Sony has finally admitted that the continuing outage of the PlayStation Network was caused by a lone hacker and that millions of accounts, including credit card details, have been compromised as a result.
In a statement released last night, Sony's Patrick Seybold said, "We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorised intrusion into our network."
As a result of the attack, Sony was forced to pull the plug on the PlayStation Network and Qriocity music locker services while an unnamed outside security firm investigated what had happened, and to rebuild the entire network with improved security.
The company also admitted that, although forensic investigations were ongoing, it believed that 'an unauthorised person' had obtained the personal details of up to 77 million registered users.
That information could include all of the details provided when signing up for a PSN account including name, address, date of birth, email addresses, password and login details including security questions and answers.
Sony also warns that, while there is no evidence 'at this time' that credit card details were stolen, it cannot rule out the possibility. "If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained," the statement reads.
The biggest fear is that any information harvested may be used by those conducting phishing scams to obtain further information, and Sony is warning subscribers to watch out for criminals who may obtain the stolen personal information.
"For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information," says the security statement. "If you are asked for this information, you can be confident Sony is not the entity asking."
Users are also warned that, once the network is rebuilt, compromised passwords should be changed.
"When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well."
Users are also advised to carefully monitor bank accounts and credit card statements for any unusual activity and to register with bureaus which can monitor applications for credit or attach a 'fraud alert' to your personal details to prevent illegal applications caused by identity theft.
Sony has been blasted by users and pundits for making the world wait six days before admitting such a serious security breach, but the Japanese electronics giant says it took that long for 'outside security experts' to gauge the full scale of the attack.
We're guessing it will take much, much longer for the fallout from this security howler to die down; it really shouldn't be possible at a company which spends so much of its time and energy preventing hackers from fiddling with its hardware.
You can expect the announcement of dozens of class action suits in the next few days, which will almost certainly cost Sony millions, if not billions, not to mention the adverse effect of what will probably turn out to be months of awful publicity for the company.
Sony says it might be able to restore 'some services' within a week.