An unauthorised person broke into Sony's PlayStation video game online network and stole names, addresses and possibly credit card data belonging to 77 million user accounts in what could be one of the largest-ever internet security breaches.
Sony learned that user information had been stolen from its PlayStation Network seven days ago, prompting it to shut down the network. But Sony did not tell the public until Tuesday.
The "illegal and unauthorised person" obtained people's names, addresses, email addresses, birthdates, usernames, passwords, logins, security questions and more, Sony said on its US PlayStation blog on Tuesday.
The shutdown of the PlayStation Network seven days ago prevented owners of Sony's video game console from buying and downloading games as well as playing with rivals over the Internet.
Alan Paller, research director of the SANS Institute, said this was the largest-ever breach of its type.
The breach is a major setback for the Japanese electronics maker. Although video game hardware and software sales have declined globally, the PlayStation franchise has been a steady seller and remains a flagship product for Sony.
Sony learned of the breach on April 19 and shut down the service immediately, a spokesman said.
Children with accounts established by their parents also may have had their data exposed, Sony said.
Sony said it saw no evidence that credit card numbers were stolen, but warned users that it could not rule out the possibility.
"Out of an abundance of caution, we are advising you that your credit card number (excluding security code) and expiration date may have been obtained," Sony said.
Analysts said that while Sony has notified its customers of the breach, it still has not provided information on how users' data may have been compromised.
"This is a huge data breach," said Wedbush Securities analyst Michael Pachter.
"The bigger issue with Sony is how will the hacker use the info that has been illegally obtained?"
The online marketplace let users buy and play video games on their PlayStation consoles.
The company said user account information for the PlayStation Network and its Qriocity service users was compromised between April 17 and April 19.
The company said its users could place fraud alerts on their credit card accounts through three US credit card bureaus, which it recommended in its statement.
Sony, a unit of Sony Corp, said that it could restore some of the network's services within a week.
The company declined to comment on whether it was working with law enforcement or other parties in its investigation.
The online network launched in fall 2006 and offers games, music and movies to people with PlayStation consoles.
It had 77 million registered users as of March 20, a Sony spokesman said.