sen. Richard Blumenthal saying he was troubled the company took a week to notify customers of the breach and urging Sony to provide free credit protection services to prevent identity fraud and theft.
Update, April 29 at 1:47 p.m. PT: The source of the initial tip, Trend Micro's Kevin Stevens, downplayed the significance of the finding today, posting a message on Twitter saying: "This #PSNHack is turning into a bunch of FUD, it really is. I posted up what I saw to warn people, not to incite the masses to create FUD."