Hackers Hijack PlayStation Accounts via Support Calls
Attackers call PlayStation Support, pose as account owners using public details, and gain access despite two-factor and Passkey protections; Sony has not publicly responded.
Hackers are taking over PlayStation accounts by calling PlayStation Support and impersonating account owners with information available online, bypassing two-factor authentication and Passkey protections. Sony has not issued a public response to the pattern.
The issue first drew attention in December 2025 when French journalist Nicolas Lellouche posted a screenshot that included a transaction ID. Attackers used that single data point to persuade support staff they were the account owner and regained control. Lellouche reported that PlayStation Support initially said the case was flagged, but the same transaction ID continued to be used to compromise the account.
More recently, PlayStation podcaster and journalist Colin Moriarty reported his account was taken over using only publicly accessible information. Moriarty contacted public support channels without success and ultimately regained access through internal contacts at the company. He has said he will work to increase awareness of the problem.
Attackers collect basic personal or account-related details found online, then contact PlayStation Support and claim ownership. When a support agent accepts those details as proof, the agent can take actions that allow credential changes or account transfer. Reported victims include trophy hunters and public or semi-public account holders who did not expose sensitive transaction data.
Victims report that two-factor authentication and Passkey offer little protection when an account is surrendered during a support interaction. The incidents rely on social engineering of human agents rather than direct compromise of passwords or devices.
Affected users say they have notified Sony and posted public accounts of incidents, but the company has not outlined changes to support procedures. Responses from PlayStation Support have ranged from reassurances to remediation that victims describe as ineffective; several users recovered accounts only after internal intervention or by using company contacts.
Security advisers and affected players recommend keeping the PlayStation sign-in email separate from any address used publicly and avoiding sharing account names or screenshots that include transaction or order IDs. These steps reduce the amount of verifiable information available during a support call.
Account-takeover attacks that exploit customer support channels target human verification processes rather than technical defenses. Reports of these PlayStation incidents span months and multiple high-profile victims, highlighting a gap in account-recovery workflows when verification relies on limited, publicly obtainable data.






