Sony PlayStation Accounts Face New Security Scare Even With 2FA Enabled

In Short
  • A tech journalist recently penned a report that revealed a glaring security flaw that allows hackers to take over PlayStation accounts.
  • As detailed in the report, the journalist's account was hacked using just his username and a transaction ID from an invoice that dates back to 2023.
  • The hacker responsible also confirmed that this is a tried-and-tested method.

The PlayStation Network, or PSN, has had its fair share of security problems in the past, ranging from data breaches to widespread hacks. In most cases, users are able to get their accounts back by contacting online support, which makes the tale of Numerama’s Nicolas Lellouche even more peculiar.

The French journalist recently penned a report detailing how his PSN account was taken over by an unknown hacker. In the process, Lellouche also revealed a glaring security flaw that can seemingly sidestep the need for 2FA (Two-Factor Authentication) entirely. As it turns out, you don’t need to be a technical wizard to gain access to someone’s profile, as the required information for doing so seems pretty innocuous at first.

New PlayStation Breach Suggests Accounts Can Be Hacked Using Profile Names and Transaction IDs

As per the report, the journalist’s PlayStation account was taken over out of nowhere, without the required Two-Factor Authentication prompt ever appearing. The culprit quickly changed the account’s email and password, and even charged a payment worth €9.99 to the owner’s PayPal account. Lellouche acted quickly and immediately disputed the charge before contacting PlayStation support about the issue.

It took some time, but the support agent was able to retrieve the account. What’s interesting is the information they required from the journalist, asking only for the account’s username and a transaction number from an invoice, regardless of how old it was. This, by itself, was an admission of how easily a hacker can take over an account, as all that’s needed is the username and the transaction ID from any of their purchases.

Unfortunately, Lellouche’s troubles didn’t end there, as the hacker managed to take over the account yet again. On this occasion, Lellouche chose to contact the hacker directly. After a bit of mockery, the hacker turned cooperative and spilled the beans behind his heist. As it turns out, the hacker nabbed the transaction ID off an article the journo posted back in 2023, combined it with the username, and gained access. After publishing the report, Lellouche received messages from readers who were also affected by the same security flaw, meaning this technique is tried and tested.

So, unless you want someone to hijack your digital games library, keep those transaction IDs well-secured. It’ll be interesting to see if PlayStation addresses this vulnerability in the future.
