Data breach hits 70m Sony customers

More than 70m users of Sony’s online gaming network have had their names, e-mail addresses and passwords stolen by a hacker in one of the largest privacy breaches to date.

Sony announced on Tuesday that the information had been taken – six days after it closed the PlayStation Network – as it began e-mailing users of the free service with warnings to be on the lookout for scams.

The Japanese electronics and entertainment powerhouse said it was possible that credit card information had been taken as well, recommending that customers who had supplied those numbers online should review their bills carefully.

The breach is troubling because many Sony gamers are likely to have used the same passwords for e-mail and social networking accounts. The hacker could resell user name and password combinations to other criminals, who could take control of those accounts and mine them for bank account passwords or send bogus e-mails to friends’ addresses.

Sony said information taken in the breach included birth dates, home cities and possibly security questions and answers.

Security experts said PlayStation Network users who reused passwords should immediately change their login details on other sites.

The cache of e-mail addresses is one of the largest collections ever stolen, along with those from a breach disclosed last month by marketing firm Epsilon, said Jay Foley, executive director of the non-profit Identity Theft Resource Center.

E-mails alone can be valuable to criminals. In the week of the Epsilon hack, some users received messages directing them to a website where they could download an application that would supposedly help them track if their information was being misused. In fact, the application was a “keylogger” that recorded everything they typed on their computers, including passwords.

As the payments industry has increased security, scammers have turned to e-mail and other means as a stepping stone to win financial data, Mr Foley said.

Many Sony customers were outraged that the company had failed to warn them earlier that passwords might have been lost and had not encrypted them to begin with.

“If you have compromised my credit information, you will never receive it again,” one user wrote on Sony’s PlayStation Network blog. “The fact that you’ve waited this long to divulge this information to your customers is deplorable.”

Sony officials said on the blog that they hoped to have the service at least partially back up and running, with increased security, within a week – at which point users should immediately change their passwords.

Sony declined to answer additional questions.

Copyright The Financial Times Limited 2017. All rights reserved.