A recent report revealed a serious security vulnerability in PlayStation Network that could put millions of users at risk, after a French journalist’s account was hacked despite two-step verification being enabled.
According to Numerama, the incident began when the journalist’s account was hacked and the email address associated with it was changed; a fee of 10 euros was also charged for changing the username. Although he was able to restore his account by contacting PSN support by phone, what raised concern was how little information was required to complete the recovery process.
The report explained that the support staff only asked for the PSN account username and a transaction number from an old invoice, regardless of its date. With this information alone, the journalist was able to restore his account, but the surprise was even greater when the account was hacked again in less than an hour.
In an attempt to understand what happened, the journalist contacted the hacker through a new account, and the latter confirmed that he obtained the invoice number from an old article published by the journalist, which included a picture of a PlayStation invoice. The hacker explained that this number enabled him to restore the account through Sony support easily, also claiming that he developed a tool to access Sony’s servers, a claim that has not been verified so far.
The journalist later re-established contact with PSN support, and this time additional information was requested, such as date of birth, the account’s original email address, and its first username. After support was informed of the severity of the vulnerability, the account was temporarily suspended, with a 5-10 day wait for the case to be reviewed.
Why is this vulnerability dangerous? Because billing (invoice) numbers are often found in old emails, mistakenly posted in photos or posts, or easily accessible if the email account itself is compromised. That makes the current verification mechanism via customer support a real weakness, one that can bypass even stronger security controls such as 2FA.
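The takeover loop described above (support-assisted recovery, then a fresh email change, then a second recovery within the hour) leaves a recognisable trail in account event logs. The detector below is an added example written for this article, not code from Sony, PSN or Numerama; the log format, event names, the "proof=" field and the sample lines are all constructed, and the idea that username plus invoice number counts as weak proof follows the report.

```python
# Added example (not from the article or from Sony/PSN): flag account-takeover
# "ping-pong" where a support recovery is followed within minutes by another
# contact-email change or by a second recovery, and flag recoveries that were
# granted on weak proof alone. Log format and events are constructed.
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample log: "<ISO timestamp> <account> <event> <detail>"
SAMPLE_LOG = """\
2025-05-01T09:00:00 psn_journalist email_change by=web
2025-05-01T09:01:00 psn_journalist username_change fee=10EUR
2025-05-01T13:30:00 psn_journalist support_recovery proof=username,invoice_number
2025-05-01T13:35:00 psn_journalist email_change by=web
2025-05-01T14:10:00 psn_journalist support_recovery proof=username,invoice_number
2025-05-01T14:20:00 other_user email_change by=web
"""

# Assumption for this example: identifiers that are public or findable in old
# mail/photos (as the article describes) do not count as strong proof.
WEAK_PROOFS = {"username", "invoice_number"}

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, account, event, detail = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), account, event, detail))
    return events

def detect_recovery_churn(events, recovery_window=timedelta(hours=24),
                          change_window=timedelta(hours=1)):
    """Return (account, alert_kind, timestamp) tuples."""
    by_account = defaultdict(list)
    for ev in sorted(events):
        by_account[ev[1]].append(ev)
    alerts = []
    for account, evs in by_account.items():
        recoveries = [e for e in evs if e[2] == "support_recovery"]
        for r in recoveries:
            proofs = set(r[3].removeprefix("proof=").split(","))
            if proofs <= WEAK_PROOFS:           # nothing beyond weak identifiers
                alerts.append((account, "weak_proof_recovery", r[0]))
            for e in evs:                        # email re-changed right after recovery
                if e[2] == "email_change" and r[0] < e[0] <= r[0] + change_window:
                    alerts.append((account, "email_change_after_recovery", e[0]))
        for a, b in zip(recoveries, recoveries[1:]):   # repeat recovery
            if b[0] - a[0] <= recovery_window:
                alerts.append((account, "repeat_recovery", b[0]))
    return alerts
```

Running `detect_recovery_churn(parse_log(SAMPLE_LOG))` on the constructed log yields four alerts, all for the journalist's account and none for the unrelated user.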
At the time of writing, Sony has not issued any official comment about the incident or any intention to change its verification policies, which leaves big questions about the security of PSN accounts and should push users to be very careful when sharing any information related to their bills or digital transactions.