‘It’s Nuts’: Major PS5 Security Vulnerability Exposed, And We’re All At Risk – Push Square


A major PSN security vulnerability has been exposed, and any one of us could become a victim unless Sony tightens up its processes.

Earlier this week, I wrote a story about Sacred Symbols host Colin Moriarty, who was the victim of a social engineering scam which almost resulted in his PSN account being stolen from him.

Now a new podcast, in which Moriarty recounts the entire sordid tale, has shed light on a potentially catastrophic flaw in Sony’s account-recovery process, one which could affect us all.

Here’s what you need to know:

  • This is not necessarily a hole in Sony’s network, and is not a hack in the traditional sense. It does not involve breaching the PSN and extracting information from a database.
  • This does not involve phishing or extracting information from users via misleading webpages or emails.
  • This is a social engineering scam which relies on the exposure of some minor personal details, such as an email address and a transaction date.

When I learned of Moriarty’s situation, I immediately contacted him to see if he’d ever inadvertently exposed a receipt or transaction ID on social media or in a livestream.

That’s because his situation reminded me of a similar story I was loosely aware of from last year, involving French journalist Nicolas Lellouche.

In essence, it’s possible to commandeer someone’s PSN account by taking advantage of sympathetic customer service representatives who will accept just a few pieces of personal information as proof of identity.

These may include:

  • A PSN username
  • An associated e-mail address
  • A transaction ID or purchase date

If that seems unfathomable to you, X (or Twitter) user PorkPoncho put it to the test.

According to his report, embedded below, he was able to access his sister’s PSN account – with permission – by providing customer support with a minimal amount of easily accessible information, including two game purchases and the dates they were made.

As Moriarty notes in his podcast, this information could easily be inferred from publicly available Trophy data; it’d be reasonable to assume, for example, that if you started earning Trophies in Resident Evil Requiem on 27th February, launch day, you may have bought it on the same day.

Hackers may not know whether you purchased the game digitally or physically, but with enough attempts and a sympathetic enough support agent, they may be able to commandeer someone’s account relatively easily.

Once inside, hackers are able to change email addresses, disable two-factor authentication, and remove passkeys – all without any further security blockades. Effectively, you’ll be locked out of your account with no recourse.

Moriarty acknowledges during the podcast that he was able to rapidly escalate his situation using his connections within Sony; many of us will not have the same privileges.

In fact, prominent members of the fanbase have been struck with similar scams, including Trophy hunter Hakoom, who was never able to recover access to his account.

Moriarty says he’s passed everything he’s learned on to Sony, and in fairness it does seem like the company is taking things seriously.

But it’s frightening to see how seemingly simple it is for any of us to have our accounts stolen; these accounts, of course, have our treasured PlayStation memories and, more importantly, potentially thousands of dollars of digital purchases attached.

I’ll contact Sony to see if it has any comment on any of this, and I’ll update if I learn more.

In the meantime, I would encourage you to browse through your social media history and see if you did ever inadvertently expose any transaction IDs or receipts. It’s probably best not to have those out in the public.

I’d also encourage you to listen to Moriarty’s story – which has been made available early, outside of Patreon, for everyone to hear here – as it really gets into the nitty-gritty of what actually occurred, and why it’s something we should all be concerned about.

[source youtube.com, via x.com]
