PSN support flaw lets attackers hijack PlayStation accounts
A PSN support procedure let attackers change account email, disable two-factor authentication and remove passkeys using a username, an associated email and a transaction or purchase date.
A weakness in PlayStation Network customer support procedures allowed attackers to take control of PSN accounts by providing a username, an associated email address and a transaction ID or purchase date.
The method relied on social engineering of support staff rather than a technical breach of Sony’s servers. Attackers who present those details to support agents have been able to request and obtain account changes.
In one case, a person gained access to a relative’s account after providing two recent game purchases and their dates. Publicly visible Trophy records can reveal when a player first earned trophies in a game, allowing an attacker to infer likely purchase dates for recent releases.
After support approved changes, attackers updated the account email, turned off two-factor authentication and deleted passkeys, leaving the original owner unable to access the account.
Affected users reported loss of saved data, Trophy history and digital game libraries that can be worth hundreds or thousands of dollars. Several users, including some well-known community members, reported never regaining control of accounts after similar incidents.
Colin Moriarty, host of a podcast, recounted an attempted scam that nearly resulted in the loss of his account and said he had passed his findings to Sony for review. Sony has received reports from affected users and from people who ran tests on the support process, and appears to be reviewing the issue.
Security experts and affected users warned that transaction IDs, receipts and other purchase details posted on social accounts or shown in streams can be used in these schemes. They recommended reviewing past posts and removing exposed receipts or identifiers to reduce what attackers can present during a support call.
Observers noted that stronger verification at the support level, such as requiring confirmation tied to the original account owner or additional proof of ownership, would reduce the risk of remote account takeover.
Whether social-engineering attacks are prevented in future cases will depend on Sony’s response and any changes to PSN support procedures.