Security researchers say the credit card information stolen in last week's hack of the Sony PlayStation Network is already up for sale on various internet forums.
Sony is still trying to insist that it's possible no credit card data was taken at all.
"While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility," says head of communications Nick Caplin in an FAQ.
"If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code, sometimes called a CVC or CSC number) and expiration date may have been obtained."
But according to security researchers - and PlayStation Network users - the credit card information has indeed been taken, and is up for sale.
"The hackers that hacked PSN are selling off the DB. They reportedly have 2.2 million credits cards with CVVs," says Trend Micro security expert Kevin Stevens in a tweet. "Supposedly the hackers selling the DB says it has: fname, lnam, address, zip, country, phone, email, password, dob, ccnum, CVV2, exp date."
But, he warns, "It is not a rumor, it was a conversation on a criminal forum. I never saw the DB so I can't verify if it is real."
Some blogs, such as Lo-Ping, are posting what are claimed to be the chatlogs of the perpetrators - showing attempts by the hackers to sell the information back to Sony.
Sony now says the shutdown of the service is likely to last into the middle of next week, with only 'some services' available thereafter. It says it's moving its network infrastructure and data center to a new, more secure location.