LulzSec, the group behind the attack, originally said that one million accounts were vulnerable. The group only released the database files and logs for a portion of those users, however -- a portion that was in the range of 37,000 users. More precisely, the group said that the user information for at least a million users was vulnerable because of the insecurity of Sony's website.
Sony released a statement to the Wall Street Journal noting that "the website did not ask for any credit-card information." Instead, the personal data that was exposed from the site included "names, genders, addresses, email addresses, phone numbers, birth dates, user account names and passwords."
So in the grand scheme of things, last week's attack was more of an embarrassment for Sony than a large-scale risk for registered users. If you were registered at Sony Pictures websites and your name is on the lists released by Lulzsec, you need only worry about making sure your passwords on other sites are different, and that you have a good spam filter to deal with the extra unsolicited email that is likely to result. Your credit card details are safe. Still, the episode underscores the reality of web security in the modern age. It used to be that users could feel comfortable trusting big brands like Sony, organizations that had the resources to keep things secure.