Hackers are saying on underground internet chat rooms that they are in possession of the credit card numbers of Sony’s PlayStation Network customers, the New York Times said today.
If it’s true, that’s worrisome for Sony, which has been sued by angry users and which has yet to verify whether any of its customers’ credit card numbers — which Sony has said were encrypted — had been taken. Sony has sent warnings about the possible theft to more than 77 million registered PSN users. Since the whole user base may have been exposed, this case could be one of the largest hacks on record.
Security researchers said they have seen discussions on internet forums that indicate the hackers have customer names, addresses, usernames, passwords and as many as 2.2 million credit card numbers. Kevin Stevens, senior threat researcher at the security firm Trend Micro, told the New York Times that he saw talk about how Sony hackers were hoping to sell the credit card list for more than $100,000. Stevens said one forum member told him the hackers had offered to sell the data back to Sony itself, but the hackers had not received a response from the company.
One reader, who wished to remain anonymous, told us that he was informed by Sony yesterday that his credit card may have been compromised. He checked with his card issuer and found two charges totaling $400 that he had never made. He called his issuer and had the charges reversed. He had his card canceled and ordered a replacement.
Several other security researchers confirmed the forum discussions, but it was not possible to verify whether the hackers were indeed in possession of the database. Sony spokesman Patrick Seybold said that, as far as he knew, there was no truth to the claim that Sony was offered an opportunity to buy back the list. Matthew Solnik, a security consultant with iSEC Partners, said he has heard that the hackers made it into the main database, which would have given them access to the credit card numbers.
Solnik said researchers believe that the hackers gained access to the database by hacking the PS3 console and then moving from there to the company’s servers.