[Image: PlayStation logo]
A French journalist's PlayStation Network account was stolen twice in one day, revealing a security loophole that makes two-factor authentication almost useless—and places the blame on a surprisingly lax customer support protocol.
The PlayStation Network (PSN), still haunted by the memory of its 77-million-account data breach in 2011, faces renewed criticism. This time, the issue isn't a massive external hack, but a procedural flaw in its own support system that is handing accounts directly to thieves.
The One-Hour Double Hack
Nicolas Lellouche, a journalist for French tech publication Numerama, recently chronicled a digital nightmare on social media. A hacker gained control of his PSN account, changed the associated email and password, and even charged Lellouche €9.99 for the privilege of a username change.
When Lellouche contacted PlayStation Support, the recovery process seemed straightforward. He only needed to provide his username and a transaction number from an old billing invoice. Alarmingly, the two-factor authentication (2FA) enabled on his account neither protected him nor slowed the takeover, because the recovery process never asked for the second factor.
Shockingly, just one hour after regaining access, his account was stolen again. Frustrated with support, Lellouche did something unusual: he directly contacted the hacker. The individual was cooperative, explaining they had used a transaction number Lellouche had inadvertently posted in an old article. The hacker's apparent goal wasn't financial gain but simply to play Call of Duty on the compromised account.
A Known Weakness in the "Trust" System
Lellouche’s troubling experience is not an isolated case. It highlights a critical vulnerability: account recovery can be gamed with minimal information. An invoice number, which can sometimes be found in screenshots shared online or in other compromised data, becomes a master key.
This flaw has been exploited in specialized cybercrimes within the gaming community. In October, a prolific trophy hunter known as dav1d_123 had his account stolen. In that instance, the hacker reportedly needed only the username to convince PSN support to hand over control. The stolen account, filled with hard-earned trophies, was then targeted for its value on a black market where such digital accomplishments are sold.
Security experts have long warned that support systems are a common weak point. The very process designed to help legitimate users can be socially engineered by attackers. Once an account's associated email is changed, the legitimate owner is locked out and must rely on the same support protocols that failed to verify identity adequately in the first place.
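The structural fix the article points at is that a recovery desk should never accept evidence an attacker can plausibly find (a username, an invoice number from a screenshot) as sufficient when the owner has enrolled a stronger factor, and should treat a second recovery request shortly after the first as a red flag rather than routine. The following Python model of such a recovery policy is an added example written for this page; it is not Sony's or PlayStation Support's actual process, and the evidence categories, the 24-hour cooldown and the sample accounts are assumptions chosen to reproduce the two scenarios the article describes.

```python
"""Model of an account-recovery policy that refuses to hand over an account on
publicly discoverable identifiers alone. Added example, not PSN's real process."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional, Set, Tuple


class Evidence(Enum):
    USERNAME = "username"
    TRANSACTION_ID = "transaction_id"      # invoice number, as in the article
    TOTP_CODE = "totp_code"                # code from the enrolled 2FA app
    PASSKEY_ASSERTION = "passkey_assertion"
    RECOVERY_CODE = "recovery_code"        # one-time backup code issued at 2FA enrolment


# Assumption: identifiers that routinely leak via screenshots, articles or old breaches.
PUBLICLY_DISCOVERABLE = {Evidence.USERNAME, Evidence.TRANSACTION_ID}
# Assumption: proofs that require possession of something only the owner holds.
POSSESSION_PROOFS = {Evidence.TOTP_CODE, Evidence.PASSKEY_ASSERTION, Evidence.RECOVERY_CODE}
# Assumption: a second recovery inside this window is held for manual review.
RECOVERY_COOLDOWN = timedelta(hours=24)


@dataclass
class Account:
    username: str
    two_factor_enrolled: bool
    last_recovery_at: Optional[datetime] = None


@dataclass
class RecoveryRequest:
    account: Account
    presented: Set[Evidence]
    now: datetime


def evaluate_recovery(req: RecoveryRequest) -> Tuple[bool, str]:
    """Return (approved, reason). Denies when the presented evidence could have
    been obtained without owning the account, when an enrolled second factor is
    being bypassed, or when the account was recovered too recently."""
    if not (req.presented - PUBLICLY_DISCOVERABLE):
        return False, "only publicly discoverable identifiers presented"
    if req.account.two_factor_enrolled and not (req.presented & POSSESSION_PROOFS):
        return False, "2FA enrolled: recovery must prove possession of the second factor"
    last = req.account.last_recovery_at
    if last is not None and req.now - last < RECOVERY_COOLDOWN:
        return False, "account recovered recently: hold for manual review and notify previous contact"
    return True, "approved"


if __name__ == "__main__":
    noon = datetime(2025, 1, 1, 12, 0)
    owner = Account("journalist", two_factor_enrolled=True)

    # Scenario 1 (constructed): username + invoice number only, 2FA enrolled.
    print(evaluate_recovery(RecoveryRequest(owner, {Evidence.USERNAME, Evidence.TRANSACTION_ID}, noon)))

    # Scenario 2 (constructed): correct TOTP, but the account changed hands an hour ago.
    recovered = Account("journalist", True, last_recovery_at=noon - timedelta(hours=1))
    print(evaluate_recovery(RecoveryRequest(recovered, {Evidence.USERNAME, Evidence.TOTP_CODE}, noon)))
```

The first rule alone would have stopped the takeover described above, and the cooldown rule is what turns the "stolen again within an hour" pattern into a held ticket instead of a second silent hand-over. In a real deployment the deny branches should also open a ticket and alert the previously registered email, so the legitimate owner learns that someone is attempting recovery.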
Echoes of a Larger Problem
The issue of account security extends beyond PlayStation. The digital ecosystem of modern gaming, where players invest thousands of dollars and years of progress into libraries, is a prime target.
In a similar recent case, an Xbox user lost access to 15 years' worth of purchased games after a hacker changed the email on his Microsoft account. Despite the user's proof of ownership, recovering the account proved to be a significant challenge. These incidents underscore a universal tension for platform holders: balancing robust security with accessible customer support.
What Sony Is Doing (And What You Should Do)
In the wake of the 2011 breach, which cost Sony an estimated $171 million and 24 days of total downtime, the company has worked to bolster its defenses. It now strongly promotes two-step verification, which adds a critical layer of security during the login process.
More recently, Sony has rolled out passkeys as a next-generation, password-less login alternative. Using device-based biometrics like fingerprints, passkeys are designed to be both more secure and more convenient, and are resistant to phishing attacks.
However, as Lellouche's case proves, these front-door security measures are bypassed entirely if the back-door recovery process is weak. For users, the lessons are clear:
- Never share transaction details or invoices publicly. A single posted screenshot can be the key to your account.
- Enable 2FA or passkeys immediately. While not foolproof against support exploits, it is the strongest barrier against direct login attacks.
- Use unique passwords. The 2011 breach exposed passwords, and reused credentials can lead to other accounts being compromised.
- Be vigilant for scams. Following any breach, be wary of phishing emails pretending to be from PlayStation Support.
Sony has stated that Lellouche's latest support ticket is under investigation. For millions of PlayStation users, the hope is that this investigation leads to a fundamental review of an account recovery process that currently appears to prioritize convenience over security, leaving years of gaming investments vulnerable to a single invoice number.
[Image: Translated Nicolas Lellouche X account post on the PSN hack]