Sony recently revealed that credit cards were encrypted in the PlayStation Network data breach, but didn't rule out the possibility that hackers had obtained card information. Now the New York Times reports that hackers are claiming to have a database with 2.2 million PSN users' credit card numbers, and they're offering it up for sale.
Kevin Stevens, a senior threat researcher at Trend Micro, noticed the discussions in various hacker forums, where he says they were offering to sell the list for more than $100,000. Researchers confirmed that the discussions are taking place, but there's no way to confirm if they really have the database.
Stevens also heard from one forum member that the hackers offered to sell the data back to Sony, but didn't receive a response. "To my knowledge, there is no truth to the report that Sony was offered the opportunity to purchase the list," said Sony corporate communications director Patrick Seybold, who also reiterated that the data was encrypted.
"Sony is saying the credit cards were encrypted, but we are hearing that the hackers made it into the main database, which would have given them access to everything, including credit card numbers," said iSec Partners consultant Mathew Solnik. He also points out that the hackers on forums knew details about the servers, which could indicate direct knowledge.
Finally, the NYT notes that the San Diego office of the FBI is helping Sony in the investigation of the incident, but declined to comment.