Just days after listing more than 1 million decrypted Gmail and Yahoo accounts on a dark web marketplace, data vendor “SunTzu583” is allegedly back again, this time with more than 600,000 decrypted user accounts of PlayStation users.
The credentials, which include login email addresses and passwords in clear-text form, are being offered for just $35.71 (around 0.0292 bitcoin), within the price range at which the now-famous SunTzu583 has typically valued stolen data.
The source(s) of the database still remain a mystery, although the dark web vendor has denied obtaining it directly from PlayStation servers.
In the description of the listing, he explains that the credentials are mainly for access into PlayStation user accounts, but can be used to access other platforms on the PlayStation network as well.
The authenticity of the data is yet to undergo independent verification, but IT security research experts reckon major data breaches of recent times involving PlayStation user accounts could be where the data was sourced from.
It should be noted that in 2015, 2.5 million Xbox and PlayStation user account details were accessed through a large data breach on two popular gaming forums (PSP ISO and Xbox360 ISO) that let gamers interact, download, upload, and share pirated copies of PS and Xbox games for free.
Information about the data breaches surprisingly remained unknown to the public until earlier this year when someone listed them on the dark web.
A similar incident took place back in 2014 and left details of more than 13,000 gamers exposed.
Again, the targets were mainly third-party platforms, although a portion of the data was stolen directly from Microsoft’s Xbox console.
Several months ago, a significant number of PlayStation users reported that their accounts had been remotely accessed by unauthorized persons, leading to loss of login access and, in some cases, funds.
Sony denied that its servers had been breached and instead ascribed the hack to data breaches at third parties.
As to the matter at hand, Sony has yet to say anything, but if the dark web vendor’s word is anything to go by, the tech giant could fittingly make the same case as in the 2014 hack.
The dark web has provided a useful platform for journalists and whistleblowers to publish sensitive reports to the public anonymously for the better part of the past decade.
Evidently, that is not the only atypical business that has been going on there; hackers have been using the channel to share stolen data and, thanks to the recent growth of the bitcoin payment system, even make money out of it.
The fact that a staggering 640,000 PlayStation user accounts can be listed for as little as $35, and that one vendor is able to offer such big data dumps in the space of less than one month, goes to show just how common and commercialized data breaches have become.
Experts have been quick to point out, however, that the low price tags attached to data listings on dark web marketplaces are a sign not just of excess supply or desperation among vendors, but also of the low demand such stolen data must command.
Numerous cases of major cyber-attacks have been reported this year alone, and the gaming industry hasn’t been an uncommon target prior to this incident.
More than a dozen top companies in the sphere, including LifeBoat, ESEA, Envoy, Epic Games, and Clash of Clans have had their data listed on dark web marketplaces over the last couple of months – most for a price in the aforementioned range.
Fortunately, users in most attacks do not lose their login access and even get time to change their credentials, as the databases change ownership from seller to seller for weeks before disappearing from the dark web.
That said, account holders on the platforms that have recently been compromised, including PlayStation, are advised to change their credentials and to use different passwords where the same email address is used to access more than one account.