Report: Sony PlayStation Network Password Reset Page Exploited, Customer Accounts Potentially Compromised

According to reports on Nyleveia.com, Eurogamer, and NeoGAF, Sony's PlayStation Network password reset system — the one just put in place after the PSN hack — has been compromised, allowing hackers to change a PSN password if they know your email and date of birth, which is exactly the sort of information that was released in the original hack.

Sony has taken the password reset system offline. Kotaku has reached out to Sony for comment.

Update 1: The good news (as pointed out by NeoGAF's "Metalmurphy") is that if your account was compromised, you should have gotten an email from PSN that says your password has been reset.

Update 2: An official community moderator on the EU PlayStation forums notes the following services are offline:

PlayStation.com

PlayStation forums

PlayStation Blog

Qriocity.com

Music Unlimited via the web client

All PlayStation game title websites

Update 3: This is the purported exploit as provided to Kotaku. As PlayStation services are now offline, this exploit can no longer be executed:

The procedure is as follows:

1) Navigate to: https://store.playstation.com/accounts/reset/resetPassword.action?token (this is normally, via email, https://store.playstation.com/accounts/reset/resetPassword.action?token=YYYYYYYYYYYYYYYYYYYYYYYY with the Y's being a unique token) - do not enter the code at this point.

2) Open a new tab in Firefox, and go to fr.playstation.com (other pages will work too most likely), and click Login (Connexion)

3) Click Recover password

4) Enter the email and date of birth of the target account

5) Click continue, then on the confirmation page, click "Reset using E-mail"

6) Switch back to the original tab, and enter the code, then click continue

7) You will now be asked to enter a new password for the target account
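
A server-side flaw consistent with the steps above, shown next to a hardened handler, as an added example that is not part of the original report and is not Sony's code. The root cause is an assumption, since the report does not describe the server logic: the reset page takes the target account from session state left by the recovery flow instead of requiring the emailed token. `ResetService` and every name in it are hypothetical.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds; constructed value for the example


class ResetService:
    """Toy in-memory password reset service (hypothetical, not Sony's code)."""

    def __init__(self):
        self.passwords = {}  # email -> password (plaintext only for the demo)
        self.pending = {}    # sha256(token) -> (email, expiry timestamp)

    def request_reset(self, email, session, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (email, now + TOKEN_TTL)
        session["reset_email"] = email  # state left behind by the recovery flow
        return token  # in a real system this goes only to the account's mailbox

    def reset_weak(self, session, token, new_password):
        # Assumed flaw: the account is read from the session and the token is
        # never checked, so whoever started the recovery flow can finish it.
        email = session.get("reset_email")
        if email is None:
            return False
        self.passwords[email] = new_password
        return True

    def reset_hardened(self, session, token, new_password, now=None):
        # The emailed token is the only thing that identifies the account.
        now = time.time() if now is None else now
        if not token:
            return False
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # single use: consumed on lookup
        if entry is None:
            return False
        email, expiry = entry
        if now > expiry:
            return False
        self.passwords[email] = new_password
        session.pop("reset_email", None)
        return True
```

With the hardened handler, knowing an email address and date of birth only triggers a message to the owner's mailbox; it no longer authorizes the password change.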

Republished from Kotaku


Comments

    *facepalm*

    Ridiculous!

    What Sony should have done is that everyone's password should have been reset, and only send the reset details to their email addresses

    MarioC - Do you work for Sony by any chance?
    If you did that you would have just sent the *new* password to the hackers as well.
    The hackers have your email address, and they have your PSN password. If your email password happens to be the same as your PSN password (which for a large proportion of users, it will be) the hackers can just log in to your email and grab your new account password.
    Although, considering they also have your Social Security ID, Credit Card details and home address, they're probably out buying cars and houses using your existing home as collateral, and are too busy enjoying the Dom Perignon on the pool deck to care about your Playstation password any more.
