Colin Moriarty's PSN Account was Hacked
"My PSN account was hacked, seemingly as part of an ongoing sophisticated series of moves against both random and "prominent" users.
Indeed, I was told by someone a few days ago that I was going to be targeted, and he was right. (He was also hacked.)"
Colin shared quite the thread on Twitter yesterday afternoon.[1] These types of hacks have been ongoing in the PlayStation community. I remember seeing a headline earlier this year about the top trophy hunter in the world getting their account banged by hackers.
"1.) I wasn't phished, didn't click on any links, didn't randomly put my password somewhere, etc. I am completely positive of this.
2.) At the time this happened, my email started getting spammed with hundreds of random emails from all sorts of sources (SubStack, EA, AliExpress, Slack... s—t I'm not even signed up for).
3.) I then got a text message that my PlayStation Network email address was changed. Then I got a text message saying 2FA was turned off.
Frankly, how can any of this even be possible if someone isn't feeding information from the inside or has some sort of bespoke access to things they shouldn't?"
I saw some replies speculating about social engineering scams: calling support and pretending to be said user. PC Magazine did an article with other folks that have been hacked. It seems like a mix of social engineering and an absolutely unhinged recovery process.
When you initiate an account recovery, you submit a PSN ID, the registered email address, the user's full name, and one other detail:
- The first four and last four digits of the credit card number used on the account.
- Serial number of the first console used to create or log into your account.
- Order number for a recent transaction made on this PlayStation account.
I submitted an order number from 2023. The chatbot processed my request and let me register an entirely new email address for my PSN account. I didn't need to verify the process from the original email address at all...
...I was stunned because the process completely bypassed the passkey I had registered on my PSN account. The chatbot even asked me: "May I know if you also need help to disable extra security measures activated in the PlayStation account?" I said yes, and the passkey was gone.
I am not a betting man, but I'd wager that this chat system is one powered by an LLM, as they have taken over the technical chat support business. But even if you get in touch with a human on PlayStation's support team, you can seemingly just keep casting out the phishing line until you get one willing to hand over the account. It all reminds me of "The Snapchat Thief" episode of Reply All. Customer service seems so willing to cater to users and positive reviews that they lack common security sense. In fact, it is identical:
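To make the gap concrete, here is an added model of the recovery policy as the PC Magazine quote describes it, beside a hardened version; it is constructed for this post and is not Sony's code or anything from the article. The hardened flow treats the static account details as grounds to open a case only, requires approval from the address already on file before a contact change takes effect, and never removes MFA or a passkey as part of a recovery conversation. All account names and order numbers are constructed.

```python
from dataclasses import dataclass

# Constructed model of the recovery flow quoted above; none of this is Sony's code.
@dataclass
class Account:
    psn_id: str
    email: str
    full_name: str
    order_numbers: set            # past transaction ids that support can look up
    mfa_enabled: bool = True
    passkey_registered: bool = True

@dataclass
class RecoveryRequest:
    psn_id: str
    email: str
    full_name: str
    order_number: str             # the "one other detail" used in the quoted case
    new_email: str
    wants_security_disabled: bool = False
    old_mailbox_approved: bool = False   # hardened flow only: current address said yes

def knowledge_checks_pass(acct: Account, req: RecoveryRequest) -> bool:
    """Static facts (name, email, an old order number) that are not proof of control."""
    return (req.psn_id, req.email, req.full_name) == (acct.psn_id, acct.email, acct.full_name) \
        and req.order_number in acct.order_numbers

def weak_recovery(acct: Account, req: RecoveryRequest) -> str:
    """Flow as described: static facts alone move the account and can strip MFA/passkey."""
    if not knowledge_checks_pass(acct, req):
        return "denied"
    acct.email = req.new_email                    # no confirmation sent to the old address
    if req.wants_security_disabled:               # "need help to disable extra security?"
        acct.mfa_enabled = False
        acct.passkey_registered = False
    return "granted"

def hardened_recovery(acct: Account, req: RecoveryRequest) -> str:
    """Same facts only open a case; the change waits for the current mailbox's approval,
    and MFA/passkey removal is never a recovery outcome (separate, authenticated step)."""
    if not knowledge_checks_pass(acct, req):
        return "denied"
    if not req.old_mailbox_approved:
        return "pending_old_email_approval"       # notify the current address; no change yet
    acct.email = req.new_email
    return "granted"                              # mfa_enabled / passkey_registered untouched

def sample_account() -> Account:
    """Constructed victim account used by the checks below."""
    return Account("example_gamer", "owner@example.com", "Jane Example", {"ORD-2023-0001"})
```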
In the meantime, the hijackings have been traced to hackers who are reselling dozens of stolen accounts on social media for hundreds or even thousands of dollars. They're focused on stealing accounts with desirable screen names, often created 20 years ago when PSN launched.
What makes this whole affair even more alarming is that Sony is mostly silent and unwilling to assist. Back to Colin,
"...they told me it will take three weeks for them to get to have any answers, which seems f—g insane. They removed my credit card info, etc., from the account in the interim, but seemingly couldn't mass-change the password and boot others off in the interim? Okay then. If I don't get my account back by tomorrow, I'll file with the Better Business Bureau, as has been recommended."
I am not sure filing with the Better Business Bureau would have helped Colin though. Pete Wenzler did just that and received this reply from Sony.
"...after which Sony told him it was 'unable to assist in gaining access to the account mentioned.'"
Colin went through PlayStation Support. His friends who work at PlayStation reached out and helped escalate the issue. He called Greg Miller. Thanks to all his friends and connections, Colin has his account back. I can't help but wonder for how long, though...
This is a major issue and Sony needs to address it immediately. While not on the scale of the infamous PSN Outage of 2011 or Insomniac's leak, this is a risk and removes all confidence in account security.[2] How am I or anyone to trust two-factor authentication with Sony? I thought about enabling my first passkey before writing this article, but clearly that matters not based on my research. There is no point to all these security measures if they can be removed with an old order number and zero verification. I am starting to underestimate the power of PlayStation.
Footnotes
1. I refuse to call the text-based, reverse chronological social media platform any other brand name. Just like summer video game news will forever be "E3" to me.
2. While this paragraph is quite serious, I won't miss an opportunity to link to one of the most legendary podcast episodes in the history of video games.